Over the past few years, the cloud has become more and more a part of many companies. It brings many good opportunities to be creative, to learn and to experiment with new things. During this journey, people can be excited and—because it’s very easy to do—will create a lot of resources. As an administrator, we must keep all those resources safe for our customers and Axway. In this post, we will focus on the best practices on AWS (Amazon Web Services) specifically for the IAM service.
IAM (Identity and Access Management) allows you to control who is authenticated and authorized to do an action/operation on a resource. This is where you manage your users, their permissions, policies and more.
Where to start?
Here are five best practices to keep your data and resources safe:
- Avoid the usage of the root account. The root account has access to all services and all resources. With the root account, basically, you can do everything. Instead of using the root account, AWS advises you to create a user with administrator permission to use for your everyday tasks. Keep the root account credential safely in a password manager like KeePass or Strongbox.
- Force the usage of the multi-factor authentication (MFA) for all IAM users. During the RSA security conference, Microsoft said around 0.5% of all accounts (1.2 million in January 2020) get compromised each month due to the lack of MFA. If you do not want to be one of those compromised accounts, use multi-factor authentication.
- Configure a strong password policy. A strong password policy can make it tough for a user to remember their password. It’s recommended to use a password manager as it allows you to store and generate random passwords.
4. Grant the least privilege possible. For example, when a user only needs to power-on/power-off their EC2 instance, you don’t need to grant them permission to delete an instance or access to another service. The fewer privileges you grant users the better you will be even if it takes time to get it right.
5. Rotate access keys as much as possible. Because access keys allow you to have programmatic access to your AWS account without any password, they are a very sensible approach to access security. However, you still need to manage access keys with the same level of care you use for passwords.
An example of a very common mistake is a user who has pushed their code on GitHub with their access key hardcoded in a file. This mistake will give any hacker who reads that code access to the AWS account. AWS can send you an email when they are aware of an access key publicly available online. There isn’t an easy way for you to control this type of error so keep your eyes open!
There are more IAM best practices published on the AWS website that can definitively help you increase security on your AWS account. There is also a CIS (Center for Internet Security) AWS Foundation Benchmark which was published by security experts to help organizations to improve security on several AWS services. Making sure you have a secure account is a difficult journey but the path to reduce the risk is well laid out—just follow these five best practices. Discover Axway and Cloud with AWS PrivateLink: Easy and Secure.
Read how Axway joins the Amazon Web Services Partner Program as an Advanced Technology partner. Digital benefits for the future.