When aiming to operate secure AWS workloads, there are two types of identities you need to manage. Understanding each of them helps you guarantee that the correct identities have access to the resources they need to access only under the right conditions. On the one hand, there are human identities. These are your administrators, developers, operators, and end-users who require an identity to access AWS environments and applications. This group is made up of members of your organization or external collaborators who interact with your AWS resources via web browser, client application, or interactive command-line tools. On the other hand, there are machine identities. These include your service applications, operational tools, and workloads that require an identity to make requests to AWS services, for example, to read data. The latter includes machines running in your AWS environment, such as Amazon EC2 instances or AWS Lambda functions. In this article, we will discuss identity management best practices for both people and machines, and share useful additional resources recommended by AWS.
Using strong sign-in mechanisms
The first step is to make sure everyone in your organization uses strong sign-in mechanisms by enforcing minimum password length and educating users to avoid common or re-used passwords. Multi-factor authentication (MFA), should be enforced across your organization to provide an additional layer of security. You can create an IAM policy to enforce MFA sign-in. This will restrict all IAM actions with the exception of those that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page. You should also enable MFA in your identity provider or single-sign-on service. In addition, you could also configure a strong password policy in IAM and federated identity systems to aid you in protecting against brute-force attacks. Lastly, you should ensure administrators of your workload change their credentials regularly for extra protection.
Using temporary credentials
Requiring identities to dynamically acquire temporary credentials will greatly reduce threats. You can use AWS Single Sign-On for workforce identities or federation with IAM roles to access AWS accounts. Implementing least privilege policies and removing unnecessary permissions are also excellent strategies. When it comes to machine identities, you should require the use of IAM roles instead of long-term access keys. Another useful resource when it comes to permissions is resource tags. You can use resource tags to control access to any AWS resources that support tagging and also tag IAM users and roles to control what they can and can’t access.
Storing and using secrets securely
The latest industry standards should be used when storing secrets such as passwords to third-party applications that might be used by your team members or machine identities. You can do this by using AWS Secrets Manager, an AWS service that helps you manage items like database credentials, passwords, third-party API keys, and arbitrary text.
Relying on a centralized identity provider
It’s best practice to rely on an identity provider that enables you to manage identities in a central place when it comes to workforce identities. This will improve your identity management by allowing you to create, manage and revoke access from a single location, thus, reducing the requirement for multiple credentials and providing an opportunity to integrate with HR processes. One of the options available to you is to use Amazon Cognito for centralizing application access. Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily.
Auditing and rotating credentials periodically
As mentioned above, temporary credentials should be used whenever possible. However, in those cases in which that is not a viable option, you should audit credentials to ensure that the predefined controls are enforced, rotated regularly, and have the appropriate access level to maximize security. You can achieve this by using credentials reports and IAM Access Analyzer to audit IAM credentials and permissions. The security of your AWS account can also be improved by regular reviewing and monitoring of each of your IAM policies to make sure only least-privilege access is granted. In addition, you can use AWS CloudFormation to automate the deployment of IAM resources, roles, and policies included, in order to reduce human errors given that templates can be verified and version controlled.
Leveraging user groups and attributes
Users with common security requirements should be placed in groups defined by your identity provider and mechanisms put in place to ensure user attributes that can be used for access control are accurate and up to date. These groups and attributes, as opposed to individual users, should be used to control access according to AWS best practices. This will allow you to manage access centrally by making changes to a user’s group membership or attributes once instead of having to update many individual policies when a user’s access needs change. If you’re using AWS Single Sign-On, you can configure groups of users and assign them the desired level of permission. You should also learn about attribute-based access control (ABAC), an authorization strategy that defines permissions based on attributes.