AWS Cloud: Proactive Security and Forensic Readiness – Part 1
By Neha Thethi, Information Security Analyst, BH Consulting
Part 1 – Identity and Access Management in AWS
This is the first in a five-part blog series that provides a checklist for proactive security and forensic readiness in the AWS cloud environment. This post relates to identity and access management in AWS.
In a recent study by Dashlane regarding password strength, AWS was listed as an organization that supports weak password rules. However, AWS has numerous features that enable granular control for access to an account’s resources by means of the Identity and Access Management (IAM) service. IAM provides control over who can use AWS resources (authentication) and how they can use those resources (authorization).
The following list focuses on limiting access to, and use of, root account and user credentials; defining roles and responsibilities of system users; limiting automated access to AWS resources; and protecting access to data stored in storage buckets – including important data stored by services such as CloudTrail.
The checklist provides best practice for the following:
- How are you protecting the access to and the use of AWS root account credentials?
- How are you defining roles and responsibilities of system users to control human access to the AWS Management Console and API?
- How are you protecting the access to and the use of user account credentials?
- How are you limiting automated access to AWS resources?
- How are you protecting your CloudTrail logs stored in S3 and your Billing S3 bucket?
- Lock away your AWS account (root) login credentials
- Use multi-factor authentication (MFA) on root account
- Make minimal use of root account (or no use of root account at all if possible). Use IAM user instead to manage the account
- Do not use AWS root account to create API keys.
- Create individual IAM users
- Configure a strong password policy for your users
- Enable MFA for privileged users
- Segregate defined roles and responsibilities of system users by creating user groups. Use groups to assign permissions to IAM users
- Clearly define and grant only the minimum privileges to users, groups, and roles that are needed to accomplish business requirements.
- Use AWS defined policies to assign permissions whenever possible
- Define and enforce user life-cycle policies
- Use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources
- Use roles for applications that run on Amazon EC2 instances
- Use access levels (list, read, write and permissions management) to review IAM permissions
- Use policy conditions for extra security
- Regularly monitor user activity in your AWS account(s).
- Rotate credentials regularly
- Remove/deactivate unnecessary credentials
- Protect EC2 key pairs. Password protect the .pem and .ppk file on user machines
- Delete keys on your instances when someone leaves your organization or no longer requires access
- Regularly run least privilege checks using IAM user Access Advisor and IAM user Last Used Access Keys
- Delegate access by using roles instead of by sharing credentials
- Use IAM roles for cross-account access and identity federation
- Use temporary security instead of long-term access keys.
- Use IAM roles for EC2 and an AWS SDK or CLI
- Store static credentials securely that are used for automated access
- Use instance profiles or Amazon STS for dynamic authentication
- For increased security, implement alternative authentication mechanisms (e.g. LDAP or Active Directory)
- Protect API access using Multi-factor authentication (MFA).
- Limit access to users and roles on a “need-to-know” basis for data stored in S3
- Use bucket access permissions and object access permissions for fine-grained control over S3 resources
- Use bucket policies to grant other AWS accounts or IAM
For more details, refer to the following AWS resources:
- IAM Best Practices
- Logging IAM Events with AWS CloudTrail
- Security Checklist – General
- AWS Security Best Practices
- Protect your S3 bucket in a right way
Next up in the blog series, is Part 2 – Infrastructure Level Protection in AWS – best practice checklist. Stay tuned.
Let us know if we have missed anything in our checklist!
DISCLAIMER: Please be mindful that this is not an exhaustive list. Given the pace of innovation and development within AWS, there may be features being rolled out as these blogs were being written. Also, please note that this checklist is for guidance purposes only.
Sign up to receive CSA's latest blogs
This list receives 1-2 emails a month.