What are some of the recommended best practices for identity and access management IAM they can put in place to make sure their accounts are secure?


Identity and Access Management is one of the first steps to achieving cloud security. Organizations are adopting cloud technologies at a rapid pace, and in the rush to do so they often leave their cloud infrastructure vulnerable. Providing a safe and secure environment in which to store identifiable information therefore becomes crucial.

If you want to explore the basics of IAM, you can download our eBook on “IAM For Cloud Dummies.”

Identity and Access Management (IAM) systems provide the capability to create and manage user accounts, roles, and access rights for individual users in an organization. They typically incorporate user provisioning, password management, policy management, access governance, and identity repositories in an often-complex design. Because providing IAM is a colossal task, you’re likely to face many challenges. You may be asked to confirm the accounts in your IAM system and the access rights for each, which can be a daunting and challenging task. Unfortunately, the environments that IAM systems support are often subject to both persistent attacks and inadvertent permission creep due to changing roles and rights within your organization.

To ease the pain that IAM can be, we list six best practices that you can incorporate:

1. Multi-factor Authentication (MFA) is a must

MFA is the first step in creating layers of trust. Apart from the password known only to the user, there are two further layers of authentication:

 i. Something the user already has, such as a key or a security pass.
ii. Something inherent to the user, such as biometric information or voice recognition.

MFA ensures that even if the hacker has breached one layer, there is another layer of security to breach before they can access your cloud. So, MFA should be mandatory.

2. Never share account credentials

This should be basic when handling credentials that can be used to access your cloud infrastructure. Instead of sharing accounts, create an individual IAM user for each employee who needs to access cloud resources. This lets the admin assign each user a unique set of permissions based on that person’s job requirements.

3. Always audit access to resources

It’s essential to regularly review your organization’s IAM policies to ensure they grant only the least privileges needed. Reviewing the access logs adds another layer of security to your cloud infrastructure: the admins can see who accessed what and when.

4. Enforce a strong password policy

According to Skyhigh, the top 20 most common passwords account for 10% of all passwords. The number suggests that a hacker can infiltrate one out of twenty user accounts without any brute-force attack if the user happens to use a very common password such as “123456” or “password.”
When creating passwords, admins and users can implement the following practices:

  • Define minimum and maximum password lengths.
  • Require special characters.
  • Restrict sequential and repetitive characters.
  • Set up a password expiration policy.
  • Restrict dictionary words in passwords.
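As an added example (not code from the original article), the following Python implements the five checks above as a reusable validator. The thresholds, the dictionary and the common-password list are assumed values constructed for illustration; a production check would load a full wordlist and a breached-password set and set the limits per its own standard.

```python
import re
import string

# Illustrative thresholds (assumed values, not from the article); set them per your own standard.
MIN_LENGTH = 12
MAX_LENGTH = 128
MAX_SEQUENTIAL = 3      # a run of 4 ordered characters ("abcd", "4321") is rejected
MAX_REPEATED = 2        # a run of 3 identical characters ("aaa") is rejected

# Constructed word lists for the example; a real check loads a full dictionary and a breached-password set.
DICTIONARY_WORDS = ("password", "welcome", "qwerty", "letmein", "admin")
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "abc123"}


def has_sequential_run(pw: str, length: int) -> bool:
    """True if pw contains `length` consecutive characters in ascending or descending code-point order."""
    lowered = pw.lower()
    for i in range(len(lowered) - length + 1):
        codes = [ord(c) for c in lowered[i:i + length]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeated_run(pw: str, length: int) -> bool:
    """True if any character appears `length` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (length - 1), pw) is not None


def check_password(pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if has_sequential_run(pw, MAX_SEQUENTIAL + 1):
        problems.append(f"contains {MAX_SEQUENTIAL + 1}+ sequential characters")
    if has_repeated_run(pw, MAX_REPEATED + 1):
        problems.append(f"contains {MAX_REPEATED + 1}+ repeated characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    for word in DICTIONARY_WORDS:
        if word in lowered:
            problems.append(f"contains dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Password2024!", "Tr0ub4dor&3Plum"):
        print(candidate, "->", check_password(candidate) or "OK")
```

The expiration rule from the list is not a property of the string itself, so it belongs in the account record (a "last changed" timestamp compared against the policy) rather than in this validator.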

5. Remove the unnecessary IAM users and associated credentials

In 2019, various cloud breach cases involved ex-employees. How did they get access to the cloud infrastructure? Using their existing credentials. Every unnecessary IAM user should be removed to minimize the risk of credentials being stolen or handing hackers an easy entry point. The audit step mentioned above should help you figure out which IAM users have not logged in for an extended period, so that you can decide whether to delete them or revoke their permissions.

6. Do not embed keys into code or instances

When writing code, it seems convenient enough to store keys in the code itself or in the environment, but this only invites vulnerability. Even if the keys are encrypted, there is a high possibility that hackers will be able to extract them. The recommended practice is to use Azure Service Principals, GCP Service Accounts, or AWS IAM Roles, depending on which cloud service you use.
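As an added example (not code from the article), here is a small Python scanner of the kind one can run in a pre-commit hook or CI job to catch access keys before they reach a repository. The sample source is constructed and uses the key pair that AWS publishes in its documentation as an example (AKIAIOSFODNN7EXAMPLE and its companion secret), so nothing real is embedded; the AKIA and ASIA prefixes are the real long-term and temporary key-ID prefixes.

```python
import re

# Constructed source file for the scan; the key pair is the one AWS publishes in its documentation
# as an example, not a live credential.
SAMPLE_SOURCE = '''\
import boto3
# quick hack, TODO move to an IAM role
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
s3 = boto3.client("s3")  # with a role, the SDK picks credentials up from the instance metadata instead
'''

# Long-term key IDs start with AKIA and temporary ones with ASIA; both are 20 upper-case alphanumerics.
KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# A secret key is 40 base64-alphabet characters; requiring the assignment context keeps random
# base64 blobs (hashes, signatures) from being reported.
SECRET_RE = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+]{40})")


def redact(value: str) -> str:
    """Keep a short prefix so a report does not itself leak the credential."""
    return value[:4] + "..." + "*" * 4


def find_embedded_keys(source: str) -> list:
    """Return (line number, finding type, redacted value) for every suspected AWS credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in KEY_ID_RE.finditer(line):
            findings.append((lineno, "access_key_id", redact(m.group(0))))
        for m in SECRET_RE.finditer(line):
            findings.append((lineno, "secret_access_key", redact(m.group(1))))
    return findings


if __name__ == "__main__":
    for lineno, kind, value in find_embedded_keys(SAMPLE_SOURCE):
        print(f"line {lineno}: {kind} {value}")
```

A scanner like this is a safety net, not the fix: the fix is the role-based credential delivery the paragraph recommends, which leaves nothing for the scanner to find.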

To get exclusive cloud security content right into your inbox, subscribe to our newsletter.


Amazon Web Services (AWS) Identity and Access Management (IAM) features include groups, users, IAM policies, IAM roles, and identity federation to help run your cloud architecture in a secure manner. In this article, we’ll delve into five IAM advanced best practices that can significantly boost cloud security.

1. Enable multi-factor authentication (MFA) for privileged users

Strong passwords are a must for securing enterprise data and networks, but that is not enough. Most breaches occur due to compromised authentication. Security experts highly recommend multi-factor authentication. It mandates any two of the three factors mentioned below before access is granted to any system:

  1. Something you know: such as a password
  2. Something you possess: such as a hardware token or a one-time password (OTP) on a mobile device
  3. Something you are: such as a retina scan or fingerprint

Adhering to best practices, AWS has mandated multi-factor authentication for all privileged IAM users. These are users who have access to APIs or other sensitive resources. AWS provides a couple of options to its users to enable the second level of authentication:

  • Security token-based authentication: A six-digit numerical value is generated by a password-generation algorithm. The user must key in this value on the second web page presented during login. A security token can be either a hardware or a virtual device assigned to the IAM user or AWS root account user. A virtual device can be a software program running on a mobile device, but the security of a dedicated hardware device is far stronger than that of software installed on a mobile device. Each of these devices is unique, and the numerical values they generate cannot be shared among users.
  • SMS authentication: The overall process remains the same as for security token-based authentication, but instead of a hardware or virtual device, a six-digit one-time password (OTP) is sent to the user’s mobile device. Note that the SMS-based method of authentication cannot be used with the AWS account root user.

2. Use Policy Conditions for Extra Security

Policies are sets of JSON statements which grant certain permissions to users. To add more security, AWS has added an optional component called ‘Condition’ to policies. A condition block always evaluates to a boolean output, ‘true’ or ‘false’, which decides whether a policy grants or denies the request.

For example, one can write a condition that denies all requests coming from a particular subnet access to any resource, or that allows subnet X.X.X.X access only for the next week. Let’s look at a basic condition block. Here, the condition operator “DateLessThan” specifies that access to a particular resource lasts until 2017-10-15, and the key “aws:CurrentTime” is compared to that value to determine the permissions.

    "Condition": {
        "DateLessThan": {
            "aws:CurrentTime": "2017-10-15T12:00:00Z"
        }
    }

A condition block can further contain multiple conditions (Condition 1 and Condition 2 in the diagram below), which are combined with a logical AND. Likewise, multiple keys within one condition are combined with a logical AND, and if a key has multiple values, a logical OR is used for evaluation.

Figure 1: Condition Block

AWS provides a long list of conditional operators needed for various comparisons. These operators can be grouped as:

  • String
  • Numeric
  • Date and time
  • Boolean
  • Binary
  • IP address
  • Amazon Resource Name (ARN) (not for all services)
  • …IfExists
  • Null check

Though all of these operators have their own significance, we will explain the ‘Null’ conditional operator with an example. The Null operator checks whether a particular key is present: ‘true’ means the key is not present, while ‘false’ means the key is present. In the example below, the key is “aws:TokenIssueTime”, which exists only when temporary credentials are in use, so access to EC2 resources is denied whenever the user is using temporary credentials.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "Null": { "aws:TokenIssueTime": "false" }
            }
        }
    }
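As an added example (not code from the article or from AWS), the following Python models the evaluation rules described above: operators and keys inside a condition block are ANDed, the values of one key are ORed, and the Null operator tests for the presence of a key. It handles five of the operator families listed above (StringEquals, Bool, DateLessThan, IpAddress, Null); the policy and request contexts are constructed, and the decision logic is a simplification of IAM's real evaluation (an applicable explicit deny wins, then allow, else implicit deny) that ignores resources and principals. The second statement also shows how the MFA requirement from section 1 is expressed as a condition on the aws:MultiFactorAuthPresent key.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed policy for this illustration: statement 1 mirrors the Null example above (deny all EC2
# actions to temporary credentials); statement 2 allows two read-only EC2 actions from two address
# ranges, only with MFA, and only until 2017-10-15.
EXAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny", "Action": "ec2:*", "Resource": "*",
            "Condition": {"Null": {"aws:TokenIssueTime": "false"}},
        },
        {
            "Effect": "Allow", "Action": ["ec2:DescribeInstances", "ec2:DescribeVolumes"], "Resource": "*",
            "Condition": {
                "DateLessThan": {"aws:CurrentTime": "2017-10-15T12:00:00Z"},
                "IpAddress": {"aws:SourceIp": ["10.0.0.0/16", "192.0.2.0/24"]},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        },
    ],
}

# Constructed request contexts: a long-term-credential session with MFA, and the same session
# on temporary credentials (which is when aws:TokenIssueTime is present).
MFA_SESSION = {"aws:CurrentTime": "2017-10-01T09:00:00Z", "aws:SourceIp": "10.0.5.7",
               "aws:MultiFactorAuthPresent": "true"}
TEMP_CRED_SESSION = {**MFA_SESSION, "aws:TokenIssueTime": "2017-10-01T08:00:00Z"}


def _values(v):
    """A condition value or Action may be a single string or a list; normalise to a list."""
    return v if isinstance(v, list) else [v]


def _iso(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _match(operator: str, key: str, wanted, ctx: dict) -> bool:
    """Evaluate one operator/key pair; a key with several values matches if ANY value does (OR)."""
    present = key in ctx
    if operator == "Null":
        # "true" requires the key to be absent, "false" requires it to be present
        return present == (_values(wanted)[0] == "false")
    if not present:
        return False  # every other operator fails on a missing key
    actual = ctx[key]
    if operator == "StringEquals":
        return any(actual == w for w in _values(wanted))
    if operator == "Bool":
        return any(str(actual).lower() == str(w).lower() for w in _values(wanted))
    if operator == "DateLessThan":
        return any(_iso(actual) < _iso(w) for w in _values(wanted))
    if operator == "IpAddress":
        return any(ip_address(actual) in ip_network(w) for w in _values(wanted))
    raise ValueError(f"operator {operator} not implemented in this example")


def condition_matches(condition: dict, ctx: dict) -> bool:
    """Every operator block and every key inside it must match (AND across both levels)."""
    return all(_match(op, key, wanted, ctx)
               for op, keys in condition.items()
               for key, wanted in keys.items())


def _action_applies(pattern, action: str) -> bool:
    """Match "service:Name" against the statement's Action entries, honouring "*" and "service:*"."""
    svc, _, name = action.lower().partition(":")
    for p in _values(pattern):
        if p == "*":
            return True
        psvc, _, pname = p.lower().partition(":")
        if psvc == svc and pname in ("*", name):
            return True
    return False


def evaluate(policy: dict, action: str, ctx: dict) -> str:
    """Simplified IAM decision: an applicable explicit Deny wins, then Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for stmt in _values(policy["Statement"]):
        if not _action_applies(stmt["Action"], action):
            continue
        if "Condition" in stmt and not condition_matches(stmt["Condition"], ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


if __name__ == "__main__":
    print("MFA session:      ", evaluate(EXAMPLE_POLICY, "ec2:DescribeInstances", MFA_SESSION))
    print("temporary creds:  ", evaluate(EXAMPLE_POLICY, "ec2:DescribeInstances", TEMP_CRED_SESSION))
```

Running it shows the two halves of the rule: the MFA session from an allowed range is allowed, while the same request on temporary credentials hits the Null-based deny first, because the key is present and the statement asks for "false".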

3. Remove Unnecessary Credentials

It is always a good security practice to regularly audit user credentials and remove them in case they are not in use. AWS provides an out-of-the-box ‘credential report’ which helps you track the lifecycle of passwords and access keys. The report includes user details, date created, when the password was last used, and when the password was last changed. Also, if you have set a password rotation policy, this report shows the date and time at which the user is supposed to change the password.

For access keys, the report shows whether a user has an access key and whether it is active, the date and time when the key was created or last rotated, when the access key was last used, the AWS region where it was last used, and the AWS service (Amazon S3, EC2, etc.) for which it was last used.

These details are quite useful for internal and external audits. With AWS, you can grant a role to an auditor so they can download the credential report directly whenever required.

Credential reports can be generated every four hours. If you try to generate a new report within four hours, the last-generated report will be shared with the user. AWS IAM internally checks when the last report was generated and takes a decision whether to generate a new one or not.

There are multiple ways to generate a credential report (listed below), but the simplest is to log in to the AWS management console → open the IAM console → click “Credential report” in the navigation panel → click “Download report” (a comma-separated values file is provided).

  1. AWS management console
  2. AWS CLI
  3. AWS Tools for PowerShell
  4. IAM API
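As an added example (not code from the article or from AWS), the following Python turns a downloaded credential report into the removal and rotation candidates that section 3 asks for. The sample CSV is constructed in the shape of the real report using a subset of its column names; the account id, user names, timestamps, the reference date and the 90-day thresholds are all assumed values for illustration.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an IAM credential report (a subset of its columns);
# account id, user names and timestamps are made up for this illustration.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2015-01-10T10:00:00+00:00,not_supported,2019-12-01T08:15:00+00:00,true,false,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-03-02T09:30:00+00:00,true,2019-12-20T07:45:00+00:00,true,true,2019-11-01T12:00:00+00:00,2019-12-19T16:30:00+00:00,ec2
bob,arn:aws:iam::123456789012:user/bob,2017-05-11T14:00:00+00:00,true,2019-06-03T11:20:00+00:00,false,true,2018-02-14T09:00:00+00:00,2019-05-30T10:05:00+00:00,s3
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2018-09-20T08:00:00+00:00,false,no_information,false,true,2018-09-20T08:00:00+00:00,N/A,N/A
"""

REPORT_DATE = datetime(2019, 12, 21, tzinfo=timezone.utc)  # assumed "now" for the sample
UNUSED_AFTER = timedelta(days=90)    # assumed thresholds; set them per your own policy
ROTATE_AFTER = timedelta(days=90)


def parse_timestamp(value: str):
    """The report uses N/A, no_information and not_supported where no timestamp applies."""
    if value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def older_than(value: str, limit: timedelta) -> bool:
    """A missing timestamp counts as stale: a credential that was never used is a removal candidate."""
    ts = parse_timestamp(value)
    return ts is None or REPORT_DATE - ts > limit


def audit_credential_report(report_csv: str) -> dict:
    """Map each user with at least one finding to the list of findings."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                issues.append("console password without MFA")
            if older_than(row["password_last_used"], UNUSED_AFTER):
                issues.append(f"password unused for more than {UNUSED_AFTER.days} days")
        if row["access_key_1_active"] == "true":
            if row["user"] == "<root_account>":
                issues.append("root account has an active access key")
            if older_than(row["access_key_1_last_used_date"], UNUSED_AFTER):
                issues.append(f"access key 1 unused for more than {UNUSED_AFTER.days} days")
            if older_than(row["access_key_1_last_rotated"], ROTATE_AFTER):
                issues.append(f"access key 1 not rotated for more than {ROTATE_AFTER.days} days")
        if issues:
            findings[row["user"]] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_credential_report(SAMPLE_REPORT).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

On the sample, alice and the root account come out clean, bob is flagged for a password without MFA and for a stale, unrotated key, and deploy-bot is flagged for a key that has never been used: exactly the cases sections 3 and 5 say should be deleted or have their permissions revoked.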

4. Use AWS-Defined Policies to Assign Permissions Whenever Possible

If you’re new to the AWS world and struggling to create and maintain your own policies for different job functions, consider starting with the out-of-the-box AWS-defined policies whenever possible. These policies are well aligned to common information technology functions, ranging from the finance person responsible for billing, to the data scientist executing Hadoop queries, to the network administrator who sets up, configures and maintains databases in the AWS cloud. For example, the ‘Network Administrator’ policy grants access to set up and maintain networking for Amazon EC2, Amazon Route 53, Amazon Virtual Private Cloud (VPC), and AWS Direct Connect.

A major benefit of using these policies is the auto-update functionality AWS provides: these policies are updated whenever a new AWS service or API is introduced, which saves a lot of time and makes life easier. For example, AWS manages a policy called ‘ReadOnlyAccess’ which provides read access to all AWS services and resources. Say a new service is launched by AWS. AWS will make sure that the ‘ReadOnlyAccess’ policy is updated to cover the newly launched service, and this change will apply to every entity (group, user, or role) to which the ReadOnlyAccess policy is already attached.

AWS-defined policies cannot be modified by end users; those rights rest solely with Amazon. One can make a copy of an AWS policy and make the required customizations, but that copy will not be an AWS policy and hence will not be updated by AWS with new services or APIs.

The diagram below demonstrates how an AWS managed policy can be applied to multiple accounts (AWS Account1 and AWS Account2) and to different roles in the same account (Role EC2-app and Role ThirdPartyAccess in AWS Account1). Here, the AWS policies under consideration are AdministratorAccess, PowerUserAccess and AWSCloudTrailReadOnlyAccess.

Figure 2: AWS Managed Policy

5. Use Groups to Assign Permissions to IAM Users

It is always easier to create groups and assign permissions to them than to define permissions for individual users. In Figure 2 above, the policy ‘AdministratorAccess’ is assigned to the group ‘Admins’, and the same access flows down to users ‘Alice’ and ‘Susan’ automatically. This way, one can create multiple groups for various job functions (Administrator, Security Auditor, etc.), assign the relevant permissions to each group, and then add users to those groups.

This methodology for managing permissions is not only easier; it is more secure and manageable, too. For example, whenever there are inter-departmental moves, one simply needs to place the individual in another group rather than redefining the whole set of permissions.

The Importance of Following IAM Best Practices

AWS is a vast and complex system, but it provides a free service in the form of Identity and Access Management, the first step towards securing your cloud resources. By following IAM best practices such as multi-factor authentication and removing unused credentials with timely audits, the chances of a security breach can be greatly reduced.

If you want to save the time and energy needed to define your own policies, AWS-defined policies are the best place to start. These policies are well-aligned to common IT job functions. These IAM best practices can help to easily manage AWS users, groups, roles and permissions and improve the security of your AWS resources.

Ready to Implement IAM Best Practices?

Schedule a demo to learn how CloudCheckr can help you implement IAM best practices and meet other benchmarks for security, compliance, and more.