LAS VEGAS -- If there was one clear theme from the security-focused technical sessions Wednesday at the inaugural AWS re:Invent conference, it's that the diligent use of IAM tools and best practices is critical in securing AWS cloud environments.
If you don't have multifactor authentication on your root account, you're fundamentally protected only by a password.
director of AWS identity
During one talk that focused on using the SANS Institute's CSIS 20 Critical Security Controls as a baseline to secure an Amazon Web Services (AWS) cloud environment, AWS Principal Security Solutions Architect Max Ramsay said identity and access management (IAM) techniques are essential for applying several of the controls.
For instance, for CC1, inventory of authorized and unauthorized devices, Ramsay advised using AWS IAM tools to create a separation of duties so only people authorized to create and launch services can do so.
He said it's also useful for CC12, controlled use of administration privileges, as a means of setting specific levels of access for third parties and short-term users. For instance, contractors hired for a specific role can be given access limited to their duties, while auditors can be given read-only accounts so they can see an entire infrastructure, but not make changes to it.
Jim Scharf, director of identity and access management for AWS, spoke on the specific IAM features of AWS. He said the AWS IAM administration design attempts to combine simplicity for startups and first-time cloud users, while also offering granularity of features so that even large enterprises have the IAM features they need.
Scharf said that granularity allows restrictions to the extent that a user can be given read-only access to files from the Amazon Simple Storage Service (S3), time and location-based access so a user can only access services from a certain location during a certain time of day, or even require multifactor authentication before access to certain files is granted.
Using the example of an entrepreneur who needs to assign different access privileges for various business groups in his startup company, Scharf discussed what sort of business functions AWS IAM can support.
An IT operations team, Scharf said, can quickly be given full access to all systems. This group would also need to have what he called access key IDs generated for each user in order to make service calls to other AWS services.
For a sales and marketing team that only needed basic read-only access, Scharf noted that one of the AWS templates can be used to speed up the provisioning process. Conversely, for a developer group that may need fine-tuned access levels for a variety of systems and files, the policy generator feature can be used to create a custom policy.
All user provisioning can be done in just minutes, Scharf said, but the system uses a default-deny model, meaning that not only does a user account need to be created, but that user's access also must be enabled, serving as a final check so the administrator has an additional opportunity to confirm the access rights.
Scharf also discussed IAM roles for EC2, a feature announced earlier this year that enables easier creation of instances in Amazon's Elastic Compute Cloud (EC2). Credentials are automatically provisioned out to EC2 instances, ultimately enabling applications on EC2 to securely access AWS service application programming interfaces.
For large enterprises, Scharf detailed how to ensure AWS access adheres to an enterprise policy using several built-in features, such as requiring multifactor authentication for all administrators via either a token device or smartphone app, and password length requirements to the extent which non-admin-level users can control their passwords.
As a top action item for AWS customers, Scharf strongly encouraged organizations to ensure their root accounts require multifactor authentication by default.
"If you don't have multifactor authentication on your root account, you're fundamentally protected only by a password. That's not ideal," Scharf said. "You should all configure multifactor authentication on your accounts before you leave Vegas. Seriously."