Ensuring the right users have access to the right information is a critical security control every enterprise should employ. However, completing this task is not always easy, especially as companies today become more distributed and dispersed across both physical and virtual environments.
The security principles that apply to Amazon Web Services' (AWS) identity and access management (IAM) are similar to those that should be applied elsewhere in an enterprise network.
Users can log into the AWS management console with access keys or username and password combinations, with the option of multifactor authentication (MFA). If an organization is relying on AWS to deliver its infrastructure, protecting the accounts that provide administrative access to the AWS console is paramount. Let's take a closer look at AWS identity and access management.
Managing AWS users
One key point to state here is that the AWS root user should never be shared or used for access; a new account should be created for each person and service requiring access in the cloud. Users and groups are granted access based on policies that can be designed within AWS, in a similar manner to Active Directory. When designing these policies, always use the principle of least privilege; grant each user access only to the resources required to perform their specific role within the environment. This will reduce the risk of accidental changes being made by users not trained in all areas of AWS, and will reduce the impact if an account is compromised.
It is also important to review the roles assigned to users on a regular basis; as job roles change, so should the permissions within AWS.
AWS supports the concept of federated users, which are not managed within AWS. These are users that require single sign-on or temporary access to AWS. This can, for example, be access granted based on Active Directory groups using single sign-on. However, be aware that if a user's Active Directory password is compromised, their AWS access will be compromised, too.
AWS password policy
The password policy for AWS users can be defined within the AWS management console. This should be configured, at a minimum, to comply with the organization's password policy. However, to provide maximum resistance to password-guessing attacks, the policy should require the use of complex passphrases of more than 14 characters, prevent the reuse of previous passwords, and enforce regular password changes.
AWS also permits the use of access keys for authentication. This is generally used by service accounts that require access to Amazon as part of an automated process. It is a best practice to restrict the use of this authentication type and not enable it for real users.
Managing AWS IAM with multifactor authentication
Multifactor authentication (MFA) can offer significant benefits to an enterprise, providing an extra layer of protection beyond that of just a password or PIN. Using MFA for all users is recommended, as it removes the risk of brute force attacks.
AWS identity and access management for secure cloud infrastructure
Amazon offers three MFA choices: a soft token that can be deployed on mobile devices, or two types of hardware tokens. The hardware tokens cost either $12.99 or $19.99. For most organizations, the soft token would be perfectly adequate, and it has the advantage of no additional cost.
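The recommendations in the three sections above (no day-to-day use of the root account, MFA for everyone with a console login, access keys reserved for automation, and a password policy with a minimum length above 14 characters, reuse prevention and expiry) can be checked from two artifacts AWS already provides: the IAM credential report and the account password policy. The audit below is an added example, not code from the article or from AWS; it runs offline over a constructed credential report sample whose columns follow the real report's layout, and over a dict assumed to be shaped like the response to iam:GetAccountPasswordPolicy (a missing key means the setting is not enforced).

```python
import csv

# Constructed sample in the column layout of an IAM credential report;
# only the columns the checks below need are included. The account id
# and user names are made up.
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,false,true,false
alice,arn:aws:iam::123456789012:user/alice,true,true,false,false
bob,arn:aws:iam::123456789012:user/bob,true,false,true,false
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,false,true,false
"""

# Constructed sample assumed to mirror the GetAccountPasswordPolicy response:
# keys that are absent (reuse prevention, max age) are not enforced.
SAMPLE_POLICY = {"MinimumPasswordLength": 8, "RequireSymbols": True}


def parse_credential_report(text):
    # One dict per IAM identity; DictReader accepts any iterable of lines.
    return list(csv.DictReader(text.splitlines()))


def audit_identities(rows):
    # One finding per identity that breaks the article's IAM advice.
    findings = []
    for row in rows:
        user = row["user"]
        has_key = "true" in (row["access_key_1_active"], row["access_key_2_active"])
        has_console = row["password_enabled"] == "true"
        if user == "<root_account>":
            # Root is never used for access, so it should hold no keys and must have MFA.
            if has_key:
                findings.append("root: active access key")
            if row["mfa_active"] != "true":
                findings.append("root: MFA not enabled")
            continue
        if has_console and row["mfa_active"] != "true":
            findings.append(f"{user}: console login without MFA")
        if has_console and has_key:
            # A human (console) user holding access keys; keys are for automation only.
            findings.append(f"{user}: human user holds access keys")
    return findings


def audit_password_policy(policy):
    # Compare the account policy with the article's minimum recommendations.
    findings = []
    if policy.get("MinimumPasswordLength", 0) < 15:
        findings.append("minimum length below 15 characters")
    if "PasswordReusePrevention" not in policy:
        findings.append("password reuse not prevented")
    if "MaxPasswordAge" not in policy:
        findings.append("no password expiry enforced")
    return findings
```

Against a live account the same functions take the CSV returned by `aws iam get-credential-report` (base64-decoded) and the dict returned by `aws iam get-account-password-policy`.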
In conclusion, AWS provides all the tools required to configure strong identity and access management in the cloud; organizations just need the knowledge of what the most secure choices are for their business's needs. Follow the advice in this article and your enterprise will take a significant step in deploying a secure cloud infrastructure.
About the author:
Rob Shapland is a penetration tester at First Base Technologies, where he specializes in Web application security. He has used his skills to test the websites of companies that range from large corporations to small businesses using a wide variety of Web technologies. He is a firm believer that all penetration testing should have manual techniques at their core, using automated tools to support these skills. He is also involved in network testing and social engineering.