This content is part of the Essential Guide: Use this AWS cloud security guide to protect workloads

Five AWS IAM best practices to bolster cloud security

To mitigate risks and protect cloud resources, many organizations rely on AWS IAM policies. Use these five tips to learn the basic features -- and limitations -- of the service.

Identity and access management plays an essential role in any cloud security strategy. Those who need access to cloud resources should receive it -- but only to the extent in which they need it. IT administrators, for example, require higher levels of cloud access than an end user.

AWS' Identity and Access Management (IAM) service acts as a directory through which admins can grant, restrict and track users' cloud access privileges. Not only does this help IT teams control in-house access to the cloud, but it also acts as a first line of defense against outside intrusions and hackers.

But before admins get started with the service, they should familiarize themselves with certain AWS IAM best practices. These include how to create and manage IAM accounts and how to supplement the IAM service with other native and third-party tools.

Here are five tips to increase cloud security with AWS IAM.

Master the basics of AWS IAM

Admins can access AWS IAM through the web, API or command-line tools. AWS Command Line Interface (CLI) provides an administrator with more granular control over IAM activity, with the ability to perform tasks more quickly through scripts. When admins choose to access the IAM service through APIs or software development kits, they can integrate legacy and third-party tools for additional IAM features.

IAM works with several different credential types, such as Secure Socket Shell keys, AWS access keys and passwords, to authenticate users. AWS does not automatically assign IAM permissions to users, so admins must perform that task through policies. A set of commonly used permissions, called AWS managed policies, includes low-level features, such as read-only access for certain cloud services, while admins can also create custom policies and permissions for specific users, groups and roles, as needed, through AWS Management Console, CLI or IAM API.

Implement AWS IAM roles, other features

Among other AWS IAM best practices is the use of roles, which admins can use to create permissions for different users, services and workloads.

To create IAM roles, administrators use the IAM console, API or AWS CLI. First, they need to identify the specific services or accounts that will assume the role, as well as the resources that the role can access. After defining these specifications, the admin will need to launch the target instance to enable the role.

In addition to roles, an admin can implement security features, such as identity federation and multifactor authentication (MFA). Identity federation differs from IAM roles because it enables an administrator to assign access permissions to resources that weren't initially created in IAM. Federated users receive access through permissions or roles and use temporary security credentials.

With MFA, admins can combine usernames and passwords with authentication codes created by an MFA device.

Automate with service-linked IAM roles

To automate certain parts of the identity management process, admins can use service-linked IAM roles. These roles enable an IT team to predetermine trust policies and permissions for specific cloud services, such AWS Elastic Beanstalk. When a user invokes one of these services, AWS will automatically link it to its corresponding role. This saves admins time and speeds up service configuration.

To determine which services support service-linked roles, admins can use the IAM Roles page of AWS Management Console. Only a limited number of AWS' offerings currently support service-linked roles, but administrators receive a message when a new role is available for use.

While these roles can eliminate some time-consuming administrator tasks, it is important to minimize session times for roles. This is one of the AWS IAM best practices that's in conjunction with the principle of least privilege.

Supplement IAM with CloudTrail, third-party tools

Some AWS IAM best practices require admins to look beyond the service itself.

For example, logging tools, such as AWS CloudTrail, are a good complement to the IAM service, helping admins stay on top of compliance requirements and track API requests. In addition, third-party and open source tools, including Chalice, can help automate IAM policy creation to save admins time.

However, while third-party tools eliminate or accelerate some mundane management tasks, they often lack flexibility and require extra admin oversight. Compared to testing AWS-native tools, tests for third-party tools can generate some unintended consequences that affect cloud security. Lastly, to stay on top of security protocols and limit vulnerabilities, third-party vendors need to update their tooling as regularly as AWS updates its IAM APIs.

Manage access across multiple AWS accounts

AWS IAM contains a cross-account feature that enables administrators to grant permissions to users in different AWS accounts. With this feature, end users can access data from its source without the need to replicate storage resources across multiple AWS accounts, such as one account for staging and another for production.

For example, administrators could use the cross-account feature to define how they want staging account users to access the production account and its associated resources, without having to create new IAM roles for the production account.

Next Steps

Step-by-step guide on how to create an IAM user in AWS

Dig Deeper on AWS infrastructure

App Architecture
Cloud Computing
Software Quality