AWS IAM Account Security: 5 AWS IAM Best Practices

by Hannah Grace Holladay / November 15th, 2021

AWS provides dozens of cloud services ranging from storage and compute to machine learning and security services. AWS is by far the biggest cloud platform, and thousands of businesses entrust it with their most sensitive data and critical workloads. Ensuring only authorized users can access these assets is the job of AWS Identity and Access Management (AWS IAM). 

As you might imagine, improper use of AWS IAM can create serious security vulnerabilities. This article introduces AWS IAM and discusses five of the most critical AWS IAM security best practices. 

What is AWS IAM?

AWS IAM is a cloud service for managing access to resources in the AWS cloud. As the name suggests, IAM has two main roles:

  • Identity management — verifying that a user is who they claim to be with authentication mechanisms such as passwords, multi-factor authentication, and federated identity management solutions such as Microsoft Active Directory. 
  • Access management — controlling which resources users can access. Each user has a set of permissions that determine the actions they can take within a business’s AWS account. 

These roles mean that IAM is the gatekeeper for AWS resources. If businesses fail to follow IAM best practices, they risk giving unauthorized users access to their data and infrastructure. 

What Are Users, Groups, and Roles in AWS IAM?

When an AWS account is first created, it has a single user. This is the root user, which has complete access to all resources. As we’ll discuss in the next section, the root user should not be used for day-to-day operations. It should, however, be used to create other IAM identities with varying permissions.

IAM provides three primary types of identity: users, groups, and roles. Each has an associated set of permissions, but they serve different purposes. 

  • Users — users represent people, and they are used to give individuals the ability to log in and manage AWS resources. Users are granted permissions, either by attaching a permissions policy or by adding them to a group. IAM users can also generate access keys, which can be used for programmatic access to AWS APIs. 
  • Groups a group is a collection of users. Groups also have configurable permissions, which all members inherit. Groups make it easy to grant permissions to a class of users. For example, a business might create a DevOps group with permissions to manage EC2 instances. 
  • Roles — roles have many of the same properties as users. However, roles are not linked to a single individual, and they do not have log-in credentials. Instead, roles are temporarily assumed by users who need a specific set of permissions to complete a task. 

5 Steps to Secure Your AWS IAM Account

1. Create IAM Users with Appropriate Permissions 

We recommend using the root account to create users, groups, and roles with suitable permissions. Once that’s done, use those identities to manage day-to-day operations. To further improve IAM security, activate multi-factor authentication on user accounts. With MFA turned on, user accounts are safe even if their password is exposed.  

2. Enforce AWS Least-Privilege Permissions

Create permissions policies that provide the lowest possible access.  IAM identities cannot control resources unless they are given permission.  Determine the minimum set of permissions to grant when creating users, groups, and roles. You can always add more later if they’re needed. 

It may be tempting to give users broad permissions in case they need to carry out a particular task. But it is more secure to be restrictive at first, only granting additional privileges when a user finds they are required. 

As your business and its AWS environment evolve, the permissions needed by IAM identities will change. Perhaps a user needed broad permissions to manage resources at one time, but no longer. In that case, their permissions should be restricted and unnecessary access removed. For the same reason, ensure that unused users, roles, and groups are deleted. 

You may also want to use IAM Access Analyzer to refine permissions policies. IAM Analyzer helps businesses to maintain least-privilege access by generating permissions policies based on access activities.  IAM Access Analyzer also provides last-accessed and last-used timestamps that can help you to identify unneeded permissions and unused identities.  

3. Secure the AWS IAM Root Account

As we mentioned above, the root account has universal permissions. It can access and control all resources owned by an AWS account. With its access keys, developers can control those resources via AWS APIs. The root account is uniquely useful, but it is also uniquely dangerous. Attackers may gain complete control of your AWS account if its credentials or access keys are exposed.

Therefore, the AWS root account and its access keys should not be used to manage AWS resources. If your business is already using the root account in day-to-day operations, consider creating new users accounts with limited permissions. Use these instead of the root account. Change the root account’s password and delete its access keys. Use Amazon CloudTrail and CloudWatch to monitor API calls to ensure that you haven’t missed any use of the root account. 

4. Ensure Account Information Is Accurate

AWS may send you security notifications, and it’s imperative they go to the correct email addresses. It’s not unusual for businesses to create AWS accounts with email addresses that aren’t monitored. We recommend designating one or several individuals responsible for checking and responding to notifications. Ensure that their contact details are correctly recorded in AWS and that they regularly check the email inboxes for notifications. 

In addition to the primary email address associated with an account, AWS provides alternate contacts for billing, operations, and security notifications. Businesses can use these addresses to ensure notifications are sent to the right people. 

5. Use AWS Security Hub, Amazon GuardDuty, and other AWS Security Tools

AWS provides several services to help businesses to monitor and improve security. Perhaps the most important is the AWS Security Hub. The Security Hub centralizes alerts from several other services, allowing companies to access high-priority security alerts quickly. 

The services that send alerts to AWS Security Hub include:

  • Amazon GuardDuty, a threat detection service that monitors AWS accounts for malicious activity. 
  • Amazon Inspector, an automated security assessment service. 
  • AWS Firewall Manager, a centralized firewall management service.
  • Amazon Macie, a data security and privacy service that uses machine learning to help businesses to identify and protect sensitive information. 

KirkpatrickPrice’s AWS Cybersecurity Services provide AWS audits and a wealth of actionable information to help businesses identify AWS security and compliance threats and protect their infrastructure and data. Contact a cloud information security specialist today for assistance with your AWS security and compliance challenges.