Essential AWS - IAM Best practices

My way to AWS Solutions Architect

IAM best practices

  1. Lock down the AWS root user

    The root user is an all-powerful and all-knowing identity in your AWS account. So, you need to be careful with malicious users were gain control of root-user credentials.

    • Don't share the credentials associated with the root user.

    • Consider deleting the root user access keys.

    • Activate MFA on the root account.

  2. Follow the principle of least privilege

    • To grant only the necessary permissions to do a particular job and nothing more.
  3. Use IAM appropriately

    • IAM provides a way to create and manage users, groups, and roles to access resources in a single AWS account.

      NOT used for website authentication and authorization.

      NOT support security controls for protecting operating systems and networks.

  4. Use IAM roles when possible

    • Maintaining roles is more efficient than maintaining users. When you assume a role, it provides temporary credentials that expire after a defined period of time. Users, on the other hand, have long-term credentials, and these only expire when you or the account admin rotates the keys.
  5. Consider using an identity provider

    • An identity provider provides a single source of truth for all identities in your organization. For example, your employee Matcha has access to multiple AWS accounts. Instead of creating and managing multiple IAM users for each of those AWS accounts, you could manage Martha in your company's IdP.
  6. Regularly review and remove unused users, roles, and other credentials

    • IAM provides last accessed information to help you identify irrelevant credentials that you no longer need so that you can remove them, reducing the number of resources that you have to monitor.