Joao Marques
5 Best Practices for Securing Your AWS Environment with IAM

Managing access and permissions in AWS is critical for maintaining the security and integrity of your cloud environment. IAM is a strong framework designed by AWS, but you are responsible for using it well and keeping your project safe from attackers.

1. Create IAM groups to separate access

[image_1]

IAM groups are collections of IAM users. Instead of assigning policies directly to each user, you can attach them to a group. Users in the group inherit the group's permissions, making it easier to manage access at scale.

As the image shows, a user such as Nick can be given custom privileges directly, on top of the permissions inherited from the group. The same applies to any other user within any group, as needed.

2. Principle of least privilege

Grant users, roles, and services only the permissions they need to perform their tasks. Avoid overly permissive policies such as the AdministratorAccess managed policy or statements that use the `*` wildcard for actions and resources.

Instead of this policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

Use narrowly scoped permissions that name the specific actions and resources required:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::example-bucket/*"]
    }
  ]
}
```
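As an added example (not code from the original post), here is a small Python check that parses a policy document and flags Allow statements whose Action is `*` or `service:*`, or whose Resource is the bare `*`. The two sample policies are constructed to mirror the ones shown above; the function is a hypothetical helper, not an AWS API.

```python
"""Flag IAM policy statements that grant wildcard actions or resources."""
import json

# Constructed sample policies mirroring the two shown in the post.
OVERLY_PERMISSIVE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})
LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
})


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard_action(action):
    # "*" grants every API call; "s3:*" grants every call in one service.
    return action == "*" or action.endswith(":*")


def find_wildcard_grants(policy_json):
    """Return (statement_index, field, value) for every Allow statement that
    uses a wildcard in Action or the bare '*' in Resource. Statements that
    rely on NotAction/NotResource are not covered by this simple check."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # a Deny with '*' restricts access, it does not grant it
        for action in _as_list(stmt.get("Action")):
            if _is_wildcard_action(action):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings
```

Running `find_wildcard_grants` over the first policy returns two findings (wildcard Action and Resource); over the second it returns an empty list, since an object-level `bucket/*` resource is scoped to one bucket.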

3. Use multi-factor authentication (MFA)

Enable MFA for all users, especially for highly privileged accounts such as the root user or admin users who have the AdministratorAccess policy. MFA provides an additional layer of security by requiring a second factor; you can use your mobile phone or an external hardware device.

[image_2]

There are some apps you can download from the App Store, such as Google Authenticator (my preferred one) or Authy.

4. Avoid using root account for daily operations

The root account has unrestricted access to all resources in your AWS environment. Use it only for initial account setup and specific administrative tasks. Create individual IAM users or roles for daily operations.

5. Configure the password policy for your users

Access keys and passwords should be rotated periodically to reduce the risk of unauthorized access.

You can configure this in:

IAM > Account Settings > Edit password policy

[image_3]

Align with industry standards or your company policies.

My opinion about this:

AWS is responsible for everything it does: for example, its infrastructure, its network security, and the vulnerability analysis of the services it offers.

But regarding IAM, you are responsible for creating your own users, groups, roles, policies, and monitoring; for enabling MFA on the accounts; for rotating your keys often; and for analysing access patterns and reviewing the permissions given to groups/users/roles.

Never forget these concepts, because forgetting them can lead to security breaches for your organization. I hope I helped you somehow!
