SEC309 Secure Your Cloud Investment: Mastering AWS Identity Access Management (IAM)
- 1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Aaron Newman, Co-Founder & CEO, CloudCheckr
July 26, 2017
Secure Your Cloud Investment
Mastering AWS Identity and Access Management (IAM)
- 2. What is AWS Identity and Access Management (IAM), and why does it matter?
10 IAM Best Practices
Using CloudCheckr to monitor best practices
Agenda
- 3. • It's all about reducing attack surface and eliminating risk
• Humans are the weak link in most security systems
• Poor use of IAM is (one of) the biggest security weaknesses
Why do we need IAM best practices?
IAM Best Practices
- 5. Department of Defense data discovered on an AWS server that was left unprotected
"Sensitive government information from an American defense contractor was recently found without password protection on an AWS server. It was free for anyone to access — no password required."
The information was housed in a publicly accessible Amazon S3 cloud storage "bucket."
https://thenextweb.com/security/2017/05/31/department-defense-data-discovered-unprotected-amazon-server/
Timely Real-World Example
- 9. Use Federated Access from Outside of AWS
Use the same identity management system you use for everything else in your organization.
https://aws.amazon.com/iam/details/manage-federation/
Best Practice #1
- 10. Use IAM roles, not IAM users with long-lived access keys
Long-lived IAM access keys are just waiting to be leaked; a role hands out temporary credentials that expire on their own
Examples:
Cross-account roles, instance roles, etc.…
When using IAM cross-account roles, don't forget about the confused deputy problem: require an sts:ExternalId condition in the role's trust policy, so a third party that assumes your role cannot be tricked into doing so on someone else's behalf
https://en.wikipedia.org/wiki/Confused_deputy_problem
Best Practice #2
- 11. Rotate all IAM access keys and secret access keys on a regular basis
Set a policy for how often
Policy can vary based on situation
Expect it to be harder than it sounds: every place a key is embedded has to be found and switched over before the old key is deactivated. IAM allows two active keys per user for exactly this reason: create the new key, move consumers to it, deactivate the old one, confirm nothing broke, then delete it
https://aws.amazon.com/blogs/security/how-to-rotate-access-keys-for-iam-users/
Best Practice #3
- 12. Don't leak your AWS access keys
Pushing Access Keys to GitHub is a common accident
What to Do If You Inadvertently Expose an AWS Access Key
https://aws.amazon.com/blogs/security/what-to-do-if-you-inadvertently-expose-an-aws-access-key/
https://wptavern.com/ryan-hellyers-aws-nightmare-leaked-access-keys-result-in-a-6000-bill-overnight
Best Practice #4
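A way to catch the GitHub accident before it happens, as an added example (not code from the slides): a scanner that can run as a pre-commit hook or CI step and fails the commit when a file contains an AWS access key. The two staged files are constructed; the credentials in them are the placeholder pair used throughout AWS documentation (AKIAIOSFODNN7EXAMPLE and wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY), not live keys.

```python
"""Scan files for AWS access keys before they reach a public repository.

Added example, not code from the slides. The staged file contents below are
constructed; the credentials are the AWS documentation placeholders.
"""
import re

# Long-term access key IDs are 20 characters: "AKIA" followed by 16 uppercase
# letters or digits. Temporary (STS) key IDs start with "ASIA"; they expire, but
# still should not be committed, so both prefixes are flagged.
ACCESS_KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")

# A secret access key is 40 characters of [A-Za-z0-9/+]. On its own that shape also
# matches SHA-1 hashes and random tokens, so only flag it when it is assigned to a
# key-like name on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_secret_access_key|secret_access_key|secret_key|secretaccesskey)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)


def scan_text(text, filename="<stdin>"):
    """Return (filename, line_no, kind, value) for every key-like token found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in ACCESS_KEY_ID_RE.finditer(line):
            # Key IDs are not secret by themselves, so they are reported in full.
            findings.append((filename, line_no, "access_key_id", match.group(0)))
        for match in SECRET_KEY_RE.finditer(line):
            # Secrets are redacted so the hook's own output cannot leak them into CI logs.
            secret = match.group(1)
            findings.append((filename, line_no, "secret_access_key", secret[:4] + "..." + secret[-4:]))
    return findings


def scan_files(files):
    """files: mapping of path -> text content (e.g. the staged blobs of a commit)."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


# Constructed staged files: one leaks a key pair, the other only has look-alike strings.
STAGED_FILES = {
    "config/settings.py": (
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        'AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
    ),
    "README.md": (
        "Built from commit 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b.\n"
        "Set AWS_SECRET_ACCESS_KEY in the environment, never in this repo.\n"
    ),
}

if __name__ == "__main__":
    hits = scan_files(STAGED_FILES)
    for hit in hits:
        print("%s:%d: %s %s" % hit)
    raise SystemExit(1 if hits else 0)  # non-zero exit status blocks the commit
```

The 40-character commit hash and the bare mention of AWS_SECRET_ACCESS_KEY in README.md are deliberately left alone: a hook that fires on every SHA-1 or on documentation gets disabled within a week, which is worse than no hook.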
- 13. Delete Stale or Unused Access Keys
If an IAM access key is not being used, delete it
Root access keys are a special case: the root user should not have access keys at all, so delete them outright rather than waiting for them to age out
Create a policy around aging of stale or unused keys
90 days? 365 days?
Use the credential report (aws iam generate-credential-report, then aws iam get-credential-report) to see when each key was last used and last rotated
Best Practice #5
- 14. Set IAM Password Policies
Set per AWS account; the policy is not inherited across accounts
Nine Password Policy Options:
• Minimum password length
• Require at least one uppercase letter
• Require at least one lowercase letter
• Require at least one number
• Require at least one nonalphanumeric character
• Allow users to change their own password
• Enable password expiration
• Prevent password reuse
• Password expiration requires administrator reset
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
Best Practice #6
- 15. Do not grant permissions to IAM users directly; grant them to IAM groups and assign users to groups
Managing permissions user by user is complex and drifts over time
Control permissions on groups
Assign users to groups
Best Practice #7
- 16. Find unused IAM accounts
Attack surface that doesn't need to be there
User left the organization? Is a default password still on the account?
Set your organizational policy on how long counts as unused or stale
Best Practice #8
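Best Practices #3, #5 and #8 all come down to reading the IAM credential report, so here is one added example that covers them together (not code from the slides or from CloudCheckr). It parses the CSV the report returns and flags root access keys, keys past the rotation age, keys and console passwords not used for a configurable number of days. The report text and the users in it are constructed; the column names are the real report's, with the trailing cert_* columns omitted. It needs Python 3.7 or later for datetime.fromisoformat.

```python
"""Find stale keys, overdue rotations and unused console users in an IAM credential report.

Added example, not code from the slides or from CloudCheckr. SAMPLE_REPORT is a
constructed stand-in for `aws iam get-credential-report` output after base64 decoding.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::123456789012:root,2015-03-01T10:00:00+00:00,not_supported,2017-07-20T09:12:00+00:00,not_supported,not_supported,true,true,2015-03-01T10:05:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2016-01-10T10:00:00+00:00,true,2017-07-25T14:00:00+00:00,2017-05-01T10:00:00+00:00,2017-07-30T10:00:00+00:00,true,true,2017-06-15T10:00:00+00:00,2017-07-25T14:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2015-09-01T10:00:00+00:00,true,2016-12-01T08:00:00+00:00,2016-11-01T10:00:00+00:00,2017-01-30T10:00:00+00:00,false,true,2016-06-01T10:00:00+00:00,2017-01-15T08:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2017-07-20T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2017-07-20T10:01:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
"""

# "Now" is pinned to the talk's date so the sample is reproducible.
NOW = datetime(2017, 7, 26, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report cells hold ISO-8601 timestamps or the markers N/A, no_information, not_supported."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def analyze_credential_report(report_csv, now=NOW, max_key_age_days=90, stale_days=90):
    """Return (user, finding) tuples, in report order."""
    findings = []
    stale = timedelta(days=stale_days)
    max_age = timedelta(days=max_key_age_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        # Best Practice #5: the root user should have no access keys at all.
        if user == "<root_account>":
            for n in ("1", "2"):
                if row["access_key_%s_active" % n] == "true":
                    findings.append((user, "root access key %s is active; delete it" % n))
            continue
        # Best Practice #8: console user who has not signed in for stale_days (or ever).
        if row["password_enabled"] == "true":
            last_login = _parse_ts(row["password_last_used"]) or _parse_ts(row["user_creation_time"])
            if now - last_login > stale:
                findings.append((user, "console password unused since %s" % last_login.date()))
        for n in ("1", "2"):
            if row["access_key_%s_active" % n] != "true":
                continue
            rotated = _parse_ts(row["access_key_%s_last_rotated" % n])
            # A key that has never been used counts from its creation (= last rotation) date.
            last_used = _parse_ts(row["access_key_%s_last_used_date" % n]) or rotated
            if now - last_used > stale:
                # Best Practice #5: unused key, remove it rather than rotate it.
                findings.append((user, "access key %s unused since %s; delete it" % (n, last_used.date())))
            elif now - rotated > max_age:
                # Best Practice #3: in use, but older than the rotation policy allows.
                findings.append((user, "access key %s last rotated %s; rotate it" % (n, rotated.date())))
    return findings


if __name__ == "__main__":
    for user, finding in analyze_credential_report(SAMPLE_REPORT):
        print("%-15s %s" % (user, finding))
```

To run it against a real account: `aws iam generate-credential-report` starts generation, then `aws iam get-credential-report --query Content --output text | base64 --decode` yields the CSV to feed to analyze_credential_report. On the sample, alice is clean, svc-deploy's six-day-old never-used key is left alone until the stale window passes, and bob (who evidently left) produces both an unused-password and an unused-key finding.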
- 17. Find accounts with permissions they don't actually need
Principle of least privilege
Use the Access Advisor tab on a user, group, role or policy to see which services the granted permissions were actually used for, and when
Revoke what isn't used
Best Practice #9
- 18. Monitor All IAM Activity
AWS CloudTrail records each time the AWS API is called
• Currently supports most AWS services
• You have to enable it in every account; a single trail can be configured to cover all regions
Conveniently everything in AWS goes through the API
• Even actions in the AWS Management Console go through the API
CloudTrail writes files into an Amazon S3 bucket
• Near real-time (delivered in batches every few minutes, not per call)
• Files are gzip-compressed JSON
Best Practice #10
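What "monitor all IAM activity" looks like once the files land in S3, as an added example (not code from the slides or from CloudCheckr): a detector that reads one CloudTrail log object in the format described above (a gzip-compressed JSON document with a top-level "Records" list) and raises alerts for root-credential use, for IAM write calls, and for policies attached directly to a user instead of a group. The four records are constructed; the account ID, user names and IP address are made up, and the list of events treated as IAM writes is a starting point, not an exhaustive one.

```python
"""Flag IAM-sensitive activity in a CloudTrail log file.

Added example, not code from the slides or from CloudCheckr. The records in
SAMPLE_FILE are constructed.
"""
import gzip
import json

# IAM write calls worth an alert on every occurrence (extend to taste).
IAM_WRITE_EVENTS = {
    "CreateUser", "DeleteUser", "CreateLoginProfile", "CreateAccessKey", "UpdateAccessKey",
    "AttachUserPolicy", "PutUserPolicy", "AttachGroupPolicy", "PutGroupPolicy",
    "AttachRolePolicy", "PutRolePolicy", "UpdateAssumeRolePolicy", "AddUserToGroup",
    "CreatePolicyVersion", "SetDefaultPolicyVersion",
    "UpdateAccountPasswordPolicy", "DeleteAccountPasswordPolicy",
}
# Direct grants to a user bypass the group model of Best Practice #7.
USER_DIRECT_GRANTS = {"AttachUserPolicy", "PutUserPolicy"}


def parse_trail_file(data):
    """data: the raw bytes of one CloudTrail .json.gz object as fetched from S3."""
    return json.loads(gzip.decompress(data).decode("utf-8"))["Records"]


def _actor(record):
    identity = record.get("userIdentity", {})
    return identity.get("arn") or identity.get("principalId") or identity.get("type", "unknown")


def detect_iam_events(records):
    """Return (severity, eventName, actor, detail) tuples, one per alert, in log order."""
    alerts = []
    for record in records:
        name = record.get("eventName", "")
        actor = _actor(record)
        if record.get("userIdentity", {}).get("type") == "Root":
            # Any API call with root credentials is worth a look, whatever the service.
            alerts.append(("HIGH", name, actor, "root credentials used for an API call"))
        if record.get("eventSource") == "iam.amazonaws.com" and name in IAM_WRITE_EVENTS:
            params = record.get("requestParameters") or {}
            if record.get("errorCode"):
                # A denied IAM change is still interesting: someone is probing their limits.
                alerts.append(("MEDIUM", name, actor, "denied: " + record["errorCode"]))
            elif name in USER_DIRECT_GRANTS:
                alerts.append(("HIGH", name, actor,
                               "policy granted directly to user %s" % params.get("userName")))
            else:
                alerts.append(("MEDIUM", name, actor,
                               "IAM change from %s" % record.get("sourceIPAddress")))
    return alerts


def _record(**fields):
    """Build a minimal CloudTrail record around the fields that vary between samples."""
    base = {"eventVersion": "1.05", "awsRegion": "us-east-1", "eventType": "AwsApiCall",
            "userAgent": "aws-cli/1.11.0", "sourceIPAddress": "203.0.113.10"}
    base.update(fields)
    return base


ALICE = {"type": "IAMUser", "accountId": "123456789012", "userName": "alice",
         "arn": "arn:aws:iam::123456789012:user/alice"}
ROOT = {"type": "Root", "accountId": "123456789012", "arn": "arn:aws:iam::123456789012:root"}

# Constructed log object: what one .json.gz file from the trail's S3 bucket looks like.
SAMPLE_FILE = gzip.compress(json.dumps({"Records": [
    _record(eventTime="2017-07-26T12:00:01Z", eventSource="iam.amazonaws.com", eventName="CreateAccessKey",
            userIdentity=ALICE, requestParameters={"userName": "bob"}),
    _record(eventTime="2017-07-26T12:00:05Z", eventSource="s3.amazonaws.com", eventName="ListBuckets",
            userIdentity=ROOT, requestParameters=None),
    _record(eventTime="2017-07-26T12:00:09Z", eventSource="iam.amazonaws.com", eventName="AttachUserPolicy",
            userIdentity=ALICE,
            requestParameters={"userName": "bob", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _record(eventTime="2017-07-26T12:00:12Z", eventSource="iam.amazonaws.com", eventName="GetUser",
            userIdentity=ALICE, requestParameters={"userName": "bob"}),
]}).encode("utf-8"))

if __name__ == "__main__":
    for alert in detect_iam_events(parse_trail_file(SAMPLE_FILE)):
        print("%-6s %-18s %s  %s" % alert)
```

The read-only GetUser call produces nothing; the same detector wired to an S3 event notification on the trail bucket gives you alerting within the delivery delay described above, with no polling.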
- 19. • Leveraging AWS data – AWS CloudTrail, AWS Config, Amazon VPC Flow Logs, CloudWatch logs, DBR, and more metrics
• Providing complete transparency – into 1 or across 1000s of AWS accounts
• Automating security, configuration, and activity monitoring and alerting
• Continuous monitoring of configurations, resources and permissions
• Active optimization, sophisticated allocation, and simplified invoicing for enterprise cloud cost management
Monitoring, Reporting, & Optimization
Enterprise Security & Cost Management from CloudCheckr
- 20. Security & Compliance
Cost Management
Utilization & Performance
Availability
DevOps
Platform
Services
Infrastructure
450+ Best Practice Checks