IAM Best Practices for Cloud

  1. IAM is first line of defence: Identity and Access management is your first line of defence to secure your cloud. Keep your cloud resources private or provide restricted access on need basis and for limited duration.
  2. Delete root account keys: Root account user has access to all cloud resources by default, delete keys for root account so they cannot be used, knowingly or unknowingly. Create IAM identities such as users and roles for carrying out work in your cloud account instead of using root user credentials.
  3. Do not share credentials: Cloud provide multiple ways for your users to interact with resources, so you would never have a requirement to share credentials. Create individual users for all access requirement with necessary credentials and never share credentials with other users.
  4. Use managed policies: Cloud platforms provide comprehensive sets of managed policies that cover access requirement for the most common scenarios along with policies for the job functions as well. AWS also provides you policies aligned with job functions. These managed policies are updated as and when required so you don’t have to worry about your policies getting outdated when new services or functionalities are introduced for a cloud platform.
  5. Use groups to manage users: Groups are an excellent way to manage permissions for your users and individual IAM users as well. Always add users to groups and assign policies directly to groups instead of assigning permissions to individual IAM users. Whenever there is a movement required for an individual user, you can simply move them to appropriate group.
  6. Follow least privilege principle: Whenever you grant permissions, follow standard security advice of Least Privilege, that is, if a user does not need to interact with a resource or a service, do not grant access to that resource. Use IAM Access Advisor feature periodically to verify if all permissions assigned to a user are used frequently. If you find that a permission is used rarely or not used at all, revoke it after confirming it is not required to carry on regular tasks by your IAM user.
  7. Review IAM permissions: Review permissions assigned for each IAM user periodically. Check their access levels for all resources they can interact with. Access level for a policy is categorized as list, read, write, and permissions Management.
  8. Enforce strong passwords: Configure your account password policy to enforce strong passwords for all your users, including periodic password rotation, avoiding reuse of old passwords, minimum length, using alphanumeric characters etc.
  9. Enable Multi Factor Authentication (MFA): Enable MFA for all IAM users. This will provide an additional layer of security for your cloud resources in case credentials are compromised for these users.
  10. Use roles for applications running on servers: For all the applications that run on servers on cloud, use roles for providing access to other cloud services. Roles are managed by cloud platforms and credentials for roles are rotated multiple times in a day.
  11. Use roles for delegation: Whenever you have a requirement for delegation such as allowing cross account access, use roles instead of sharing credentials. In general, it is recommended to use roles instead of using individual IAM users.
  12. Rotate credentials: Ensure that all credentials in your cloud account are rotated periodically. These credentials include passwords, access keys, key pairs, and so on. This will ensure that you will limit the abuse of your compromised credentials. If you find that credentials are not required for a user, remove them.
  13. Use policy condition: For all the policies that allow access, use policy condition element as much as possible. For example: if you know all the IP address that should be accessing your cloud resource, add them to the policy condition. Similarly, if you know that you want to allow access only for a limited duration, like for 4 hours, add that duration to policy condition. For high privilege actions, require MFA by adding it to policy condition.
  14. Monitor account activity: Monitor all activities in your cloud account such as how many requests were made? how many were allowed and how many were denied. Also monitor what actions were performed on your cloud resources and by whom. You can identify suspicious activity from account activity logs and take the necessary actions based on your analysis.