
7 AWS Access Management Basics: A Refresher

Storing data in the cloud is much safer than storing it locally, but it has to be done right. The wrong settings can leave your data exposed, and without any notice to you, your stored information becomes available to the world.

As one of the leaders in the cloud storage space, Amazon Web Services holds data for thousands of organizations, so a misconfiguration there can potentially leak a great deal of sensitive information.

To help with this, AWS also provides extensive documentation on its best practices for Identity and Access Management (IAM). These resources help your employees access the troves of data they work with as safely as possible.

There’s a delicate balance between keeping your data safe and keeping it available to the people who need it. To give you and your team a refresher, here are seven crucial access management pointers.

Use the “Least Privilege for Access” Rule

It’s common for administrators to take the easy route and grant a long list of privileges to a user, resulting in access to everything. That user has more privileges than they should have — and access to resources that don’t involve their job.

Not everyone on your team needs blanket access permissions to every resource. For instance, your DevOps team likely doesn’t need full access and editing privileges on your marketing team’s campaign schedule. Instead, grant only the privileges each user needs to do their job.

Organize Users into Groups

When you’ve got hundreds of users to manage, granting permissions user by user is time-consuming and very disruptive to your workflow. Plus, you’ll have to track each user’s permissions as people move into different roles in the organization.

You can avoid getting sucked into disarray by creating user groups. Users with similar permission requirements go into the same group. When HR onboards a new user, place the new account into a user group and you’ve taken care of the needed permissions in one workflow step, rather than the 10-12 steps needed to grant the permissions one by one.

Create Unique IAM Users

Like any main administrator account, the AWS root user should be accessible only to a limited number of trusted people. Others can have high-level access, but it must be done with a separate user group and accounts assigned the right permissions. Because root access can’t be removed, you must change the root password whenever someone who knows it leaves the organization.

Changing a company-wide password can lock many team members out of resources they need. But you can limit how often you have to change it if only a few people have the root password.

Enforce a Strong Password Policy

Without a password policy, users can make their password “password” and put their account at risk. By gaining access to a company account, an attacker can steal data within minutes. Even with the right intrusion detection systems in place, those systems won’t flag an intruder who is signing in with a legitimate user account.

Some red flags might alert administrators, but by the time the account is quarantined and the data locked down, the attacker can run off with sensitive information, leaving your company exposed to leaks and legal repercussions. With a strong password policy, you can eliminate poor passwords for accounts that have access to your AWS resources.

Passwords should be at least six characters (some organizations prefer eight-character passwords) and require upper and lowercase letters, numbers, and special characters. Along with creating requirements for password length and complexity, you should also mandate password changes every few months.
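As an added example (not from the article or from AWS), the check below audits an account password policy in the shape that IAM’s GetAccountPasswordPolicy call returns (its `PasswordPolicy` member) against the requirements just listed. The two sample policies are constructed, and the thresholds (an eight-character minimum, a 90-day maximum age) are this example’s assumptions; the article itself only says six characters minimum and rotation every few months.

```python
# Constructed sample policies in the layout of IAM's GetAccountPasswordPolicy response.
# The weak one is what you often find in a default-ish account; the strong one meets
# the article's requirements plus reuse prevention.
WEAK_POLICY = {
    "MinimumPasswordLength": 6,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

STRONG_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}

COMPLEXITY_KEYS = (
    ("RequireUppercaseCharacters", "uppercase letters"),
    ("RequireLowercaseCharacters", "lowercase letters"),
    ("RequireNumbers", "numbers"),
    ("RequireSymbols", "special characters"),
)


def audit_password_policy(policy, min_length=8, max_age_days=90):
    """Return a list of human-readable findings; an empty list means the policy passes.

    `policy` is the PasswordPolicy dict, or None when the account has never set one
    (IAM raises NoSuchEntity in that case and its defaults apply).
    min_length and max_age_days are this example's assumed thresholds.
    """
    if policy is None:
        return ["no account password policy is set; IAM defaults apply"]

    findings = []
    length = policy.get("MinimumPasswordLength", 0)
    if length < min_length:
        findings.append(f"minimum length {length} is below {min_length}")

    for key, label in COMPLEXITY_KEYS:
        if not policy.get(key, False):
            findings.append(f"passwords are not required to contain {label}")

    # MaxPasswordAge is only present when expiry is enabled.
    max_age = policy.get("MaxPasswordAge")
    if max_age is None:
        findings.append("passwords never expire (MaxPasswordAge not set)")
    elif max_age > max_age_days:
        findings.append(f"passwords may live {max_age} days, longer than {max_age_days}")

    if policy.get("PasswordReusePrevention", 0) < 1:
        findings.append("previous passwords may be reused")
    return findings


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(name, audit_password_policy(pol))
```

Run against the weak policy this reports five findings (length, missing uppercase and symbol requirements, no expiry, no reuse prevention); the strong policy reports none. The same function can be pointed at a live account by feeding it the `PasswordPolicy` member of the real API response.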

Enable Multi-factor Authentication

Organizations should assume that some of their cloud service user credentials are already compromised, as employees tend to reuse passwords across services. Enabling multi-factor authentication (MFA) should be a requirement for your team — not just for AWS but for any cloud service your team uses. This lets you apply extra security measures to your more privileged users. Examples of additional factors include token authentication, where a single-use code is generated on a trusted device such as a cell phone, and biometric authentication, which uses a fingerprint scanner or facial recognition software to verify a user’s identity.

Configure AWS with a single sign-on provider such as Okta, Ping Identity, or Azure Active Directory to ease the friction of MFA. This will standardize authentication factors across all the applications your team is using.

Review Your IAM Policy and Permissions

It’s important to regularly review your organization’s AWS IAM policies to ensure they grant only the least privilege needed. The policy summary is a great place to start an audit of all the IAM policies your team follows. AWS provides four levels of access for each of its services: List, Read, Write, and Permissions management.

The write and permissions management access levels should be distributed with extreme caution. Write permits users to create, delete, or modify resources. Permissions management allows users to grant or restrict resource permissions for the entire organization and its AWS users. For this reason, permissions management should be granted to as few team members as possible.
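The following added example (not from the article, and not AWS’s own classification) sorts a list of IAM actions into the four access levels named above so that the Write and Permissions management entries stand out during a review. The verb-prefix heuristic and the hand-picked set of permissions-management actions are this example’s assumptions; the authoritative per-action level is published in the AWS Service Authorization Reference, and the policy summary in the console applies it for you.

```python
LEVEL_LIST = "List"
LEVEL_READ = "Read"
LEVEL_WRITE = "Write"
LEVEL_PERMS = "Permissions management"
LEVEL_ALL = "All levels (wildcard)"

# Actions that change who is allowed to do what. Hand-picked for this example
# (an assumption, not a complete list); extend it for the services you use.
PERMISSIONS_MANAGEMENT_ACTIONS = {
    "iam:AttachUserPolicy", "iam:AttachGroupPolicy", "iam:AttachRolePolicy",
    "iam:DetachUserPolicy", "iam:DetachGroupPolicy", "iam:DetachRolePolicy",
    "iam:PutUserPolicy", "iam:PutGroupPolicy", "iam:PutRolePolicy",
    "iam:CreatePolicy", "iam:CreatePolicyVersion", "iam:DeletePolicy",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
    "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl",
    "kms:PutKeyPolicy",
}

# Verb prefixes that only read state. Everything else that is not List or
# permissions management is treated as Write (Create/Delete/Put/Update/...).
READ_PREFIXES = ("Get", "Describe", "BatchGet", "Head")


def classify_action(action):
    """Map one IAM action string (e.g. 's3:GetObject') to an access level."""
    if action == "*":
        return LEVEL_ALL
    if action in PERMISSIONS_MANAGEMENT_ACTIONS:
        return LEVEL_PERMS
    _service, _, name = action.partition(":")
    if name == "*":
        # A whole-service wildcard includes that service's permission-management calls.
        return LEVEL_ALL
    if name.startswith("List"):
        return LEVEL_LIST
    if name.startswith(READ_PREFIXES):
        return LEVEL_READ
    # Unrecognised verbs are assumed to mutate state, which is the safe default
    # for a review: they get looked at rather than waved through.
    return LEVEL_WRITE


def summarize_access(actions):
    """Group actions by level, most sensitive first; levels with no actions are omitted."""
    order = [LEVEL_ALL, LEVEL_PERMS, LEVEL_WRITE, LEVEL_READ, LEVEL_LIST]
    buckets = {level: [] for level in order}
    for action in actions:
        buckets[classify_action(action)].append(action)
    return {level: sorted(acts) for level, acts in buckets.items() if acts}


if __name__ == "__main__":
    # Constructed sample of actions pulled from a policy under review.
    sample = ["s3:ListBucket", "s3:GetObject", "s3:PutObject",
              "iam:AttachUserPolicy", "ec2:DescribeInstances"]
    for level, acts in summarize_access(sample).items():
        print(f"{level}: {', '.join(acts)}")
```

Because the output is ordered most sensitive first, a reviewer sees any wildcard or permissions-management grant at the top of the summary, which is exactly the part of a policy the text says to hand out with the most caution.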

Remove Accounts and Credentials Not in Use

Scrubbing out unused accounts and permissions is also necessary to protect your data. Leaving unused credentials active on AWS resources provides a backdoor for attackers, especially if nobody is checking them.

Anytime a user leaves the organization, your team should deactivate their account. Deleting the account may cause issues with the reassignment of resources. However, deactivating the account allows you to distribute their resources without giving the former employee login access.
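IAM can produce a credential report, a CSV with one row per user that records when each console password and access key was last used and whether MFA is enabled. The added example below (not from the article or from AWS) parses such a report and flags both the problem raised in the MFA section above, a console password without a second factor, and the problem raised here, credentials that are still active but have gone unused. The report rows are constructed in the layout of a real credential report, trimmed to the columns this check reads; the account ID, user names and the 90-day staleness threshold are all this example’s assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (GetCredentialReport),
# trimmed to the columns used below. Account ID, users and timestamps are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2024-03-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-02T12:00:00+00:00,true,2024-05-20T10:15:00+00:00,2024-04-01T10:00:00+00:00,2024-07-01T10:00:00+00:00,true,true,2024-04-01T10:00:00+00:00,2024-05-21T07:30:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-02-14T12:00:00+00:00,true,2023-11-02T16:40:00+00:00,2023-10-01T10:00:00+00:00,2024-01-01T10:00:00+00:00,false,true,2022-06-01T10:00:00+00:00,2023-09-15T11:00:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A
svc-deploy,arn:aws:iam::111122223333:user/svc-deploy,2020-08-20T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2020-08-20T12:00:00+00:00,no_information,N/A,N/A,true,2024-05-01T09:00:00+00:00,2024-05-22T09:00:00+00:00,us-west-2,lambda
"""

# Fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

# Values the report uses when a timestamp is not applicable or unknown.
_NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def _parse_ts(value):
    """Turn a report timestamp into an aware datetime, or None if there is none."""
    if value in _NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, now=NOW, stale_days=90):
    """Return (user, finding) pairs for MFA gaps and stale-but-active credentials."""
    stale_after = timedelta(days=stale_days)
    findings = []

    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        password_enabled = row["password_enabled"] == "true"

        # A console login without MFA: the gap the MFA section warns about.
        if password_enabled and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Console password that nobody has used recently.
        if password_enabled:
            last_used = _parse_ts(row["password_last_used"])
            if last_used is None or now - last_used > stale_after:
                findings.append((user, f"console password unused for more than {stale_days} days"))

        # Each of the two access-key slots: active but idle means it should be deactivated.
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # A key that has never been used has no last_used date; fall back to
            # its creation/rotation date so a brand-new key is not flagged.
            last_used = (_parse_ts(row[f"access_key_{slot}_last_used_date"])
                         or _parse_ts(row[f"access_key_{slot}_last_rotated"]))
            if last_used is None or now - last_used > stale_after:
                findings.append((user, f"access key {slot} active but unused for more than {stale_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the sample, `alice` and the root user come back clean, `bob` is flagged three times (no MFA, an idle password, an idle key) and `svc-deploy` once for a key that has never been used. Following the article’s advice to deactivate rather than delete, the follow-up for a flagged key is to set it inactive (`aws iam update-access-key ... --status Inactive`) and, for a flagged console password, to remove the login profile, which leaves the user and its resource ownership intact.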

All these basic suggestions can increase the security of your AWS resources and protect data in the cloud. AWS is one of the most secure cloud platforms to host your data. But you must be able to control user access from your organization to keep your data completely safe.

