The AWS Approach to Identity and Access Management (IAM)
Mar 22, 2022
Security remains one of the biggest challenges ─ and concerns ─ in application development, as well as in data management and the use of cloud services. One way of alleviating both is through the use of identity access and management (IAM).
IAM is the discipline that enables the right individuals to access the right resources at the right times for the right reasons. The idea is that you restrict access to data, applications, and other IT resources to only the people who need them. And only to the specific elements they absolutely need. That way you can better protect your IT assets.
There are many IAM best practices that provide recommendations for what to do, and how. These include the use of multi-factor authentication and the enforcement of a strong password policy. These general tips will usually work fine regardless of the cloud service you use. To ensure optimal security in the AWS Cloud, however, AWS offers its own IAM service and resources.
AWS IAM
AWS IAM is one of the many Security, Identity, and Compliance services AWS offers for securing workloads and applications in the AWS Cloud. The free cloud service, offered as part of your AWS account, provides a highly granular approach for providing permissions and access control within your AWS environments. (AWS Security Token Service is another security service offered free with your AWS account.) You’re only charged only when you access other AWS services using your IAM users’ security credentials.
Specifically, AWS IAM enables you to control who can access your organization’s AWS services and resources and under what conditions. By default, access is denied. It’s only granted when permissions specify “Allow.”
Note: Not all AWS services support all IAM features. See AWS services that work with IAM.
The AWS IAM Process
AWS’s IAM process starts with a person or an application called a principal. Every principal has credentials under an AWS root account and must be signed into AWS to make requests.
A principal makes a request or takes an action involving an AWS resource. Every request includes details such as the resources involved, any policies related to the principal, and information like IP addresses and time codes.
AWS checks the principal’s authentication. It then compares the associated policies with the request to determine whether it has permission to perform the requested action on the resource. If there are multiple associated with a principal, they all must allow the request or it will be denied.
It gets processed once the request is authorized. This usually means performing a desired action with a specified resource, such as getting data from a storage instance.
User Access Control Features
While AWS IAM entails numerous components and processes, the following are some of its main features for controlling user access:
- The use of permissions for fine-grained access control. This enables you to attach a policy that specifies the type of access, the actions that can be performed, and the resources on which the actions can be performed. You can grant different permissions to different people for different resources.
- The use of IAM roles allows you to provide temporary access to users or services that normally don’t have access to your AWS resources.
- The IAM Access Analyzer is a feature that helps you find potential security risks in your AWS cloud environment by analyzing the resource-based policies associated with the cloud resources within your “zone of trust” (your account or organization).
- AWS Organizations is an AWS account management service that lets you use service control policies (SCPs) to apply permission guardrails at the AWS organization, organizational unit, or account level. The guardrails apply to all users and roles within the covered accounts, but you still must attach identity-based or resource-based policies to principals or resources in your AWS accounts to grant permissions.
- Attribute-based access control (ABAC) is an authorization strategy for creating fine-grained permissions based on user attributes, such as department or job role. This helps reduce the number of distinct permissions required to create fine-grained controls in your AWS account.
- Multi-factor authentication (MFA) requires you or your users to provide not only a password or access key to work with your account but also a code from a specially configured device.
- Identity information for assurance, which applies if you use AWS CloudTrail. You can receive log records that include information about those who made requests for resources in your account based on IAM identities.
AWS IAM also supports the processing, storage, and transmission of credit card data by a merchant or service provider. And it’s compliant with Payment Card Industry (PCI) Data Security Standard (DSS).
AWS IAM Best Practices
Both AWS and ClearScale recommend several IAM best practices. Some are specific to AWS resources, but many are simply smart security measures. Among them:
- Never use or share root credentials under any circumstances, even for administrative activities.
- Use the principle of least privilege, giving users only the minimum access rights to do their job, and no more.
- Apply conditions to IAM policies that place additional stipulations on resource access. This adds another layer of security for sensitive requests.
- Apply IAM policies to groups rather than individuals whenever possible. It causes fewer oversights that can compromise security. It also makes it easier to move users as their jobs change.
- Use MFA for better security and require an additional credential based on a physical item that the user possesses.
- Implement a custom password policy that can force stronger password selection. This entails longer strings with mixes of case, numerals, and symbols. And require regular password changes.
- Use unique access keys and encrypt all keys embedded in an application. And never use the same key for more than one application.
- Locate and remove outdated IAM credentials.
- Review and update IAM permissions and policies on a regular basis. This helps ensure that your organization’s security posture meets business and compliance demands.
- Monitor your AWS account by taking advantage of logging features in AWS services, such as AWS Config, Amazon CloudFront, AWS CloudTrail, Amazon CloudWatch, and Amazon Simple Storage Service.
The ClearScale Approach
Regardless of the project or assignment, security is always a priority at ClearScale. Our team follows the latest IT security best practices put forth by AWS ─ including for IAM. And we have extensive experience implementing the full spectrum of AWS security services. That includes AWS Cognito, AWS IAM, AWS Config, AWS GuardDuty, AWS Security Hub, AWS Firewall Manager, AWS Inspector, and many others.
ClearScale also provides security assessments, SecOps, and 24/7 monitoring through managed services to ensure all IT assets remain available and secure. Our team also helps organizations comply with PCI-DSS, HIPAA, ISO 27000, SOC reports, FedRAMP, and other regulatory requirements.
To learn about some of the specific work we’ve done using AWS cloud security services, view our case studies.
Then find out how ClearScale can help you leverage AWS services like IAM to ensure the security of your cloud environment and applications. Contact us today:
Call us at 1-800-591-0442
Send us an email at sales@clearscale.com
Fill out a Contact Form
Read our Customer Case Studies