Following sound business practices is vital if a company wants a consistent approach to how it operates, and this matters as much for a small organization as for a large one. When AWS Identity and Access Management (IAM) best practices aren't followed, an organization can struggle with everyday tasks because everything becomes an exception rather than the rule.
A client of ours in the team collaboration applications space learned this the hard way when one of their IT managers left the organization under less-than-ideal circumstances. During a subsequent investigation, the client discovered that multiple AWS accounts and logins had been created to house production data and development processes critical to the organization's ability to function. Unfortunately, the privileges and permissions over those resources lived in the AWS account of the employee who had left.
AWS Identity and Access Management Best Practices
When ClearScale was engaged by this client, we immediately started creating individual and group accounts with privileges based on the tasks each department performed. We followed AWS Identity and Access Management (IAM) best practices closely to address the immediate concern that the former employee might hold vital company data hostage. While reviewing the various user accounts, it became clear that more than an account consolidation was needed: many of the tools and processes the client used could also be streamlined to improve AWS security and make their deployments more efficient.
As an AWS Premier Consulting Partner, ClearScale began by creating a new AWS account to serve as the umbrella account, identified the databases and other resources in place under the other company-owned AWS accounts, and migrated them to it. Before migrating anything, we worked with the client to properly set up the IAM users, roles, groups, policies, privileges, and monitoring features that would govern the new account going forward.
Once the new account had been set up and DNS migrated to it, the databases, files, and processes were prepared and transferred over. After deploying them into a secured Virtual Private Cloud, we tested extensively to confirm that the transfer had occurred as expected and that everything would continue to operate in the new environment with minimal impact to the business. At the same time, we implemented stronger authentication and authorization controls in IAM.
ClearScale recommends that anyone using AWS as part of their daily operations adhere to these IAM best practices:
- Immediately remove former employee AWS credentials
- Don't use the root user's credentials for day-to-day access to AWS
- Lock away the root user's access keys, or better, delete them; the root user should have MFA enabled and be used only for the few tasks that require it
- Create individual IAM users
- Set up activity monitoring
- Use IAM roles to delegate permissions instead of sharing long-lived credentials between users or systems
- Create groups (development, admin, etc.) and assign users to them
- Grant privileges for specific tasks only
- Enforce a strong password policy and require passwords to be changed regularly
- Enable multi-factor authentication for privileged users
- Use policy conditions for extra security, for example denying actions unless the request is authenticated with MFA (aws:MultiFactorAuthPresent) or comes from an expected source IP range (aws:SourceIp)
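Several items in this list can be checked mechanically from the account's IAM credential report (generated with `aws iam generate-credential-report` and fetched, base64-encoded, with `aws iam get-credential-report`). The script below is an added example, not ClearScale's code or anything from the original post: it runs offline against a constructed sample report whose header row follows the real report's column layout but whose account ID, user names and timestamps are invented. The `former_employees` parameter and the fixed `NOW` reference time are assumptions for the demo; against a real report you would pass the offboarding list from HR and use the current time.

```python
"""Audit an IAM credential report against the IAM hygiene list above.

Added example (not ClearScale's code). Flags: root access keys, root without
MFA, recent root sign-ins, former employees who still have a user, console
users without MFA, stale passwords, unrotated or unused access keys, and
programmatic-only users that would be better served by an IAM role.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Fixed reference time so the example is deterministic (assumption for the
# demo; use datetime.now(timezone.utc) against a real report).
NOW = datetime(2024, 3, 12, tzinfo=timezone.utc)

# Constructed sample report. The header row is the real credential-report
# layout; the account ID, users and timestamps below are invented.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-10T09:00:00+00:00,not_supported,2024-03-01T08:12:00+00:00,not_supported,not_supported,false,true,2020-01-10T09:05:00+00:00,2024-02-28T10:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-05-02T12:00:00+00:00,true,2024-03-10T07:30:00+00:00,2024-01-20T00:00:00+00:00,2024-04-19T00:00:00+00:00,true,true,2024-02-01T00:00:00+00:00,2024-03-09T00:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2019-11-20T12:00:00+00:00,true,2023-06-15T00:00:00+00:00,2022-01-05T00:00:00+00:00,2022-04-05T00:00:00+00:00,false,true,2021-03-03T00:00:00+00:00,2023-06-14T00:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-02-02T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2024-01-15T00:00:00+00:00,2024-03-11T00:00:00+00:00,us-east-1,ecs,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Placeholder values the report uses where no timestamp applies.
_NO_VALUE = {"N/A", "no_information", "not_supported", ""}


def parse_time(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in _NO_VALUE:
        return None
    return datetime.fromisoformat(value)


def older_than(value, days, now):
    """True if the timestamp is missing or more than `days` old."""
    ts = parse_time(value)
    return ts is None or now - ts > timedelta(days=days)


def audit(report_csv, former_employees=(), now=NOW, max_age_days=90, inactive_days=90):
    """Check a credential report; returns {user: [finding, ...]} for users with findings."""
    findings = defaultdict(list)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # Root user: no access keys at all, MFA on, and not used day to day.
            for k in ("1", "2"):
                if row[f"access_key_{k}_active"] == "true":
                    findings[user].append(f"root access key {k} is active: delete it")
            if row["mfa_active"] != "true":
                findings[user].append("root user has no MFA")
            if not older_than(row["password_last_used"], inactive_days, now):
                findings[user].append(
                    f"root user signed in within the last {inactive_days} days: use IAM users/roles instead")
            continue
        if user in former_employees:
            findings[user].append("former employee: remove credentials and delete the user")
        if row["password_enabled"] == "true":
            if row["mfa_active"] != "true":
                findings[user].append("console password without MFA")
            if older_than(row["password_last_changed"], max_age_days, now):
                findings[user].append(f"password older than {max_age_days} days")
        elif any(row[f"access_key_{k}_active"] == "true" for k in ("1", "2")):
            # No console password but a live key: a service identity that an
            # IAM role (temporary credentials) would serve better than a long-lived key.
            findings[user].append("programmatic-only user with long-lived key: prefer an IAM role")
        for k in ("1", "2"):
            if row[f"access_key_{k}_active"] != "true":
                continue
            if older_than(row[f"access_key_{k}_last_rotated"], max_age_days, now):
                findings[user].append(f"access key {k} not rotated in {max_age_days} days")
            if older_than(row[f"access_key_{k}_last_used_date"], inactive_days, now):
                findings[user].append(f"access key {k} unused for {inactive_days} days: deactivate it")
    return dict(findings)


if __name__ == "__main__":
    # "bob" is the departed IT manager in this constructed scenario.
    for user, issues in audit(SAMPLE_REPORT, former_employees={"bob"}).items():
        for issue in issues:
            print(f"{user}: {issue}")
```

In the sample, `alice` comes back clean, the root user is flagged three times (live access key, no MFA, recent sign-in), `bob` collects the former-employee, MFA, stale-password and stale-key findings, and `deploy-bot` is only advised to move to a role. The 90-day thresholds are the report's usual defaults for this kind of check; tighten them to match the password policy you actually enforce.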
Maintaining business continuity, whatever the cause of a disruption, is the foundation of any successful business. Our client not only departed from AWS identity and access management best practices by allowing a single individual to retain control over vital system processes; they put themselves further at risk by having no effective disaster recovery plan.
ClearScale encourages organizations to remove this risk to their operations by not sharing root credentials with employees and not using the root user to access resources. Distributing knowledge of and access to key systems across multiple groups or teams inside the company, and granting only the access needed to perform specific tasks, is a smarter and safer approach.
Instituting a solid identity and access management plan is necessary, and it ensures that even if team members leave, your business operations are not impacted.
AWS IAM Resources
- Recommended best practices for AWS Identity and Access Management (IAM)
- AWS IAM best practices video presentation
Disaster Recovery Plan
ClearScale also set up a roll-back, or AWS disaster recovery, plan using a hot-standby environment in a second Availability Zone in the same region (a standby sharing the primary's zone would share its failure modes). Should anything happen to the client's active databases in the AWS Cloud, the disaster recovery process fails over to the hot standby with minimal disruption.
Solution Architecture Design
Once these key access management pieces were in place, we reviewed the client's solution architecture for further improvements. ClearScale used AWS CloudFormation to automate the infrastructure deployment, specifically the Virtual Private Cloud (VPC), an isolated network environment. We used AWS Elastic Beanstalk to automate their web application deployments, Amazon CloudWatch to schedule the MongoDB backups, and CloudFront to distribute the static web content. We then tested the new implementation end to end, from the transferred data to the new automated deployment pipeline, and worked closely with the client on a plan to cut over to the new solution without negatively impacting their daily operations.
Each client we work with has unique challenges that feel insurmountable before they come to us. Because ClearScale has extensive experience across a variety of AWS services and cloud solutions, we always have ideas on how to bring that experience to bear on your organization's immediate problems. Whether building solutions and processes to address challenges your company already faces, or designing and implementing a brand new solution to meet your growing business needs, ClearScale is dedicated to addressing every one of our clients' needs.