SEC 1: How do you manage credentials and authentication?
Credentials and authentication mechanisms include passwords, tokens, and keys that grant access directly or indirectly in your workload. Protect credentials with appropriate mechanisms to help reduce the risk of accidental or malicious use.
Define identity and access management requirements: Identity and access management configurations need to be defined to meet your organizational, legal, and compliance requirements.
Automate enforcement of access controls: Enforce access controls through automated tools and by reporting irregularities. This helps you maintain your credential management requirements.
Integrate with centralized federation provider: Integrate with a federated identity provider or directory service to authenticate all users in a centralized place. This reduces the requirement for multiple credentials and reduces management complexity.
Enforce password requirements: Enforce policies for minimum length, complexity, and reuse of passwords to help protect against brute force and other password attacks.
Rotate credentials regularly: Rotate credentials regularly to help reduce the risk of old credentials being used by unauthorized systems or users.
Audit credentials periodically: Audit credentials to ensure the defined controls (for example, MFA) are enforced, rotated regularly, and have appropriate access level.
Define credential and authentication management requirements
Define requirements that will help you manage credentials and authentication in your workload.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
- Identify AWS compliance resources: Identify resources that AWS has available to assist.
AWS cloud compliance
- Define credential and authentication policies: Create a policy for minimum password requirements, rotation, auditing, and other controls.
Protect AWS accounts
- Enable MFA for root user
Enable MFA on the AWS account root user
- Configure strong password policy: Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.
Setting an account password policy for IAM users
- Periodically change root user password
Changing the AWS account root user password
- Ensure the recipients of the AWS account email address are trusted and that the address is delivered through a secure distribution list
To edit your AWS user name, password, or email address
- Ensure AWS account alternate contacts are completed with trusted contacts
- Associate the AWS account phone number with trusted contacts
To edit your contact information
- Limit use of AWS root user
The AWS account root user
Use the root user to create initial IAM admin group and one or more users
Use AWS Organizations with IAM role to access member accounts
AWS tasks that require AWS account root user
- Restrict access to newly added regions
Setting permissions to enable accounts for upcoming AWS Regions
- Secure location for physical credentials: Use a secure location such as a safe or lockable box for physical credentials, including MFA tokens.
- Plan alternative access methods: Consider how you would gain access to the account if the credentials or MFA device are lost or unavailable.
What if an MFA device is lost or stops working?
- Enable notification when AWS account root user is used
How to receive notifications when your AWS account's root access keys are used
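The notification item above relies on matching CloudTrail records whose `userIdentity.type` is `Root`. The following added example (not AWS code, and not taken from the linked article) reproduces that matching rule in plain Python so the logic can be checked offline; the event pattern shape and the sample events are constructed here, with documentation IP ranges and the 111122223333 example account ID.

```python
"""Flag AWS account root user activity in CloudTrail records.

Added example for the 'Enable notification when AWS account root user is
used' item: a defender-side check that applies, in plain Python, the kind of
matching rule a root-activity alert uses. The sample records below are
constructed, not real CloudTrail output.
"""

# EventBridge-style pattern (assumption: mirrors the rule shape used for
# root-activity alerting): console sign-ins and API calls by the Root identity.
ROOT_ACTIVITY_PATTERN = {
    "detail-type": ["AWS API Call via CloudTrail", "AWS Console Sign In via CloudTrail"],
    "detail": {"userIdentity": {"type": ["Root"]}},
}


def matches_pattern(event: dict, pattern: dict) -> bool:
    """Minimal pattern matcher: every key in the pattern must exist in the
    event; a list means 'the event value is one of these', a nested dict
    recurses into the corresponding sub-object."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches_pattern(actual, expected):
                return False
        elif actual not in expected:
            return False
    return True


def root_activity(events):
    """Return (eventName, sourceIPAddress, eventTime) for each event that
    matches the root-activity pattern, in input order."""
    hits = []
    for ev in events:
        if matches_pattern(ev, ROOT_ACTIVITY_PATTERN):
            detail = ev["detail"]
            hits.append((detail["eventName"], detail.get("sourceIPAddress"), detail["eventTime"]))
    return hits


# Constructed sample events in the envelope EventBridge delivers: the
# CloudTrail record sits under "detail".
SAMPLE_EVENTS = [
    {
        "detail-type": "AWS Console Sign In via CloudTrail",
        "detail": {
            "eventTime": "2023-01-10T08:01:12Z",
            "eventName": "ConsoleLogin",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "Root", "accountId": "111122223333"},
        },
    },
    {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventTime": "2023-01-10T08:02:40Z",
            "eventName": "ListBuckets",
            "sourceIPAddress": "198.51.100.8",
            "userIdentity": {"type": "IAMUser", "userName": "alice"},
        },
    },
    {
        "detail-type": "AWS API Call via CloudTrail",
        "detail": {
            "eventTime": "2023-01-10T08:05:03Z",
            "eventName": "CreateAccessKey",
            "sourceIPAddress": "198.51.100.7",
            "userIdentity": {"type": "Root", "accountId": "111122223333"},
        },
    },
]

if __name__ == "__main__":
    for hit in root_activity(SAMPLE_EVENTS):
        print("ROOT ACTIVITY:", *hit)
```

Only the two Root-identity records are reported; the IAM user's `ListBuckets` call is ignored. In a live setup the same pattern would be attached to a rule that targets an SNS topic, which is the part this example does not cover.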
- Regularly audit credentials: Use the credential report and access advisor, or an automated mechanism, to audit IAM credentials.
Getting credential report
Reducing policy scope by viewing user activity
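To show what "regularly audit credentials" looks like when automated, here is an added example (not AWS code) that parses the CSV an IAM credential report produces and checks each row against the controls this section names: MFA on console users, password age, access key age, and access keys on the root user. The report text, the audit date and the 90-day rotation limit are constructed/assumed; the column names match the real report header, but the sample keeps only the columns the check uses.

```python
"""Audit an IAM credential report for MFA, password-age and key-age gaps.

Added example for the 'Regularly audit credentials' item (not AWS code):
it parses the CSV the credential report produces and applies rules for the
controls the text lists. The report text, audit time and 90-day limit are
constructed/assumed; a real report has more columns than the sample keeps.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Columns used here match the real credential report header; the sample
# omits the unused ones (last_used_* and cert_* fields).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,not_supported,not_supported,true,true,2022-03-01T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2023-03-15T09:00:00+00:00,true,true,2023-02-20T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2022-11-30T08:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,N/A,false,true,2022-12-01T00:00:00+00:00,true,2023-03-20T00:00:00+00:00
"""

# Constructed audit time used by the sample run below.
SAMPLE_NOW = datetime(2023, 4, 1, tzinfo=timezone.utc)

# Placeholder strings the report uses where no timestamp applies.
NOT_A_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Return an aware datetime, or None for the report's placeholder values."""
    if value in NOT_A_DATE:
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_text, now, max_age_days=90):
    """Return a list of (user, finding) tuples, one per control violation."""
    cutoff = now - timedelta(days=max_age_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        password_enabled = row["password_enabled"] == "true"
        # Root user: any active access key is a finding on its own.
        if user == "<root_account>":
            for n in (1, 2):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root user has an active access_key_{n}"))
        # Console password present but no MFA device enrolled.
        if password_enabled and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        # Password age against the rotation limit.
        changed = parse_ts(row["password_last_changed"])
        if password_enabled and changed is not None and changed < cutoff:
            findings.append((user, f"password older than {max_age_days} days"))
        # Active access keys against the rotation limit.
        for n in (1, 2):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and rotated < cutoff:
                findings.append((user, f"access_key_{n} older than {max_age_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```

On the sample, `alice` passes every check, `bob` is flagged for a console password without MFA and for password age, `ci-deploy` for one stale key, and the root user both for holding an access key at all and for its age. Feeding a real report through the same function only requires fetching the CSV with the credential report API and passing the current time.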
Use services and tools
- Use AWS Organizations: Use AWS Organizations to centrally enforce policy-based management for multiple AWS accounts.
Getting started with AWS Organizations
How to use service control policies to set permission guardrails across accounts in your AWS Organization
- Consider AWS Landing Zone: AWS Landing Zone is a solution that helps customers more quickly set up a secure, multi-account AWS environment based on AWS best practices.
AWS Landing Zone
- Consider a federated identity provider: Consider using either an identity provider or built-in IAM users with groups and roles for human access.
Identity providers and federation
Access and control partner solutions
- Consider CloudFormation StackSets: CloudFormation StackSets can be used to deploy resources including IAM policies, roles, and groups into different AWS accounts and regions from a template.
Use CloudFormation StackSets