SEC 2: How do you manage identities for people and machines?

There are two types of identities you need to manage when approaching operating secure AWS workloads. Understanding the type of identity you need to manage and grant access helps you ensure the right identities have access to the right resources under the right conditions. Human Identities: Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. These are members of your organization, or external users with whom you collaborate, and who interact with your AWS resources via a web browser, client application, or interactive command-line tools. Machine Identities: Your service applications, operational tools, and workloads require an identity to make requests to AWS services - for example, to read data. These identities include machines running in your AWS environment such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access. Additionally, you may also have machines outside of AWS that need access to your AWS environment.

Resources

Mastering identity at every layer of the cake
Managing user permissions at scale with AWS SSO
Best Practices for Managing, Retrieving, and Rotating Secrets at Scale
IAM Best Practices
The AWS Account Root User
Getting Started with AWS Secrets Manager
Temporary Security Credentials
Identity Providers and Federation
Security Partner Solutions: Access and Access Control

Best Practices:

Improvement Plan

Use strong sign-in mechanisms

  • Create an IAM policy to enforce MFA sign-in: Create a customer-managed IAM policy that prohibits all IAM actions except for the ones that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page.
    https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1
  • Enable MFA in your identity provider: Enable MFA in the identity provider or single sign-on service, such as AWS Single Sign-On (SSO), that you use.
    https://aws.amazon.com/iam/details/mfa/
  • Configure strong password policy: Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.
    http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  • Rotate credentials regularly: Ensure administrators of your workload change their passwords and access keys (if used) regularly.
    Rotate credentials regularly
  • Use temporary credentials

  • Implement least privilege policies: Assign access policies with least privilege to IAM groups and roles to reflect the user's role or function that you have defined.
    Grant least privilege
  • Remove unnecessary permissions: Implement least privilege by removing permissions that are unnecessary.
    Reducing policy scope by viewing user activity
    View role access
  • Consider permissions boundaries: A permissions boundary is an advanced feature for using a managed policy that sets the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
    Lab: IAM permissions boundaries delegating role creation
  • Consider resource tags for permissions: You can use tags to control access to your AWS resources that support tagging. You can also tag IAM users and roles to control what they can access.
    Lab: IAM tag based access control for EC2
    Attribute-based access control (ABAC)
  • Store and use secrets securely

  • Use AWS Secrets Manager: AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.
    AWS Secrets Manager
  • Rely on a centralized identity provider

  • Centralize administrative access: Create an IAM identity provider entity to establish a trust relationship between your AWS account and your identity provider (IdP). IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
    Identity Providers and Federation
  • Centralize application access: Consider Amazon Cognito for centralizing application access. It lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
    Amazon Cognito
  • Remove old IAM users and groups: After you start using an identity provider (IdP), remove IAM users and groups that are no longer required.
    Finding unused credentials
    Deleting an IAM group
  • Audit and rotate credentials periodically

  • Regularly audit credentials: Use credential reports, and IAM Access Analyzer to audit IAM credentials and permissions.
    IAM Access Analyzer
    Getting credential report
    Lab: Automated IAM user cleanup
  • Use Access Levels to Review IAM Permissions: To improve the security of your AWS account, regularly review and monitor each of your IAM policies. Make sure that your policies grant the least privilege that is needed to perform only the necessary actions.
    Use access levels to review IAM permissions
  • Consider automating IAM resource creation and updates: AWS CloudFormation can be used to automate the deployment of IAM resources including roles and policies, to reduce human error, as the templates can be verified and version controlled.
    Lab: Automated deployment of IAM groups and roles
  • Leverage user groups and attributes

  • If you are using AWS Single Sign-On (SSO), configure groups: AWS SSO provides you with the ability to configure groups of users, and assign groups the desired level of permission.
    AWS Single Sign-On - Manage Identities
  • Learn about attribute-based access control (ABAC): Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes.
    What Is ABAC for AWS?
    Lab: IAM Tag Based Access Control for EC2