SEC 3: How do you control programmatic access?
Control programmatic or automated access with appropriately defined, limited, and segregated access to help reduce the risk of unauthorized access. Programmatic access includes access that is internal to your workload, and access to AWS related resources.
Define programmatic access requirements: Clearly define access requirements for automated or programmatic access to reduce the risks from unnecessary privileges.
Grant least privileges: Grant automated or programmatic access only the minimum privileges you have defined to reduce the risk of unauthorized access.
Automate credential management: Automate credential management to enforce minimum privileges and disable unused credentials. Automate auditing, reporting, and management of dynamic authentication.
Allocate unique credentials for each component: Do not share credentials between components; unique credentials support segregation and traceability. For example, use different IAM roles for AWS Lambda functions and EC2 instances.
Implement dynamic authentication: Credentials are dynamically acquired and frequently rotated by a service or system.
Define programmatic identity and access management requirements
Define requirements that will help you control programmatic or automated access with appropriately defined, limited, and segregated access.
- Identify compliance requirements: Discover the organizational, legal, and compliance requirements your workload needs to comply with.
- Identify AWS compliance resources: Identify resources that AWS has available to assist.
AWS cloud compliance
- Define appropriate functional levels for the application, tool, or service: Different IAM roles for each function allow granular access policies to be applied for each role.
Configure programmatic access
- Configure IAM roles in AWS services: Services such as Amazon EC2 and AWS Lambda use roles to grant access by providing credentials dynamically.
Using an IAM role to grant permissions to applications running on Amazon EC2 instances
Create AWS Lambda execution role
- Assign access policies with least privilege to IAM roles
Grant least privileges
- Enable external IDs: Use external IDs for granting access to your AWS resources from other AWS accounts you do not own, such as third-party accounts.
How to use an external ID when granting access to your AWS resources to a third party
- Define access lifecycles for each function: Define when the role should be reviewed or expire based on the requirements.
- Implement dynamic credentials using AWS Security Token Service
Temporary security credentials
- Use AWS Secrets Manager: AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets.
Secrets can be database credentials, passwords, third-party API keys, and even arbitrary
AWS Secrets Manager
Remove insecure configurations
After you configure best practices, remove unused insecure configuration items.
- Remove shared or stored credentials: These credentials include access keys, secret keys, console, and identity provider
Creating, modifying, and viewing access keys (console)
- Remove unnecessary credentials: Remove IAM user credentials (that is, passwords and access keys) that are not needed; for example, if a user was previously used for programmatic access and was replaced with AWS Security Token Service.
Remove unnecessary credentials
- Remove unnecessary permissions: Implement least privilege by removing IAM user and role permissions that are unnecessary.
Reducing policy scope by viewing user activity
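One way to automate the "Remove unnecessary credentials" check (and the auditing called for under "Automate credential management") is to scan the IAM credential report for active access keys that are unused or idle. The example below is added here and is not AWS-provided code: it parses a constructed report sample in the column layout of the IAM credential report (trimmed to the columns used) and flags keys that are active but never used, or idle longer than a configurable threshold. The sample users, account ID and dates are made up; the `NOW` timestamp is a fixed "as of" time so the check is reproducible offline.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of the IAM credential report CSV,
# trimmed to the columns this check reads. Users, account ID and dates are invented.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-01T10:00:00+00:00,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,false,not_supported,true,2023-11-02T08:15:00+00:00,true,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2024-05-20T09:00:00+00:00,true,2024-05-19T07:30:00+00:00,false,N/A
"""

# Fixed "as of" time (constructed) so the example gives the same answer every run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def _parse_ts(value):
    """Return an aware datetime, or None for report placeholders such as N/A or not_supported."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def find_stale_access_keys(report_csv, now=NOW, max_idle_days=90):
    """Return (user, key_slot, reason) for every active key that was never used
    or has not been used within max_idle_days. Inactive keys are skipped."""
    findings = []
    cutoff = now - timedelta(days=max_idle_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("access_key_1", "access_key_2"):
            if row[f"{slot}_active"] != "true":
                continue  # key does not exist or is already deactivated
            last_used = _parse_ts(row[f"{slot}_last_used_date"])
            if last_used is None:
                findings.append((row["user"], slot, "active but never used"))
            elif last_used < cutoff:
                findings.append((row["user"], slot, f"unused since {last_used.date()}"))
    return findings


if __name__ == "__main__":
    for user, slot, reason in find_stale_access_keys(SAMPLE_REPORT):
        print(f"{user}: {slot} {reason}")
```

Against a live account the same function can be fed the CSV content returned by `iam.get_credential_report()`; each finding is a candidate for deactivation and, after a grace period, deletion.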