This content is outdated. This version of the Well-Architected Framework is now found at: https://docs.aws.amazon.com/en_us/wellarchitected/2022-03-31/framework/security.html

SEC 2: How do you manage identities for people and machines?

There are two types of identities you need to manage when operating secure AWS workloads. Understanding which type of identity you are managing, and what access it needs, helps you ensure that the right identities have access to the right resources under the right conditions.

Human Identities: Your administrators, developers, operators, and end users require an identity to access your AWS environments and applications. These are members of your organization, or external users with whom you collaborate, who interact with your AWS resources via a web browser, client application, or interactive command-line tools.

Machine Identities: Your service applications, operational tools, and workloads require an identity to make requests to AWS services, for example to read data. These identities include machines running in your AWS environment, such as Amazon EC2 instances or AWS Lambda functions. You may also manage machine identities for external parties who need access, and you may have machines outside of AWS that need access to your AWS environment.

Resources

Mastering identity at every layer of the cake
Managing user permissions at scale with AWS SSO
Best Practices for Managing, Retrieving, and Rotating Secrets at Scale
IAM Best Practices
The AWS Account Root User
Getting Started with AWS Secrets Manager
Temporary Security Credentials
Identity Providers and Federation
Security Partner Solutions: Access and Access Control

Best Practices:

Improvement Plan

Use strong sign-in mechanisms

  • Create an IAM policy to enforce MFA sign-in: Create a customer-managed IAM policy that prohibits all IAM actions except for the ones that allow a user to assume roles, change their own credentials, and manage their MFA devices on the My Security Credentials page.
    https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_users-self-manage-mfa-and-creds.html#tutorial_mfa_step1
  • Enable MFA in your identity provider: Enable MFA in the identity provider or single sign-on service, such as AWS Single Sign-On (SSO), that you use.
    https://aws.amazon.com/iam/details/mfa/
  • Configure strong password policy: Configure a strong password policy in IAM and federated identity systems to help protect against brute-force attacks.
    http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_passwords_account-policy.html
  • Rotate credentials regularly: Ensure administrators of your workload change their passwords and access keys (if used) regularly.
    Rotate credentials regularly
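As an added illustration of the first item above (not text or code from the framework page), this is a customer-managed policy of the shape the linked tutorial describes: every action is denied unless the request was made with MFA, except the few actions a user needs to enrol a device and obtain an MFA-backed session. The policy variable ${aws:username} scopes the self-management statements to the caller's own IAM user.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": ["iam:GetAccountPasswordPolicy", "iam:ListVirtualMFADevices"],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": ["iam:ChangePassword", "iam:GetUser"],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}
    }
  ]
}
```

The Deny uses BoolIfExists so that requests carrying no aws:MultiFactorAuthPresent key at all (calls made with long-term access keys) are refused too, and iam:DeactivateMFADevice and iam:DeleteVirtualMFADevice are deliberately absent from NotAction so a session without MFA cannot remove the device.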

Use temporary credentials

  • Implement least privilege policies: Assign access policies with least privilege to IAM groups and roles to reflect the user's role or function that you have defined.
    Grant least privilege
  • Remove unnecessary permissions: Implement least privilege by removing permissions that are unnecessary.
    Reducing policy scope by viewing user activity
    View role access
  • Consider permissions boundaries: A permissions boundary is an advanced feature for using a managed policy that sets the maximum permissions that an identity-based policy can grant to an IAM entity. An entity's permissions boundary allows it to perform only the actions that are allowed by both its identity-based policies and its permissions boundaries.
    Lab: IAM permissions boundaries delegating role creation
  • Consider resource tags for permissions: You can use tags to control access to your AWS resources that support tagging. You can also tag IAM users and roles to control what they can access.
    Lab: IAM tag based access control for EC2
    Attribute-based access control (ABAC)
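As an added example for the permissions boundary item above (not code from the framework page or the linked lab), this is the identity policy you would attach to a delegated developer so that they can create application roles only when the new role carries a designated boundary. The account ID 111122223333, the role-name prefix app-* and the boundary policy name AppDeveloperBoundary are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOrChangeRolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePermissionsBoundary",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy"
      ],
      "Resource": "arn:aws:iam::111122223333:role/app-*",
      "Condition": {
        "StringEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/AppDeveloperBoundary"
        }
      }
    },
    {
      "Sid": "NoBoundaryPolicyEdit",
      "Effect": "Deny",
      "Action": [
        "iam:CreatePolicyVersion",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:SetDefaultPolicyVersion"
      ],
      "Resource": "arn:aws:iam::111122223333:policy/AppDeveloperBoundary"
    },
    {
      "Sid": "NoBoundaryRemoval",
      "Effect": "Deny",
      "Action": ["iam:DeleteRolePermissionsBoundary"],
      "Resource": "*"
    }
  ]
}
```

The two Deny statements stop the developer from widening or deleting the boundary policy itself, or from stripping the boundary off a role after creation; the boundary document (not shown) is an ordinary managed policy listing the maximum permissions any app-* role may ever be granted.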

Store and use secrets securely

  • Use AWS Secrets Manager: AWS Secrets Manager is an AWS service that makes it easier for you to manage secrets. Secrets can be database credentials, passwords, third-party API keys, and even arbitrary text.
    AWS Secrets Manager

Rely on a centralized identity provider

  • Centralize administrative access: Create an IAM identity provider entity to establish a trust relationship between your AWS account and your identity provider (IdP). IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
    Identity Providers and Federation
  • Centralize application access: Consider Amazon Cognito for centralizing application access. It lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.
    Amazon Cognito
  • Remove old IAM users and groups: After you start using an identity provider (IdP), remove IAM users and groups that are no longer required.
    Finding unused credentials
    Deleting an IAM group

Audit and rotate credentials periodically

  • Regularly audit credentials: Use credential reports, and IAM Access Analyzer to audit IAM credentials and permissions.
    IAM Access Analyzer
    Getting credential report
    Lab: Automated IAM user cleanup
  • Use Access Levels to Review IAM Permissions: To improve the security of your AWS account, regularly review and monitor each of your IAM policies. Make sure that your policies grant the least privilege that is needed to perform only the necessary actions.
    Use access levels to review IAM permissions
  • Consider automating IAM resource creation and updates: AWS CloudFormation can be used to automate the deployment of IAM resources, including roles and policies, reducing human error because the templates can be verified and version controlled.
    Lab: Automated deployment of IAM groups and roles

Leverage user groups and attributes

  • If you are using AWS Single Sign-On (SSO), configure groups: AWS SSO provides you with the ability to configure groups of users, and assign groups the desired level of permission.
    AWS Single Sign-On - Manage Identities
  • Learn about attribute-based access control (ABAC): Attribute-based access control (ABAC) is an authorization strategy that defines permissions based on attributes.
    What Is ABAC for AWS?
    Lab: IAM Tag Based Access Control for EC2
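As an added example serving both the tag-based permissions item under least privilege and the ABAC item above (not code from the framework page or the labs), this policy lets a principal operate only those EC2 instances whose project tag matches the project tag carried by the principal; the tag key project is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadAllInstances",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances", "ec2:DescribeTags"],
      "Resource": "*"
    },
    {
      "Sid": "OperateOnlyOwnProjectInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"}
      }
    },
    {
      "Sid": "TagOnlyWithinOwnProject",
      "Effect": "Allow",
      "Action": ["ec2:CreateTags"],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/project": "${aws:PrincipalTag/project}",
          "aws:RequestTag/project": "${aws:PrincipalTag/project}"
        },
        "ForAllValues:StringEquals": {"aws:TagKeys": ["project"]}
      }
    }
  ]
}
```

ec2:DescribeInstances does not support resource-level permissions, so it must be granted on "*"; ec2:DeleteTags is deliberately omitted so a principal cannot detach an instance from its project, and the principal's tag can come from the IAM user or role itself or from session tags passed by the identity provider at federation time.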