-by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)

The fundamental Cloud Security concepts were covered in documents 1-8 and can be found here.

This document addresses another important aspect of cloud security – Identity Management. As the concepts and terms might be different between cloud providers, this document concentrates on AWS and provides an overview of some of the key security services and resources it provides to cloud architects.

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

AWS IAM

Identities in AWS are managed using a service called AWS IAM (Identity and Access Management).

This service is available globally across all AWS regions, so that each user/group/policy/role are configured once and applied from any region around the world.

Root user

This is the initial administrator identity inside an AWS account. This account has full privileges over the entire AWS account, including the ability to close/disable the entire AWS account.

It is strongly recommended to create an additional IAM account with full admin privileges and protect the Root user credentials with a strong password and MFA (Multi Factor authentication).

IAM Role

An identity with specific permissions and policies. Role can be assigned to a user, group or even EC2 machine.

Policy

A permission document in JSON format that defines what an identity is allowed or denied from performing.

MFA (Multi-Factor Authentication)

AWS IAM support the ability to configure strong authentication using either virtual or software device (using Google Authenticator) or using a hardware OTP (One time password generator) device.

For best practice, it is strongly recommended to enable MFA for any privileged identity inside an AWS account.

Access Keys

AWS allows connecting to resources using either SDK (programmatic access) or using command line tools.

In order to achieve this goal, AWS allows access using a combination of “access key” and “secret access key” as credentials.

For best practice, it is strongly recommended to remove unused access keys and rotate active access keys on a schedule interval (according to the organization policy).

References:

AWS Introduction to IAM
https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

IAM Best Practices
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Best Practices for Managing AWS Access Keys
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html

IAM Business Use Cases
https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UseCases.html

Best practices for using AWS access keys
https://www.iucc.ac.il/best-practices-for-using-aws-access-keys/

13 AWS IAM Best Practices for Security and Compliance
https://www.skyhighnetworks.com/cloud-security-blog/13-aws-iam-best-practices-for-security-and-compliance/

5 Advanced IAM Best Practices
https://cloudcheckr.com/2017/12/top-5-iam-best-practices/

Best Practices for Using AWS Identity and Access Management (IAM) Roles
https://www.slideshare.net/AmazonWebServices/best-practices-for-using-aws-identity-and-access-management-iam-roles-aws-online-tech-talks