8 Best Practices of Identity and Access Management (IAM)

What is Identity Access Management (IAM)?

Identity Access Management is an additional layer of security implemented on the Business layer. It helps your organization to control which files/data/resources are accessible to whom. For instance, if your department has many roles, you can ensure the right person has access to the right resource. Importantly, IAM helps organizations secure data from external thefts.

This blog post explores types of IAM, best practices for IAM implementation, and its benefits to organizations.

Understanding Identity and Access Management

Identity and access management is a service provided by AWS to control access to the various AWS resources. One can use IAM to give access and permissions to your resources. As you create your AWS account for the first time, you sign in with a single sign-in as a root user that has access to all the help. The main moto of the IAM is to ensure that only authenticated users are granted access to your environments.

Types of IAM

We have three methods to verify Identity and Access Management:

1. Centralized IAM which functions by having all the control at a centralized physical or virtual location
2. Decentralized IAM functions based on the decisions taken by various regional centers
3. Federal IAM functions by involving all the participating organizations and agreeing upon a set of standards and procedures to be followed.

Benefits of IAM

• Prevents Spread of malware/virus
• Helps to Monitor Employee Productivity
• Provide access to potential clients on the company portal
• Enhances user-experience

Access and user are two basic concepts that we should understand when implementing IAM. Here is a brief description of the types of Identities you can create.

Creating Identities

IAM can be put into action by first creating Identities. You are allowed to create three different identities in AWS:

1. USERS
2. GROUPS
3. ROLES

USERS: It is an entity created to provision interaction with AWS. The primary use for IAM users is to ensure you can sign in to the AWS Management Console to carry out interactive tasks and to make programmatic requests to AWS services using the API or CLI.

IAM user is assigned with a username and password to sign in to the AWS console. Whenever we create an IAM user, we give a few permissions and policies applicable to that user.

GROUPS: It is a group of IAM users; this is used to assign similar permissions for individuals working on an identical task or project.

Ex: employees working on the same project need similar permissions. Groups ensure smooth operations during a project. We can use these IAM groups for attaching new policies which will be applicable for everyone in the group.

ROLES: This role is similar to a user but doesn’t have any credentials associated with it. Instead, this role of IAM has a group of policies with permissions to many resources at a time. AWS relies on details passed by the identity provider to determine which function is mapped to the federated user.

To create the above identities, one should follow the best practices; here are the eight best practices of IAM compiled for you:

Best Practices for IAM implementation

1. Create individual IAM users: Never use your AWS account root user credentials to access AWS, and don’t give your credentials to anyone else. Instead, create individual users to whoever wanted access to AWS. For example, create a user for yourself, give the administrator permission, and use it for your work. Creating a unique IAM user can provide an individual with security credentials and grant and revoke permissions depending on the requirement and use. AWS recommends changing the password as soon as the user receives the credentials.
2. Use user groups to assign permissions to users: Instead of giving permissions to individuals, we can grant permissions to a group; users who need similar permission will be assigned. The permissions which are added and revoked to that group apply to everyone in that group.
3. Grant least privilege: Grant the permissions only required for their use and restricted remaining. At first, give the necessary permissions and later add on depending on requests or requirements.
4. Do not share the access key: Access keys provide programmatic access to AWS. Do not use the access key in the code and share it with the team. If an access key is needed for applications, then give a role that will take temporary credentials from AWS.
5. Configure a strong password policy for users: We should create a custom password policy for users to change their passwords periodically and set a strong password. You have to upgrade from the AWS default password policy to define password requirements, such as minimum length.
6. Employ roles for applications that run on Amazon EC2:Generally, applications that run on Amazon EC2 need credentials to access other AWS resources. To provide these credentials, we use IAM roles. IAM roles have a set of permissions that need to be given.
7. Validate your Policies: Perform policy validation using IAM Access Analyzer during the creation and edit of the JSON policies. It is recommended that you review and validate all of your existing policies. It generates security warnings when a statement in your policy allows access, which we consider overly permissive.
8. Use roles to delegate permissions: Please don’t share your credentials with other users to access your account from their account. Instead, use roles to delegate permissions to the users and also to which users are applicable.

Conclusion

We should always be careful on accessing the resources on your AWS account, So IAM will help you have complete access to your account to what and who should use resources. Importantly, IAM allows organizations to have a secure and hassle-free workflow. We hope now you have a better understanding of creating identities, access, and the best practices to be followed while implementing IAM. You can read more about IAM Authorization Hierarchy in this blog.

About CloudThat