IAM Security Checklist For AWS

IAM Security Checklist For AWS by Tim Layton

Identity and access management (IAM) is the new perimeter in our cloud-based world. IAM is a way to tell who a user is and what they are allowed to do, so it is critical that IAM is implemented correctly and securely.

IAM is a means of managing digital identities and the privileges associated with each identity, which is what makes IAM the new perimeter in cloud computing.

In cloud computing, data is accessed over the Internet and stored remotely. One of the key benefits of cloud computing is broad network access from any device, which is also a security concern and challenge for enterprise environments. COVID has accelerated how we work and how organizations function, and cloud computing is at the core of our new remote-first world.

Identity, not the network perimeter, is now what controls access to company applications, resources, and assets. The traditional network perimeter has effectively vanished with cloud computing.

The attack surface has radically changed with cloud computing because cyber criminals no longer need to compromise an organization's corporate firewall and perimeter defenses. Because authorized users frequently access company resources over web browsers, attackers use very basic attack vectors aimed at obtaining employee login credentials so they can assume the identity of an authorized user.

IAM helps prevent identity-based attacks and data breaches, and you should review the checklist below to make sure your AWS environment is following these best practices. You should also review the AWS IAM overview and use cases provided by Amazon.

Get My Free Cloud Security Risk Management Journal

IAM Security Best Practices Checklist For AWS

  • Lock away the AWS root user access keys
  • Create individual IAM users
  • Use AWS-defined policies to assign permissions whenever possible
  • Use groups to assign permissions to IAM users
  • Grant least privilege
  • Use access levels to review IAM permissions
  • Configure a strong password policy for users
  • Enable MFA
  • Use roles for applications that run on AWS EC2 instances
  • Delegate by using roles instead of sharing credentials
  • Rotate credentials regularly
  • Remove unnecessary credentials
  • Use policy conditions for extra security
  • Monitor activity in your AWS account
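Several of these items can be verified mechanically from the IAM credential report (the CSV returned by `aws iam get-credential-report`). The script below is an added example, my own code rather than anything from this post or from AWS: it reads a report in that CSV layout and flags active root access keys, console users without MFA, access keys older than a rotation limit, and active credentials that are idle or have never been used. The sample rows, the account ID, the 90-day thresholds and the fixed clock are constructed assumptions for a repeatable run; in practice you would feed it the decoded report content for your own account.

```python
"""Audit an AWS IAM credential report against several IAM checklist items."""
import csv
import io
from datetime import datetime, timezone

# Assumed thresholds (not from the original page): maximum credential age
# before rotation is due, and maximum idle period before a credential is
# considered unnecessary.
MAX_AGE_DAYS = 90
MAX_IDLE_DAYS = 90

# Constructed sample, trimmed to the columns this audit uses. The column names
# match the real credential report; the account ID and all values are made up.
SAMPLE_REPORT = """user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,not_supported,2024-02-20T08:00:00+00:00,true,true,2022-06-01T00:00:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,true,2024-02-28T09:15:00+00:00,true,true,2024-01-10T00:00:00+00:00,2024-02-28T10:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::111122223333:user/bob,true,2024-02-27T12:00:00+00:00,false,false,N/A,N/A,false,N/A,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,false,no_information,false,true,2023-09-01T00:00:00+00:00,2024-02-29T23:00:00+00:00,true,2023-03-01T00:00:00+00:00,N/A
"""

# Fixed "now" (constructed) so the sample yields repeatable findings.
NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style markers."""
    if not value or value in ("N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def age_days(value, now=NOW):
    """Whole days between a report timestamp and `now`, or None if unknown."""
    ts = parse_ts(value)
    return None if ts is None else (now - ts).days


def audit_credential_report(report_text, now=NOW):
    """Return a list of (user, finding) tuples for checklist violations."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]

        # Lock away the root user access keys: root should hold no active keys.
        if user == "<root_account>":
            for slot in ("1", "2"):
                if row[f"access_key_{slot}_active"] == "true":
                    findings.append((user, f"root access key {slot} is active"))
            continue

        # Enable MFA: every user with a console password must have MFA.
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))

        # Remove unnecessary credentials: idle console password.
        idle = age_days(row["password_last_used"], now)
        if row["password_enabled"] == "true" and idle is not None and idle > MAX_IDLE_DAYS:
            findings.append((user, f"console password unused for {idle} days"))

        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # Rotate credentials regularly: flag keys older than MAX_AGE_DAYS.
            age = age_days(row[f"access_key_{slot}_last_rotated"], now)
            if age is not None and age > MAX_AGE_DAYS:
                findings.append((user, f"access key {slot} is {age} days old"))
            # Remove unnecessary credentials: active keys never used or idle.
            used = age_days(row[f"access_key_{slot}_last_used_date"], now)
            if used is None:
                findings.append((user, f"access key {slot} is active but never used"))
            elif used > MAX_IDLE_DAYS:
                findings.append((user, f"access key {slot} unused for {used} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user}: {finding}")
```

On the constructed sample this reports the root user's active access key, bob's console login without MFA, and ci-deploy's two stale keys (one of which has never been used); alice produces no findings. The report does not cover policy scope, so items such as least privilege and policy conditions still need a separate review of the attached policies.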

I strongly recommend reviewing the AWS IAM Best Practices Guide provided by Amazon.

Tim Layton specializes in demystifying the complexities and technical jargon associated with cloud computing security and risk management for business stakeholders across the enterprise. Tim is a cloud security thought leader defining actionable and defensible strategies to help enterprise stakeholders make risk-based decisions and prioritize investments in the new digital frontier.

Stay Connected With Tim Layton

LinkedIn: www.Linkedin.com/in/TimLaytonCyber

Website: http://CloudSecurityLaunchPad.com



Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service. (NIST 800-30)

Threat: a potential cause of an unwanted incident that can result in harm to a system or organization. (ISO 27001)

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source. (NIST 800-30)

Vulnerability: weakness of an asset or control that can be exploited by one or more threats. (ISO 27001)

Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability or a set of vulnerabilities. (NIST 800-30)

Likelihood: chance of something happening. (ISO 27001)

Risk: A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. (NIST 800-30)

Risk: effect of uncertainty on objectives. (ISO 27001)

Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information. (NIST 800-30)

Compensating Security Control: A management, operational, and/or technical control (i.e., safeguard or countermeasure) employed by an organization in lieu of a recommended security control in the low, moderate, or high baselines that provides equivalent or comparable protection for an information system. (NIST 800-30)

Impact Level: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. (NIST 800-30)

Residual Risk: A portion of risk remaining after security measures have been applied. (NIST 800-30)

Security Posture: The security status of an enterprise's networks, information, and systems based on information assurance resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. (NIST 800-30)
