The document provides an overview of AWS Identity and Access Management (IAM) best practices and common use cases. It discusses 10 best practices for IAM including creating individual users, configuring strong password policies, rotating security credentials regularly, enabling MFA for privileged users, managing permissions with groups, granting least privilege, using IAM roles to share access, using IAM roles for EC2 instances, enabling AWS CloudTrail for auditing, and reducing use of root credentials. It also covers using tag-based access control and managing multiple AWS accounts.

1. IAM Best Practices to Live By
Huy Huynh
AWS Solution Architect

2. What to Expect from the Session
We will look at:
• What is IAM
• Best practices – to help you get started
• Common use cases – cover the building blocks

3. AWS Identity and Access Management (IAM)
Enables you to control who can do what in your AWS account
Users, groups, roles, and permissions
Control
– Centralized
– Fine-grained - APIs, resources, and AWS Management Console
Security
– Secure (deny) by default
– Multiple users, individual security credentials and permissions

4. A username for each user
Groups to manage multiple users
Centralised access control
Optional provisions:
• Password for console access
• Policies to control access
• Use Access Key to sign API calls
• Multifactor Authentication
Familiar IAM

5. Access Key
CLI/API access
Used to sign requests without sending the Secret on the network
Not retrievable from AWS again – you lose it, generate a new pair
Identifier ACCESS KEY ID
Ex: AKIAIOSFODNN7EXAMPLE
Secret SECRET KEY
Ex: UtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
Authenticate

6. Multifactor Authentication (MFA)
Helps prevent anyone with unauthorized knowledge of your credentials from
impersonating you
Hardware or Virtual
Works with
• Root credentials
• IAM Users
• Application
Integrated into
• AWS API
• AWS Management Console
• Key pages on the AWS Portal
• S3 (Secure Delete)
Authenticate

7. Permissions are to specify
Who can access to AWS resources
What action can be performed on those AWS resources
How is it done?
• Organized in Policies (JSON)
Authorize

8. Are built in Policies
Attached to an IAM user, group, or role
Enable you specify what that user, group, or
role can do
User-based policies: managed or inline
Authorize

9. AWS Resources
• Defined uniquely by an Amazon Resource Name (ARN)
Ex: EC2 instance, DynamoDB table, IAM user, etc.
Not: OS installed on EC2, data inside an EBS volume, etc.
AWS IAM Concepts
arn:aws:service:region:account:resource
<!– Amazon EC2 instance -->
arn:aws:ec2:us-east-1:123456789012:instance/i-1a2b3c4d
<!-- Amazon RDS tag -->
arn:aws:rds:eu-west-1:001234567890:db:mysql-db
<!-- Amazon S3 all objects in a bucket -->
arn:aws:s3:::my_corporate_bucket/*

10. User-based Policy
Managed Policies
• AWS managed policies
• Customer managed policies
• Reusable
• Versioning
Inline Policies
• Embedded into a user, group or role
• Disposable / Temporary
Authorize
Versioning
Track changes
Enables rollback
Keep up to five versions

11. Evaluation Rules
By default, all requests are denied
An allow overrides any default denies
An explicit deny overrides any allows
The order in which the policies are evaluated
is not important
Authorize

12. {
"Statement":
{
"Effect": "Allow",
"Action": "ec2:TerminateInstances",
"Resource": "arn:aws:ec2:ap-southeast-1:444455556666:instance/*",
"Condition" : {
“Bool": {"aws:MultiFactorAuthPresent": "true"},
"NumericLessThan":{"aws:MultiFactorAuthAge":"300"},
"IpAddress" : {"aws:SourceIp" : ["10.0.2.0/28", “203.0.113.0/29"]}
}
}
Authorize
Overview of AWS IAM
OR
AND

13. AWS Policy Simulator
Test your policies
Find which policy is
responsible for the
permission
Authorize
Overview of AWS IAM

14. CloudTrail
Authorize
Overview of AWS IAM

15. IAM Best Practices
• Identity and Credential Management
• Access Permission Management
• Delegation and Audit

16. Identity & Credential Management

17. 1. Create Individual users
Benefits
• Unique set of credentials
• Individual permissions
• Granular control
• Easy to revoke access
Do
• Create IAM user for yourself
• Create individual users for other
Don’t
• Distribute your AWS root
credentials
• Use your root account user

18. 2. Configure a strong password policy
Benefits
• Ensures your users and data are
protected
• Easy way to enforce password
complexity requirements
• Increase account resilience against
brute force login attempts
Do
• Require password expiration of 90 days
• Require passwords with:
 minimum password length of 14
 at least one uppercase letter
 at least one lowercase letter
 at least one symbol
 at least one number

19. 3. Rotate security credentials regularly
Benefits
• Reduces the window of potential
unauthorized access
• Ensures that data cannot be
accessed with old keys which might
have been lost or stolen
Do
• Use Access Key Last Used to identify
and deactivate credentials that have
been unused in 90 or greater days
• Enable credential rotation for IAM
users
• Use Credential Report to audit
credential rotation.

20. Enabling credential rotation for IAM users
(Enable access key rotation sample policy)
Access keys Steps to rotate access keys
1. Create a new set of credentials.
2. Update all applications to use the new
credentials.
3. Deactivate the first set of credentials.
4. Confirm that your applications are
working well.
5. Delete the first set of credentials.
{
"Version":"2012-10-17",
“Statement": [{
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"],
"Resource":
"arn:aws:iam::123456789012:
user/${aws:username}"
}]}

21. 4. Enable MFA for Privileged users
Benefits
• Provides an extra layer of protection
• Increase security for console and
programmatic access
Do
• Enable MFA for your root account
• Protect sensitive actions with MFA

22. Access Permission Management

23. 5. Manage permissions with groups
Benefits
• Reduces the complexity of access
management as number of users
grow
• Reduces the opportunity for a user
to accidently get excessive access
• Easy way to reassign permissions
based on change in responsibility
• Easy way to update permissions for
multiple users
Do
• Create groups that relate to job
functions
• Attach policies to groups
• Use managed policies to logically
manage permissions
• Manage group membership to assign
permissions

24. 6. Grant least privilege
Benefits
• Minimize chances of accidently
performing privileged actions
• Easier to relax than tighten up
• More granular control
Do
• Start with a minimum set of
permissions and grant additional
permissions as necessary
• Restrict privileged access further with
conditions
• Regularly check Access Advisor to
restrict access
• Control access to specific resources
using resource-based policy

25. Show and tell
1. Create a group and attach a
policy
2. Manage user’s permission
using group membership
3. Use Access Advisor to
identify overly permissive
policies

26. Delegation & Audit

27. 7. Use IAM roles to share access
Benefits
• No need to share security
credentials
• No need to store long-term
credentials
• Control who has access
Do
• Use roles to delegate cross-account
access
• Use roles to delegate access within an
account
• Use roles to provide access for
federated users

28. prod@example.com
Acct ID: 111122223333
ddb-role
{ "Statement": [
{ "Action":
[
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*“
}]}
dev@example.com
Acct ID: 123456789012
Authenticate with
Rob’s access keys
Get temporary
security credentials
for ddb-role
Call AWS APIs
using temporary
security credentials
of ddb-role
{ "Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource":
"arn:aws:iam::111122223333:role/ddb-role"
}]}
{ "Statement": [
{
"Effect":"Allow",
"Principal":{"AWS":"123456789012"},
"Action":"sts:AssumeRole"
}]}
ddb-role trusts IAM users from the AWS account
dev@example.com (123456789012)
Permissions assigned
to Rob granting him
permission to assume
ddb-role in account B
IAM user: Rob
Permissions assigned to ddb-role
STS
How does federated access work?

29. 8. Use IAM roles for Amazon EC2 instances
Benefits
• Easy to manage access keys on
EC2 instances
• Automatic key rotation
• AWS SDKs fully integrated
• AWS CLI fully integrated
Do
• Use roles instead of long term
credentials
• Assign least privilege to the
application

30. 9. Enable AWS CloudTrail to get logs of API calls
Benefits
• Enables API activity monitoring in
your account
• Enables security analysis, resource
tracking, and compliance auditing
Do
• Ensure AWS CloudTrail is enabled in
all regions
• Ensure AWS CloudTrail log file
validation is enabled
• Ensure the Amazon S3 bucket of
CloudTrail logs is not publicly
accessible

31. 10. Reduce or remove use of root
Benefits
• Reduces the risk of accidental
changes and unintended disclosure
of highly privileged credentials
Do
• Enable MFA for root account user
• If possible, remove root access keys
• Use a strong password for your
account
• Use individual users

32. Top 10 IAM best practices
1. Users – Create individual users
2. Password – Configure a strong password policy
3. Rotate – Rotate security credentials regularly
4. MFA – Enable MFA for privileged users
5. Groups – Manage permissions with groups
6. Permissions – Grant least privilege
7. Sharing – Use IAM roles to share access
8. Roles – Use IAM roles for Amazon EC2 instances
9. Auditing – Enable AWS CloudTrail to get logs of API calls
10. Root – Reduce or remove use of root

33. Common use cases
• Tag-based access control
• Accounts management

34. Control access using AWS resource tag
• Use tag-based access control when you need to:
• Treat resources as a unit, such as a project
• Automatically enforce permissions when new resources are created
NOTE: The following services currently support tag-based access control:
Amazon EC2, Amazon VPC, Amazon EBS, Amazon Glacier, Amazon RDS, Amazon
Simple Workflow Service, and AWS Data Pipeline

35. How does tag-based access control work?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:*",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Project" : "Blue"
}
}
}
]
}
Permissions assigned to Rob granting him permission to
perform any EC2 action on resources tagged with
Project=Blue
IAM user: Rob
i-a1234b12
Project=Blue
i-a4321b12
Project=Blue
i-a4321b12
Project=Green

36. Show and tell
1. Control an EC2 instance
tagged with Project=Blue

37. Accounts management

38. Accounts management
Use a single AWS account when you:
• Want simpler control of who does what in your AWS environment
• Have no need to isolate projects/products/teams
• Have no need for breaking up the cost
Use multiple AWS accounts when you:
• Need full isolation between projects/teams/environments
• Want to isolate recovery data and/or auditing data (e.g., writing your
CloudTrail logs to a different account)
• Need a single bill, but want to break out the cost and usage

39. What did we cover?
1. The 10 IAM best practices
2. Tag-based access control
3. Accounts management

40. Thank you

41. Remember to complete
your evaluations!