AWS accounts are created with a root account. By default, this root account has full access to every aspect of the AWS environment, so it should never be used for routine, daily access. Secure it with MFA and limit knowledge of its credentials to a few individuals within your organization. Instead, create separate identities (human and machine) to access your AWS workloads securely.
For human identities, the best practice is to rely on a centralized identity provider (identity federation), with users signing in to AWS through SAML 2.0 or OpenID Connect.
Every user who requires access to resources in your AWS account should be given their own identity. This aids monitoring and auditing and, when combined with groups and policies, allows granular control of access to resources. All users should be set up with MFA and permitted to register their devices. Strong passwords should be required, and periodic audits and rotation of credentials should be mandatory.
Groups should be created to grant access to internal resources, and every user should belong to one or more groups, since that is how they receive access. Review group memberships periodically and revoke membership for anyone who no longer requires access because their role changed or they left the organization.
Policies should be created that allow (or deny) access to resources within your AWS account, and then attached to the groups containing the users who need that access. Grant privileges according to the principle of least privilege: only the permissions an individual needs to do their job should be applied.
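To make the least-privilege and MFA points above concrete, here is an added example (not code from the original post) that audits IAM policy documents for the two things a reviewer looks for first: wildcard actions or resources in Allow statements, and the absence of an MFA condition. The two policy documents, the bucket name and the check itself are constructed for illustration; the check only inspects `Action`/`Resource` and ignores `NotAction`/`NotResource`.

```python
"""Audit IAM policy documents for common least-privilege violations.

Added example, not code from the original post. Assumes policy
documents in the standard IAM JSON format; both sample documents below
are constructed for illustration.
"""
import json

# Constructed sample: an over-broad policy that grants everything.
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

# Constructed sample: read access to one bucket, only when MFA was used.
# aws:MultiFactorAuthPresent is a real IAM global condition key.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-reports-bucket",
            "arn:aws:s3:::example-reports-bucket/*",
        ],
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
})


def _as_list(value):
    """IAM allows either a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(document: str) -> list:
    """Return a list of findings for Allow statements that are too broad."""
    findings = []
    statements = _as_list(json.loads(document).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"statement {idx}: wildcard action {actions}")
        if "*" in resources:
            findings.append(f"statement {idx}: wildcard resource")
        if "aws:MultiFactorAuthPresent" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"statement {idx}: no MFA condition")
    return findings
```

Run `audit_policy` over each policy you intend to attach to a group: the over-broad sample yields three findings, the scoped sample yields none.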
This barely scratches the surface of what is needed to secure user access to AWS resources. The Security Pillar of the AWS Well-Architected Framework contains the best practices for securing AWS workloads.