Home 4 Best Practices to implement IAM in AWS

4 Best Practices to implement IAM in AWS


Identity and Access Management (IAM) systems provide the capability to create and manage user accounts, roles, and access rights for individual users in an organization. They typically incorporate user provisioning, password management, policy management, access governance, and identity repositories in an often-complex design. Because providing IAM is a colossal task, you’re likely to face many challenges. You may be asked to confirm the accounts in your IAM system and the access rights for each, which can be a daunting and challenging task. Unfortunately, the environments that IAM systems support are often subject to both persistent attacks and inadvertent permission creep due to changing roles and rights within your organization.

Enable MFA as a first line of defense for cloud security

Configuring AWS IAM MFA provides extra layers of security to your AWS account above your traditional system of authentication using username and password. When MFA is enabled, the user gets prompted for an extra authentication response from their registered MFA device along with the username and password. All these factors combined provide increased security to the user’s account and prevent misuse of AWS account or resources. It is highly recommended that MFA should be enabled on all AWS accounts in use.

Ensure your IAM Policies are not vulnerable to alteration

As a root user, you always want to have full governance over your AWS infrastructure. If any change occurs into your configuration, you should be the first to get notified. Without considering what type of change is expected, unexpected, intentional, or unintentional doesn’t matter. Thanks to AWS for CloudTrail, CloudWatch, and SNS (Simple Notification Service). AWS allows users to have a metric filter and alarm for Identity and Access Management policy (IAM) changes. So that you won’t miss any update about the changes in the configuration of IAM Policy.

AWS IAM managed policy is recommended over inline policy

Managed Policies are created and managed by AWS while Customer Managed Policies, as the name suggests, are standalone policies that are managed by users in their respective AWS account.

Inline policy is an IAM policy that is actually embedded within the identity. Don’t forget that there is a strict one-on-one relationship between the entity and the policy.

Which one is better and why?

It is recommended to use managed policies instead of inline policy. This is because managed policies allow reusability. Managed policies can be implemented as versions.

Rotate your AWS IAM user access keys regularly

Anyone who has the access key has unrestricted access to all the resources in the root user’s account, including billing information. You cannot restrict the permissions for your AWS account root user and similarly, you cannot restrict the permissions for any user who has the access key.

It is recommended not to use root user account or not have the access key for the root user account. In case there is a compulsion to use root account and to have an access key then it is recommended to rotate access keys time to time to ensure proper security of your AWS resources.

Read About