Identity and Access Management is a global service that enables secure access for AWS resources. Since this is a key service of AWS, they have provided a set of best practices to follow when using IAM. According to AWS documentation IAM best practices can be listed down as follows.
- Freeze your AWS Account root user access keys
It is recommended not to use the AWS account root user access key. The root account access key gives full access for all the services as well as the billing information and access cannot be limited too. Hence, the root keys should be handled carefully.
- Try as much as possible to not create a root access key and instead use an email address and password in order to log into the account and create an IAM user with administrative permissions.
- If there is a strong need to create a root access key, rotate the access key in a regular manner.
- Do not share access keys with others
- Use a strong password for the root account
- Enable AWS multi-factor authentication for the AWS root account
2. Use groups to assign permissions to IAM users
Instead of giving permissions for each user individually, it is recommended to create groups with a similar set of users and give permissions to the whole team at once.
3. Grant least privilege
When granting permissions for users it is recommended to start with least privileges which means granting only the permissions that are required to perform a specific task.
4. Use roles for applications that run on Amazon EC2 instances
Applications that run on EC2 instances need permissions to access AWS resources. It is recommended to use IAM roles in order to provide permissions for EC2 instances in a secure manner. IAM role is a form of granting permissions in a secure manner and it provides permissions temporary.