Identity and Access Management (IAM) Best Practices for Cloud Security
Identity and Access Management (IAM) is crucial to every cloud security strategy, but it often flies under the radar. IAM ensures that only the right, authorized people and job roles in your organization (identities) have access to your cloud resources. Ultimately, it helps manage a range of identities, including users, software, and hardware.
To give it a bit of perspective, IAM brings two core advantages; security and productivity.
Traditional security revolves around users and their passwords which can quickly get exposed, making organizations vulnerable to attacks. IAM services narrow down attack vectors, complicate the potential hacking process, and backstops to catch mistakes earlier.
Once employees log in to the main IAM portal, they no longer need to worry about typing in the correct passwords or having the right access level to complete their tasks. Their access and permissions can easily be managed as a group or role instead of going through each individually.
Don’t ever say, “we’ll cross that bridge once we get to it.” There’s no shortcut for security, so today is the day you’ll learn IAM best practices.
For a quick, all-cards-on-the-table summary, the top 10 IAM best practices include:
- Adopt the principle of least privilege
- Enforce multifactor authentication (MFA)
- Periodically rotate access keys
- Use temporary security credentials
- Regularly audit logs
- Grant permissions by roles
- Deprovision unused IAM accounts
- Leverage Separation of Duties
- Properly manage administrator credentials
- Safeguard root user account
Let’s dive deeper.
“What we should actually be doing is thinking about what are our key controls that will mitigate the risks. How do we have those funneled and controlled through the team that we have, how do we work through that in a well-formatted, formulated process, and pay attention to those controls we have chosen? Not a continual, add more, add more, add more.” — Dr. Chris Pierson, CEO, Binary Sun Cyber Risk Advisors, at SecureWorld Charlotte.
Top 13 Security Best Practices in IAM
1. Adopt the principle of least privilege
One of the basic IAM best practices you should adopt is being extra stingy when handing out privileges. There’s even a principle for that. The Principle of Least Privilege restricts granted user privileges to only what’s necessary to complete a given task. It states that a user or program should operate with the least privileges possible. The primary goal is to limit potential damages from an accident or error.
- If a user doesn’t need access to complete the task, they shouldn’t have the privilege.
This principle helps DevOps and security teams substantially reduce the blast radius of a vulnerability or attack by cutting down on the permissions linked to an account.
So, the IAM cloud best practice is to grant only the exact amount of privileges required to perform a task. To take it a bit further with a better approach, continuously maintain the least privilege and get alerted when a change occurs.
2. Enforce multifactor authentication (MFA)
Multifactor authentication adds an extra layer of protection against cyber threats by complicating the hacking process. Therefore, it’s the cornerstone of security at a fundamental level.
With MFA enabled, even if a malicious actor steals an account’s credentials, they won’t be able to verify a valid identity without a physical or virtual MFA token. As a general rule of thumb and cloud IAM security, activate MFA for all your cloud accounts.
AWS IAM best practice: When you configure MFA for the root user, it applies to only root user credentials. Since IAM users in your account are distinct identities with different credentials, each has its own MFA configuration.
Also, see the GCP uniform MFA enforcement doc.
3. Periodically rotate access keys
Users in a cloud account should regularly rotate access tokens as an IAM security best practice. Rotating Identity Access Management (IAM) credentials significantly minimize the risk of compromising credentials. Rotation shortens the activeness period of an access key, making it expire within the designated schedule.
The process involves:
- Creating new access tokens.
- Changing the old tokens used by your applications.
- Deleting the old tokens.
Like changing credentials, periodically changing API tokens also limits the damage an exposed API token can cause.
How often should you rotate access keys?
You should rotate your access keys every 90 days or less, like 45 days. A cyber asset security solution can automate the process for you and continuously check the rotation status of your tokens.
4. Use temporary security credentials
Another Identity Access Management best practice is using temporary security credentials instead of long-term access to your cloud environment. You should use temporary credentials whenever and wherever possible.
This can be achieved with IAM roles, which grant access to your cloud account through short-term credentials. Authorized identities can this way assume roles to make a request. Suggested reading: What is Assume Role in AWS?
5. Regularly audit logs
As an IAM cloud best practice, you should regularly audit your logs to identify anomalies in time and prevent potential attacks or exposure. Typically, cloud providers provide specific ways to audit logs. Google Cloud users, for example, can Cloud Audit Logs to regularly audit changes. AWS users, on the other hand, can monitor the account activity of specific IAM users, roles, and AWS access keys by using either of the following solutions:
- AWS CloudTrail event history
- Amazon Athena queries
- Amazon CloudWatch Logs Insights
An alternative method is using a comprehensive cloud security solution like Resmo, which allows querying resources (including logs) and automatically evaluates multi-cloud assets for security best practices.
You might also find CloudTrail Best Practices helpful.
6. Grant permissions by roles
We briefly mentioned assuming roles under Using Temporary Credentials, but it’s worth underlining. As opposed to using an administrator identity to perform regular tasks, designate new roles for different tasks that can be assumed when needed.
Assuming roles require tokens or sessions which are temporary and can be revoked. Therefore it’s less risky than giving out long-term credentials to just anyone. You know, caution is parent to safety.
7. Deprovision unused IAM accounts
Ultimately, it’s best to de-provision all identities when you no longer need them. Some identities, for example, might never be used or belong to a former employee. These dormant IAM accounts lead to attack surface expansion and serious vulnerabilities like ticking bombs ready to explode if spotted by a threat actor.
8. Leverage Separation of Duties (SoD)
Another identity access management best practice to avoid security or privacy incidents is to separate duties. Let’s dig into what that means. The separation of Duties (SoD) concept ensures that no user has enough permissions to misuse. It could be an action such as accessing and decrypting data that should not normally be available to that user.
Ultimately, segregation of duties requires breaking down tasks into multiple tasks or having more than one person complete the tasks. It can be enforced in the following ways:
- Statically: i.e., by defining conflicting roles or roles that can’t be performed by the same person
- Dynamically: i.e., by enforcing the control at access time
It might be challenging to achieve with limited staff. Still, it surely has benefits like prevention of abuse, fraud, or error as well as detection of control failures such as security breaches.
9. Properly manage administrator credentials
As one of the access control best practices, ensure that administrator credentials strictly belong to the administrators and no one else. Give each admin their own admin account to log in to the Admin console instead of using the same account. Otherwise, you wouldn’t be able to tell who is responsible for a certain activity even though you see the activity in the audit log.
10. Safeguard root user account
The root user account has access to and control over everything in a cloud environment, even your billing information. Unlike Identity and Access Management users and groups, it’s not possible to reduce an AWS root user’s permissions or restrict access. Therefore, it’s imperative that you protect AWS root user keys at all costs. If a malicious user has access to your root user credentials, such as a disgruntled employee or contractor, they can cause irreversible damage.
- Do not create access keys for the root user unless it’s definitely required.
- Instead, use the account email and password to open the Management Console, create an IAM user for yourself, then grant it admin privileges.
- If you still choose to keep the root user access key, you should rotate it every 90 days or less.
- Ensure the root user account complies with cloud security best practices like activating MFA.
11. Secure user access keys
Access keys are long-term credentials for IAM users or AWS account root users. These keys provide programmatic sign-in requests to a cloud environment. As an IAM best practice, it’s recommended that you use temporary credentials, a.k.a. IAM roles, instead of long-term ones like access keys.
- Do not generate access keys for the root user account.
- There might be access keys that were created and forgotten about. If you use access keys, make sure to put automation in place to detect and delete unused and inactive keys.
- Regularly rotate the access keys.
- Do not provide access keys to any third parties.
12. Adopt a zero-trust policy
Zero Trust relies on these core principles “never trust, always verify.” Adopting a Zero-Trust security strategy goes hand in hand with IAM best practices because Zero Trust architecture’s foundational rule applies least-privilege access.
13. Continuously audit cloud IAM security
Last but not least, Identity and Access Management best practice is acknowledging that security at all levels requires continuity. You should be able to tell if your cloud environment follows these IAM best practices whenever anything goes sideways. This can be done with a third-party cyber asset attack surface management tool like Resmo.
Resmo seamlessly integrates with AWS, GCP, and Azure and collects all your cloud resources, including IAM resources like IAM groups, IAM roles, and IAM policies, in a single asset directory, making them visible for security.
Automate checking if your IAM or other cloud resources comply with the security best practices, query, and visualize them.
Examples of IAM security rules on Resmo:
- AWS IAM User access keys must be rotated in 45 days
- MFA should be enabled for all AWS IAM users
- Unused AWS IAM user credentials in 45 or greater days should be removed
- Ensure a log metric filter and alarm exist for IAM policy changes
- AWS IAM Access Keys that are unused in 45 days must be disabled
You can sign up for Resmo for free and give it a quick test run to see how well-protected your cloud resources are!
Cloud IAM security FAQ
1. What are the best practices for IAM?
IAM best practices include:
- Adopting the Principle of Least Privilege.
- Separation of Duties.
- Enforcing MFA.
- Protecting your root user account.
- Securing access keys.
- Using temporary credentials.
2. What is the best practice for IAM authorization?
Use temporary security credentials, such as granting access through IAM roles, instead of giving long-term credentials, which can easily be used as an attack vector.
3. What are the 4 components of IAM?
The 4 main components of IAM are:
- Access Management
- Privileged Account Management
- Identity Administration
- Access Governance