AWS Identity and Access Management (IAM) assigns granular AWS permissions to individuals and applications. Misconfiguration from AWS IAM has resulted in many high profile data breaches. When configured correctly, AWS is very secure. Still, it’s very easy to make a mistake in your configuration that will expose essential data and put your business at high risk. It is estimated that around 73% of companies have AWS IAM misconfigurations. To read more about the importance of IAM in general, you can read this article.
Even if it’s easy to get onboarded on AWS and its various services like S3, EC2, IAM, RDS are easy to work with, a single IAM mistake can compromise your environment, data, and ultimately user privacy.
In this post, I will cover the Top 6 AWS IAM misconfigurations that can easily be avoided by your DevOps team.
- Usage of Root account access keys
- Tie root accounts to certificates
- Root account certificate rotation
- MFA for every root account
- Password rotation on root accounts
- MFA on user accounts
List of Top 6 AWS IAM Misconfigurations
Usage of Root account’s access keys
The very first misconfiguration is where we all make mistakes using the root account’s access key. The root account has full permissions across the entire account. Root accounts should not have access keys. Also, it certainly shouldn’t access any service. Instead, create IAM users with predefined roles.
So, try not to use Root’s account access keys in your setup, which is required for a better security posture.
Tie root accounts to certificates
The second most common misconfiguration is tieing root accounts to certificates. Certificates should not be tied with root accounts. Compliance with this policy is also required for PCI, HIPAA, APRA, MAS, NIST.
Root account certificate rotation
Not rotating certificates that are tied to the root account is another misconfiguration. Certificates tied with root accounts need rotation. It is also a requirement to enable CBP, HIPAA, APRA, MAS, and NIST compliance. It is crucial to rotate root accounts if they are tied with certificates.
MFA for every root account
Multi-factor Authentication is strongly recommended to be enabled for every account with no exceptions. In this CBP, NIST, AICPA, ISO 27001, compliances are required. Lack of MFA can expose your confidential client information to breaches.
Password rotation on root accounts
Another most common misconfiguration made is not changing your root account password. Ensure that your root account password is rotated every few days. This ensures the safety and keeps your data safe. CBP, NIST are the compliance standards required for this.
Password rotation should be done every 30 days to be safe from any security breaches.
MFA on user accounts
MFA must be enabled on user accounts. AWS recommends that you configure multi-factor authentication (MFA) to help protect your AWS resources.
Users with console login should be asked to log in and enabled Multi-factor authentication for their accounts.
AWS IAM is one of the most complex services in any cloud environment. These are the few AWS IAM misconfigurations, and most of them are not very difficult to fix. The consequences of misconfiguration can be avoided by properly understanding IAM security. Try these steps to keep your data secure.
How can Cloudanix help with AWS IAM Misconfigurations?
Cloudanix provides you with the AWS IAM recipe that does regular audits and notifies you if you have any of the above AWS IAM misconfigurations. To explore our AWS IAM audit recipe, you can start by signing up for a free trial here.
Sign up for our newsletter
We love newsletters! And for our audience, we have put one together. We curate high-quality content and like to share it with you. Sign up below!