IAM Security Best Practices


Time: 19 hours 19 minutes
Difficulty: Intermediate
CEU/CPE: 20
Video Transcription
>> We're almost at the end of this module. Before we wrap it up, I want to go through a quick best practices overview so that you have a chance to review all the high-level things that we've talked about. Make sure you got all the key takeaways before jumping into your work or your exam, whatever it is that you're preparing for. Learning objectives for this lesson are going to be to describe best practices and make sure we review that before ending this module.

Now, here are the best practices to remember. Number 1, do not use your root account. We did talk about this. There are situations where it's probably okay if it's like your personal account or maybe you're just doing it for testing or something like that. That's probably okay. But it's honestly never advised. [LAUGHTER] I would never do it. For my personal accounts, I always use my own user account within my account. I don't use the root account, so it literally takes you a few extra minutes to just create that additional account. You can always save your root account credentials in a password manager app or something like that. Just don't use it. Don't use your root account.

Rule number 2, one IAM account per user. Do not share your credentials. If you're doing that, just stop right now. Just don't do that. That goes for not only IAM, but everything aside from maybe your Netflix password or something like that. [LAUGHTER] But when it comes to work, it's never a good idea to share your credentials with anyone because honestly, if something were to go wrong and somebody else was using your account, it could look bad on you. It could reflect on your work and you weren't even the one that did it. It's just better to keep things clean and simple and separated out. It doesn't cost anything to have another user account. It just takes a little bit of extra time to create a user account for every user. Just go ahead and do that.

Rule number 3. Assign users to groups and assign permissions to the groups. This makes it easy to scale as the users pile into your AWS account. You can always assign it to individual users. If you know that your AWS account is not going to be used by a lot of people, if it's just for a really small team, maybe for short-term use or something like that, that's fine. But if you have any inclination that this could be used at a greater scale, go ahead and start architecting your access and identity management now for success in the future later. You can do that by creating those users and assigning the users to groups and assigning the permissions to the groups themselves.

Rule number 4, maintain a strong password policy and MFA, multi-factor authentication. You can also audit these things using IAM tools. Make sure you do that because if you're noticing that there are weak passwords, that's a really easy entry for someone to brute force into one area of your AWS account and leverage the permissions for that particular user account. If there's no MFA, well, that's just even easier, to be honest. MFA is a really good security control to mitigate access leakage, or just hackers going into your environments in general, because they don't have that separate one-time passcode that is typically on a mobile phone or something like that. Just get that policy rolled out. Make sure that everyone is following that and you'll be much better off.

For the next rule, if you need to grant extra access or elevated access to a particular user, use a role. Don't just assign it to the user itself because there's a good chance you're going to forget that you did that. We all get busy. We get flyby requests all the time as Cloud engineers and security engineers. If you have somebody that needs to have elevated permissions, just assign them a role, make sure it's temporary, and they'll be much better off that way.

For the last rule, audit the IAM user permissions on a regular basis. Now, what does that mean? Regular basis? That depends on your organization. That depends on your capabilities as a team. If you work in a regulated environment, they do set rules for you where you have to do it every so many months. I think it's like 90 days for FedRAMP, but it all depends. It ultimately depends on what you're capable of doing. The main point is make sure that you're coming through and you are taking out any of those excess-permission user accounts, user accounts that are no longer being used, things like that. Just making sure that you go through and clean it all up.

To summarize, we discussed some of the best practices that you can use when working in IAM. That wraps up this lesson. I'll see you guys in our conclusion.