The cloud appeals to many organisations because it makes it quick and easy to start new services, scale them up or down according to demand and turn them off when they’re no longer needed. But that ease of use means a business can quickly find itself with hundreds or thousands of user identities to manage and keep secure.
That’s why identity management is so important. If you’ve migrated to Amazon Web Services (AWS), or are planning a migration soon, you should understand the AWS best practices for identity management. And that starts with understanding the AWS Shared Responsibility Model. In this, AWS is responsible for security of the cloud – all of the cloud hardware, software and other infrastructure you use – while you are responsible for security in the cloud.
How do you do this? It means using identity management to provide fine-grained access control over who can – and can’t – use your cloud resources, including when to allow access and how much access to permit. You can do this through user provisioning: by specifying different users, roles and groups, and by establishing appropriate access policies for all of them.
Every new AWS account starts with a root user – this is the first and most powerful identity that’s established when the account is created. Although this is a vital and fundamental identity, you should use your root credentials for only a few critical tasks, such as changing your contact information, viewing certain kinds of tax invoices or closing your AWS account. That’s because your root credentials can’t be restricted: they’re essentially the keys to your cloud kingdom. Lose control of these and your entire presence in the cloud is at risk. Carefully guard these credentials, so confidential information can be only accessed by the right people.
For daily tasks in the cloud, you’ll want to designate different users, roles and groups using AWS Identity and Access Management (IAM).
When you create an IAM user, you specify a policy that gives certain permissions to a certain individual or service (for example, IAM users can be used by automations). This approach establishes long-term credentials for that user: unless you later change those permissions, that person or service will continue to have access to the resources you’ve designated. But this comes with a downside: if you have hundreds or thousands of IAM users, you have hundreds or thousands of individuals and services to keep track of and manage user access for as their needs change or they leave the organisation.
One solution to this? Use IAM groups instead. This lets you specify permissions for many users at once. And if someone’s need for access changes or they leave the organisation, you don’t need to change their individual permissions – simply remove that person from the group.
Another approach is to create IAM roles, which have certain permissions but are specific not to an individual or service but to the tasks and access required. Using this approach, privileged access for any particular individual or service is limited to a short term – they can use the resources in question only with temporary credentials that allow them to assume that role.
Finally, you can authenticate users and manage access using identity federation. Like single sign-on, this approach aims to simplify identity management. Instead of multiple IAM systems for all business processes, you have a single IAM system that lets users access many different resources like business applications without having to verify and authenticate their identity each time. Federated identity relies on a trusted identity provider that establishes credentials once for each user, and then authenticates that user for third parties.
Whichever approach you use for identity management, remember to follow best practices by using multi-factor authentication and regularly rotated passwords for added security.
It should be clear by now that strong identity management practices are not only vital in the cloud but require constant attention. If you’d prefer to focus on your core business and let someone else manage the details of IAM on AWS, a managed service provider or partner can support you.
Here at SoftwareOne, we provide that support using two different models: the service provider account model (SPAM) and the end customer account model (ECAM). With the SPAM model, we hold the root credentials for your master account as well as for all linked accounts. In the ECAM approach, we own your root credentials, but you can directly control your linked accounts and their root credentials.
In either case, of course, your organisation maintains ownership of all your workloads. We control the root credentials because we’re in charge of the AWS billing relationship for your account, which also allows us to obtain certain discounts for you on AWS services. By doing this, we also provide strong security. We follow the four-eyes principle, which means that no one individual at SoftwareOne has access to both your root user password and your multi-factor authentication. And any changes made to your root credentials are logged and audited.
These strategies protect you from common security issues, such as a malicious employee who might try to lock you out of account access or who tries to use your cloud resources for crypto mining.
As the move to the cloud has accelerated in recent years, with organisations adding ever more accounts on hyperscalers like AWS, good identity management practices are more important than ever. For example, one customer we recently began working with had nearly 300 AWS accounts – that’s a potentially daunting number of users, roles and groups to manage and keep secure and up to date.
As a Premier AWS Partner with expertise in everything from DevOps and security to migration and FinOps, we’re committed to continually evolving our services to meet our customers’ needs. In fact, we’re working to develop new services that will automate some aspects of IAM to make it even easier and more efficient to manage permissions and identities in the cloud.
Want to learn more about IAM or review your current practices around managing identities and access on AWS?
SoftwareOne’s AWS experts can help ensure you’re following best practices.
SoftwareOne’s AWS experts can help ensure you’re following best practices.
