Best practices and tools for AWS IAM
Every new AWS account starts with a root user – this is the first and most powerful identity that’s established when the account is created. Although this is a vital and fundamental identity, you should use your root credentials for only a few critical tasks, such as changing your contact information, viewing certain kinds of tax invoices or closing your AWS account. That’s because your root credentials can’t be restricted: they’re essentially the keys to your cloud kingdom. Lose control of these and your entire presence in the cloud is at risk. So carefully guard these credentials.
For daily tasks in the cloud, you’ll want to designate different users, roles and groups using AWS Identity and Access Management (IAM).
When you create an IAM user, you specify a policy that gives certain permissions to a certain individual or service (for example, IAM users can be used by automations). This approach establishes long-term credentials for that user: unless you later change those permissions, that person or service will continue to have access to the resources you’ve designated. But this comes with a downside: if you have hundreds or thousands of IAM users, you have hundreds or thousands of individuals and services to keep track of and manage access for as their needs change or they leave the organisation.
One solution to this? Use IAM groups instead. This lets you specify permissions for many users at once. And if someone’s need for access changes or they leave the organisation, you don’t need to change their individual permissions – simply remove that person from the group.
Another approach is to create IAM roles, which have certain permissions but are specific not to an individual or service but to the tasks and access required. Using this approach, access for any particular individual or service is limited to a short term – they can use the resources in question only with temporary credentials that allow them to assume that role.
Finally, you can authenticate users and manage access using identity federation. Like single sign-on, this approach aims to simplify identity management through a single system that lets users access many different resources without having to verify and authenticate their identity each time. Federated identity relies on a trusted identity provider that establishes credentials once for each user, and then authenticates that user for third parties.
Whichever approach you use for identity management, remember to follow best practices by using multi-factor authentication and regularly rotated passwords for added security.