
Identity and Access Management is a well-known term in the cybersecurity industry, dating back to the days of the data center and more traditional forms of security. Today, IAM is at the forefront of security in the cloud, as organizations big and small migrate to this new frontier. What is considered an ‘identity’ looks very different in the cloud than it did in the data center. The person identity (i.e. a user) has taken a back seat to non-person identities. These non-person identities are critical entities in day-to-day operations in the cloud, where identity is defined as the new security perimeter. They include pieces of compute, serverless functions, roles, service principals, access keys and more. With this change also comes a change in the way we address risk.

IAM governance should be a priority for DevOps and security teams in the public cloud. Identities have become popular targets in cyberattacks on the cloud. A well-established IAM governance program will significantly reduce the risks of data breaches in our cloud.

Cloud providers like AWS, Azure and GCP do their best to arm their customers with advice on how to bolster their identity management. There are unique AWS IAM best practices, Azure IAM best practices, and GCP IAM best practices, but there are some consistencies in recommendations across the different clouds.

12 IAM Best Practices

Below, we’ll outline the top cloud IAM best practices and the methodology behind them. Regardless of the complexity of your operations, the aim of our best practice recommendations is to make whatever you are doing work out better, faster, and more efficiently with fewer problems and mistakes. Here are just a few best practices to be aware of when working in the cloud.

Centralize IAM

By providing centralized management of all identities and their effective permissions, your organization gains the visibility needed for proper oversight. Centralized IAM makes it easier to enforce policies governing identity and access. This is because an effective centralized approach ensures that privileges are issued in accordance with the policies and controls within your organization’s governance framework. As a result, you can align privileges with your business requirements. This can be extremely difficult when your cloud has several accounts, groups or even multiple cloud platforms. The best way to ensure you’re getting the full picture is leveraging a cloud security platform.

Enforce Least Privilege

The Principle of Least Privilege ensures that users receive only the minimum permissions required to fulfill their roles. Through least privilege, DevOps and security teams can significantly reduce the blast radius in the event of a data breach, because an attacker is restricted to the specific permissions linked to the compromised account.

Ultimately, best practice is to give identities only the exact privileges they need to get their job done. It doesn’t end there: a better practice is to maintain least privilege by continuously monitoring your identities against the least-privilege baseline and alerting when a deviation occurs.

De-provision IAM Accounts

Ideally, all identities should be de-provisioned when they are no longer needed. These may be identities that were never used, or perhaps belonged to an employee who has left the business. Dormant accounts pose a serious risk because they add to your attack surface: they are exploitable entities sitting unused in your environment. A better practice is to automate both the detection and the subsequent de-provisioning of dormant accounts. A CIEM tool can detect such identities and provide intelligent workflows and automation to delete them.

Separation of Duties

Separation of duties (SoD) involves sharing a set of responsibilities and privileges among multiple users with the intention of preventing fraud and error. Separation of Duties has two areas. The first is the prevention of conflicts of interest (real or apparent), wrongful acts, fraud, abuse, and errors. The second is the detection of control failures, including security breaches, information theft, and circumvention of security controls. It is designed to ensure that identities (people and non-people) neither hold conflicting responsibilities nor sit in a position that exposes the organization to risk. Separation of Duties can be difficult to achieve with limited staff, but controls should be put in place to comply with SoD.

Due Diligence of Administrator Credentials

Administrator credentials should strictly belong to administrator identities. A well-known practice is for organizations to restrict administrator accounts to necessary functions and discourage daily usage, but we can take that much further with the power of the cloud. Organizations should consistently inventory all of their identities and associated entitlements. From there, they should certify those that are truly known admin accounts and remediate the ones that aren’t. This forms an identity baseline, which they continuously monitor for deviations in both entitlements and usage. It is vital for organizations to protect the powerful set of permissions linked to administrator credentials, and cloud users should consider additional security tools to help with this process.

Categorize Identity Management

Systematic identity management helps organizations optimize identity and access controls. DevOps can achieve this by sorting identities into groups and roles according to their functions and permissions, and then creating policies that apply to the grouping. Through this categorization, they can manage similar identities effectively without tediously sorting through every single one, a manual process that readily leads to misconfigurations. These IAM misconfigurations often introduce hidden risks in your cloud.

It is best to have complete visibility into all of your identities and their effective permissions. Without this visibility, any identity may receive more access than needed leaving your organization open to unnecessary risks. This sort of visibility comes only from a third-party cloud security platform.

Delegate Permissions by Roles

As opposed to using an admin identity to complete everyday tasks, create new roles for different tasks that are assumed when needed. Assuming a role requires using a token or creating a session, which are only temporary, and therefore less risky than long-term credentials.

Protect User Access Keys

Access keys provide programmatic access to a cloud environment. It is best practice not to share these access key credentials between identities in your account or embed them in code for anyone to find. The access key approach does come with a downside: it provides long-term access for as long as the key exists. Oftentimes we see keys that are created and then forgotten about. If you need to use access keys, a best practice is to put automation in place to delete old and/or inactive keys. If you are looking for an even better practice, create a non-person identity, like an AWS Role, with short-lived access.

Protect Root User Account

The root account has control over everything in your environment and therefore should be under strict protection. It is not possible to reduce the permissions that AWS root user keys provide, so it is paramount that these keys are protected just as you would any other sensitive information. For starters, do not create access keys for the root user unless you absolutely need to. Instead, use the account email and password to sign in to the Management Console and create an IAM user for yourself, granting it administrative privileges. Moreover, if you have an access key for any root user, it’s best to delete it. If you choose to keep the key, you should change it on a regular basis; a 90-day rotation period is recommended. The root user account should also follow the best practices of password creation and management, including activated MFA.

MFA Activation

MFA (multi-factor authentication) provides critical accounts with added security that mitigates cyberthreats by making an attacker’s job considerably harder. As the name suggests, MFA requires more than just remembering a password: it involves having both a physical device and personal knowledge for an individual’s identity to be confirmed. Fundamental access controls can prevent intrusions by most bad actors. These controls verify the identity, then monitor the identity’s usage to ensure it remains within the mandated security parameters and permissions. As a general security best practice, activate MFA for all of your accounts.

Use Temporary Credentials

Access keys provide long-lived access to your environment programmatically as opposed to logging in via the Console using a good old user/password combo. As a general best practice, temporary credentials should be used whenever and wherever possible, not long-lived access. This can be achieved by using IAM roles.

Rotate Access Tokens

Users should regularly rotate access tokens to minimize the risk posed by compromised credentials. The process involves creating a new token, switching the applications that use it over to the new token, and then deleting the old token. Like passwords, regularly changing an API token limits the damage a leaked or misplaced token can cause.
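A defender-side check that turns the access-key guidance above (delete old and inactive keys, rotate on a 90-day cycle, keep access keys off the root user and MFA on) into concrete audit logic. This is an added example, not Sonrai’s code: the sample key records and account summary are constructed in the shape that boto3’s IAM calls (list_access_keys, get_access_key_last_used, get_account_summary) return, and the 60-day inactivity threshold is an assumption rather than a figure from the article.

```python
"""Audit IAM access keys and the root account against the article's guidance: rotate keys older
than 90 days, delete never-used or inactive keys, keep the root user key-free with MFA on. Added
example; records are constructed in the shape boto3's IAM calls return, so it runs offline."""
from datetime import datetime, timedelta, timezone
MAX_KEY_AGE_DAYS = 90   # rotation period recommended in the article
MAX_IDLE_DAYS = 60      # assumed threshold for "inactive" (not from the article)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible
# Constructed sample: AccessKeyMetadata plus LastUsedDate (None = AWS reports "never used").
SAMPLE_KEYS = [
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000001", "Status": "Active",
     "CreateDate": NOW - timedelta(days=30), "LastUsedDate": NOW - timedelta(days=1)},
    {"UserName": "deploy-bot", "AccessKeyId": "AKIAEXAMPLE000000002", "Status": "Active",
     "CreateDate": NOW - timedelta(days=200), "LastUsedDate": NOW - timedelta(days=2)},
    {"UserName": "old-contractor", "AccessKeyId": "AKIAEXAMPLE000000003", "Status": "Active",
     "CreateDate": NOW - timedelta(days=400), "LastUsedDate": None},
    {"UserName": "ci-runner", "AccessKeyId": "AKIAEXAMPLE000000004", "Status": "Inactive",
     "CreateDate": NOW - timedelta(days=10), "LastUsedDate": NOW - timedelta(days=5)},
]
SAMPLE_SUMMARY = {"AccountAccessKeysPresent": 1, "AccountMFAEnabled": 0}  # constructed SummaryMap
def evaluate_key(key, now=NOW, max_age=MAX_KEY_AGE_DAYS, max_idle=MAX_IDLE_DAYS):
    """Findings for one access key; an empty list means the key is compliant."""
    findings = []
    if key["Status"] != "Active":
        return findings  # a disabled key cannot authenticate; delete it in a separate cleanup
    age = (now - key["CreateDate"]).days
    if age > max_age:
        findings.append(f"key older than {max_age} days ({age}d): rotate")
    last = key["LastUsedDate"]
    if last is None:
        findings.append("never used: forgotten key, delete")
    elif (now - last).days > max_idle:
        findings.append(f"unused for {(now - last).days} days: inactive, delete")
    return findings

def evaluate_root(summary):
    findings = []  # root-account findings from the account summary counters
    if summary.get("AccountAccessKeysPresent", 0):
        findings.append("root user has an access key: delete it")
    if not summary.get("AccountMFAEnabled", 0):
        findings.append("root user has no MFA device: enable MFA")
    return findings

def audit(keys=SAMPLE_KEYS, summary=SAMPLE_SUMMARY, now=NOW):
    """Map '<user>/<key id>' (or 'root') to its findings; compliant items are omitted."""
    report = {f"{k['UserName']}/{k['AccessKeyId']}": f
              for k in keys if (f := evaluate_key(k, now))}
    if root := evaluate_root(summary):
        report["root"] = root
    return report
```

Against the constructed data, audit() flags the 200-day-old deploy-bot key for rotation, the never-used contractor key for deletion, and the root user for both findings, while the fresh key and the already-disabled key produce nothing.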

Meet IAM Best Practices with Sonrai

Sonrai Dig has been developed to help organizations improve security, ensure compliance and increase operational efficiencies for their AWS, Azure, GCP, and other cloud platforms. Core to the platform is the ability to gain a centralized and consistent view into cloud identity and data relationships, activity, and data movement across cloud accounts, cloud providers, and third-party data stores. 

If you want a look at how Sonrai handles Identity and Access Management in the cloud, explore our CIEM use case.