Security in AWS IAM

2021-03-14

When to think about Security in AWS?

One of the first things you should do when building for AWS is start thinking about security. You have to be on your toes right from the beginning. In the cloud, security cannot be an afterthought; the consequences of failing to consider it from the ground up are serious.

Starting with AWS Account

Do not jump to the AWS site and start creating an AWS Account yourself. Find out who the right authority is to own the AWS Account.

When setting up an AWS Account

There are many things to consider and undertake when setting up an AWS Account. Here is a list of things you should ask or guide your Partner/IT Admin to do when setting up a new AWS Account.

AWS IAM Setup

Once an AWS Account has been set up and an 'admin' user is in place, the Lead Developer can start to set up the environment in AWS. The first thing the Lead Developer needs to do is log in as the 'admin' user, change its password, and start creating AWS IAM Groups and a separate IAM User for each team member who requires access to AWS. Never share one IAM User between people: with a shared identity you lose any record of who actually performed an action.

IAM Groups

Start with AWS IAM Groups. A Group is used to manage access for a set of users: you attach a set of access policies to the Group and then add users to it. All users in a Group receive the same access as defined by the policies attached to the Group, which makes administering users and their access easy.

IAM Policies

An AWS IAM Policy is a JSON document that defines permissions: it states which actions are allowed or denied on which resources. Avoid policies with broad, sweeping access and operate from the principle of least privilege. Note that the "Version" field is not a date of your choosing; IAM only accepts "2012-10-17" (or the older "2008-10-17"), and the JSON must be valid, with no trailing commas.

Broad policy - Do NOT use

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Granular policy - Recommended

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
            "Resource": [
                "arn:aws:s3:::projectX",
                "arn:aws:s3:::projectX/*"
            ]
        }
    ]
}

Note the two Resource entries: s3:ListBucket and s3:GetBucketLocation are evaluated against the bucket ARN, but s3:GetObject is evaluated against object ARNs (bucket/key), so without the "projectX/*" entry the GetObject grant would silently never match.

IAM Roles

An IAM Role is also an IAM identity with specific permissions. It is like an IAM User, but differs in that a Role does not belong to one person; it is meant to be assumed by whoever needs it, and whoever assumes it receives temporary credentials rather than long-lived access keys. So, for example, an EC2 instance can assume an IAM Role to perform some task, and a user can likewise assume an IAM Role to perform some task. Which principals may assume a Role is controlled by the Role's trust policy, and that document deserves the same least-privilege scrutiny as the permissions policy. See the illustration below.
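To make the least-privilege checks from the IAM Policies and IAM Roles sections concrete, here is an added example (not code from the original post): a small offline linter for IAM policy documents. It flags the broad "Allow * on *" pattern, an invalid "Version" value, an s3:GetObject grant that is pointed only at a bucket ARN, and a role trust policy whose Principal is "*". The sample policies are constructed for this example; the bucket name projectX is assumed from the post, and the rule set is deliberately small.

```python
"""Offline linter for IAM policy documents (added example, not from the post)."""
import json

# The only Version values IAM accepts; anything else is rejected by the API.
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def _as_list(value):
    """IAM lets Action, Resource and Principal.AWS be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document):
    """Return a list of finding strings for one IAM policy.

    `document` may be a dict or a JSON string. An empty list means the
    policy passed every check in this small rule set.
    """
    policy = json.loads(document) if isinstance(document, str) else document
    findings = []

    version = policy.get("Version")
    if version not in VALID_VERSIONS:
        findings.append(f"Version {version!r} is not valid; use '2012-10-17'")

    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only ever narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))

        # The "broad policy" pattern from the post: Allow * on *.
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: Allow Action '*' on Resource '*' "
                            "grants full access to the whole account")
        else:
            for action in actions:
                if action == "*" or action.endswith(":*"):
                    findings.append(f"statement {i}: wildcard action {action!r}; "
                                    "list the specific API actions needed")

        # s3:GetObject is evaluated against object ARNs (bucket/key), so a
        # bare bucket ARN never matches and the grant silently does nothing.
        if "s3:GetObject" in actions and not any(
                r == "*" or "/" in r for r in resources):
            findings.append(f"statement {i}: s3:GetObject needs an object ARN "
                            "such as arn:aws:s3:::bucket/*, only bucket ARNs given")

        # Trust-policy check: who is allowed to assume the role?
        principal = stmt.get("Principal")
        aws_principals = (
            ["*"] if principal == "*"
            else _as_list(principal.get("AWS")) if isinstance(principal, dict)
            else [])
        if "*" in aws_principals:
            findings.append(f"statement {i}: Principal '*' lets any AWS account "
                            "assume this role")
    return findings


# Constructed sample policies for this example.
BROAD = {"Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Granular read-only grant on the assumed bucket projectX, bucket and objects.
GRANULAR = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": ["arn:aws:s3:::projectX", "arn:aws:s3:::projectX/*"]}]}

# Same intent, but GetObject points at the bucket ARN only and Version is wrong.
BUCKET_ONLY = {"Version": "2021-01-01", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:GetBucketLocation"],
    "Resource": "arn:aws:s3:::projectX"}]}

# Trust policy letting EC2 instances assume the role (the post's EC2 case).
TRUST_EC2 = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Trust policy that any AWS account could satisfy.
TRUST_OPEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    for name, doc in [("BROAD", BROAD), ("GRANULAR", GRANULAR),
                      ("BUCKET_ONLY", BUCKET_ONLY), ("TRUST_EC2", TRUST_EC2),
                      ("TRUST_OPEN", TRUST_OPEN)]:
        print(name, lint_policy(doc) or "ok")
```

Run it against a policy file with `lint_policy(open("policy.json").read())`; a clean result means only that these particular rules passed, not that the policy is minimal, so still review the action list against what the workload actually calls.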

VPC

Recommendations