AWS IAM – Best Practices

AWS IAM – Best Practices


We recommend you to follow few best practices while using AWS Identity and Access Management ( IAM ). Adhere to IAM best practices to manage AWS users, groups, permissions, and credentials in order to make your AWS account as secure as possible. Following these best practices can help you maintain the security of your AWS resources.

1.Use IAM users instead of your root account

Do not use your AWS root account to access AWS. Instead, create individual IAM users to access your AWS account. This allows you to give each IAM user a unique set of security credentials and grant different permissions to each user.

2.Enable AWS CloudTrail to get logs of API calls

Enable logging of AWS API calls to gain greater visibility into user’s activity in your AWS resources. Logging lets you see which actions users have taken and which resources have been used, along with details such as time and date of actions and also the actions that have failed because of inadequate permissions.

3.Manage permissions with groups

Assign permissions to groups instead of to users to make it easier for you to assign and reassign permissions to multiple users at the same time. As people in your company change job roles, you can simply change which IAM group each IAM user belongs to.

4.Least privilege to be assigned

Apply fine-grained permissions to ensure that IAM users have least privilege to perform only the tasks they need to perform. Start with a minimum set of permissions and grant additional permissions as necessary. Using conditions also can prevent your AWS users from accidentally performing privileged actions.

5.Configure a strong password policy

Configure password expiration, strength, and reuse which will ensure that your users and your data are protected by strong credentials. For enhanced security, use a strong password policy together with multi-factor authentication (MFA)—see the ninth IAM best practice below.

6.Rotate security credentials regularly

Change your own passwords and access keys regularly, and make sure that all IAM users in your AWS account do as well. You can apply a password policy to your AWS account to require all your IAM users to rotate their passwords, and you can choose how often they must do so.

7.Enable multi-factor authentication (MFA) for privileged users

Supplement user names and passwords by requiring a one-time password during authentication. This allows you to enable extra security for privileged IAM users (users who are allowed access to sensitive resources).

—Samta Jain (Business Development), TechMinfy!!