AWS User Management

Introduction

In order to keep your AWS environment secure while allowing your users to properly utilize resources, you must ensure that users are correctly created with proper permissions. Also, you must monitor your environment to ensure that unauthorized access does not occur and accounts are up to date.

User Account Creation and Management

AWS IAM allows you to create separate users, groups and roles to access your AWS resources (see AWS Identity and Access Management for more information). These user accounts may be created through the GUI console, the AWS Command Line Interface or API calls.

You should constantly monitor user access to your AWS account. Using CloudTrail (see below) and other logging methods, you will be able to determine which users are active within your environment, what services they are using and, from failed requests, what permissions they may need.

It is important to remove any IAM users and access keys which are not in use. Accounts and access keys may be disabled if the user is temporarily not active but may return. Passwords and access keys should be changed frequently to limit the chance of a compromise.
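One way to find the unused and overdue credentials described above is to audit the IAM credential report (the CSV returned by `aws iam get-credential-report`). This is an added example, not code from the original post; the 90-day thresholds, the function names and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime, timezone

MAX_IDLE_DAYS = 90      # assumed threshold, not from the article
MAX_KEY_AGE_DAYS = 90   # assumed threshold, not from the article

# Constructed sample in the credential report's CSV format (subset of columns).
SAMPLE_REPORT = """user,password_enabled,password_last_used,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,true,2024-05-28T09:00:00+00:00,true,2024-04-01T00:00:00+00:00,2024-05-30T10:00:00+00:00,false,N/A,N/A
bob,true,2023-11-02T08:00:00+00:00,true,2023-01-15T00:00:00+00:00,2023-12-01T00:00:00+00:00,false,N/A,N/A
ci-deploy,false,N/A,true,2024-03-20T00:00:00+00:00,N/A,true,2022-06-01T00:00:00+00:00,2024-05-31T00:00:00+00:00
"""

def age_days(value, now):
    """Days since an ISO 8601 timestamp; None for N/A, no_information, etc."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None

def audit(report_csv, now):
    """Return (user, credential, finding) tuples for idle or old credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            idle = age_days(row["password_last_used"], now)
            if idle is None or idle > MAX_IDLE_DAYS:  # never used counts as unused
                findings.append((user, "password", "unused"))
        for n in ("1", "2"):
            key = f"access_key_{n}"
            if row[f"{key}_active"] != "true":
                continue  # already disabled; nothing to flag
            idle = age_days(row[f"{key}_last_used_date"], now)
            age = age_days(row[f"{key}_last_rotated"], now)
            if idle is None or idle > MAX_IDLE_DAYS:
                findings.append((user, key, "unused"))
            if age is not None and age > MAX_KEY_AGE_DAYS:
                findings.append((user, key, "rotate"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(*finding)
```
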

Password Policy

In order to keep your AWS user accounts secure, you must have a strong password policy. AWS allows you to control the complexity of passwords used by your users. Through the AWS Console, CLI or APIs, you are able to control:

  • Minimum password length
  • Required character types (uppercase, lowercase, numbers, etc.)
  • If users can change their own password
  • If user passwords expire
  • If passwords can be reused
  • If an IAM user must contact an administrator if their password has expired

Please note that if you require your users to contact an administrator when their password expires, you should have at least two users with administrator (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Robert Johnson. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/Z7YpVbXZQJg/