Best IAM Practices for User & Permission Management
Question
While using IAM within AWS, they recommend a list of best practices to be used while managing Users & their permissions.
Which of the IAM practices are best to be chosen? Select TWO.
Answers
Explanations
Click on the arrows to vote for the correct answer
A. B. C. D. E.Correct Answers: C and E.
Option A is incorrect.
The principle of “Grant Least Privilege” suggests providing least & granular access to any User for accessing AWS services.
This will help enhance security of the system and prevent users from performing malicious / accidental tasks within the AWS environment that may compromise the system.
Option B is incorrect.
It's always best to see what kind of access the user requires.
If a user does not use the Command Line Interface (CLI), it's best to avoid giving him access to Access Keys.
SImilarly, if an user only uses the CLI for development, he should be prohibited from accessing the AWS admin console using a password.
Option C is CORRECT.
Roles provide temporary access to AWS services & they dont require to share the Access Keys.
A role that is created may be assigned a definite set of permissions for accessing different services.
The service that uses the role actually assumes the role with which it can perform actions on another service.
This way, we can induce granular permissions as well as prevent long lived Access Keys from being compromised.
Option D is incorrect.
Cross account access are scenarios where users in one Account would like to access services of other Accounts.
Eg An user may use AWS Partner solutions to interact with a Customer's Account for monitoring it or do some orchestration.
Access keys are long lived credentials for which the AWS Partner must ensure to manage those keys by rotating them frequently to avoid them from being compromised.
Roles defined with temporary access permissions when given to the user for accessing the Customer's account will be a best practice here without having to provide Access keys.
Option E is CORRECT.
Root accounts that are created should have their Access Keys locked to prevent compromising them.
Root Accounts have complete Access Privileges to access different AWS resources.
The best practice will be to create an IAM User, Assign required permissions & login as that user for accessing AWS services.
Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.htmlWhen managing users and their permissions within AWS, it is recommended to follow best practices to ensure security and proper access control. Here are the two best IAM practices to choose:
C. Within AWS, services should use roles for accessing other services: AWS provides an IAM feature called "roles," which enables services to access other services. When a role is created, permissions can be granted to the role instead of assigning permissions to individual users. Roles can be assumed by users, services, or AWS resources, allowing them to access the resources that the role has been granted permissions for. This practice ensures that users and services only have access to the specific resources they need, and permissions can be easily modified or revoked as necessary.
E. While creating an AWS Account, it's best to create an IAM user and use that Account: When creating an AWS account, it is recommended to create an IAM user with a strong password and use that user to perform daily tasks, rather than using the root account. The root account has full access to all resources and should only be used for account management tasks. By creating an IAM user, you can assign specific permissions to that user, making it easier to manage access control and security. Additionally, using an IAM user allows you to easily revoke access to a user when they leave the organization, without affecting the root account.
The other answer choices are not recommended IAM practices:
A. An IAM user should be given default access to all services for being able to develop & deliver applications quickly: Giving a user default access to all services is not recommended since it can create security risks, and it is unnecessary for most users. Instead, it is recommended to grant users access to only the services and resources they need to perform their job functions.
B. Users should be provided both Passwords & Access keys within the AWS environment: Providing both passwords and access keys is not recommended since access keys should be used for programmatic access only, and not shared with users. Instead, users should be provided with a username and password to access the AWS Management Console, and access keys should be restricted to only those users who need them.
D. For cross-account access, it is best to share the Access Keys when one Account needs to access services of another Account: Sharing access keys between accounts is not recommended since it can create security risks. Instead, cross-account access should be granted using IAM roles or AWS Security Token Service (STS) to ensure that users and services have the appropriate level of access to the resources they need.
