IAM Account Strategies

AWS IAM account audit checklist - DigitalCloudAdvisor

We know that account strategies can become a bit overwhelming, which is why we are here to help.

At DigitalCloudAdvisor, we implemented the following IAM Account strategy for a medium-sized company in the United Kingdom.

One of the key challenges for the customer was managing access to their resources in a secure, compliant, and scalable way.

To address this challenge, we implemented a hierarchical IAM structure on AWS. This structure is composed of the following elements:

  • AWS accounts: Each customer has a root account that manages all other accounts in the organization.
  • Organizational units (OUs): OUs are used to group accounts by department, region, or other criteria.
  • IAM roles: Roles are used to assign permissions to users, groups, and AWS services.

In addition to the hierarchical structure, we also implemented the following access control mechanisms:

  • RBAC (Role-Based Access Control): RBAC controls resource access based on the user’s role. It is best suited for scenarios where access is granted based on a user’s job function or responsibilities.
  • ABAC (Attribute-based access control): ABAC controls access to resources based on the user’s attributes, such as location, device type, or other factors. It is best suited for scenarios where access is granted based on a user’s context.
  • PBAC (Policy-Based Access Control): PBAC is used to control access to resources based on a set of predefined policies. It is best suited for scenarios where access is granted based on a user’s compliance with a set of predefined rules.

Background

Identity and Access Management (IAM) is a critical component of any cloud-based infrastructure, as it enables organizations to control who has access to their resources and what actions they can perform. AWS IAM provides a flexible and secure way for organisations to manage access to their AWS resources, such as Amazon S3 buckets, Amazon EC2 instances, and Amazon RDS DB instances.

Method

To implement IAM for our customers, we followed a structured approach that involved the following steps:

  1. Requirement gathering: We worked with the customer to understand their business requirements and use cases for access control.
  2. Hierarchical structure design: We designed a hierarchical IAM structure that met the customer’s needs.
  3. Role creation and assignment: We created IAM roles and assigned them to users, groups, and AWS services.
  4. Access control implementation: We implemented Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) mechanisms to control access to resources.
  5. Security enhancements: We configured Multi-Factor Authentication (MFA) for all privileged users to increase security.
  6. Monitoring and recording: We implemented AWS Config to monitor and record changes to the IAM structure.

Results

As a result of these efforts, the customer was able to securely and scalably manage access to their resources on AWS. They could also comply with their regulatory requirements and improve their overall security posture.

  1. The hierarchical structure allowed the customer to easily manage access to their resources based on their organisational structure.
  2. The use of RBAC, ABAC, and PBAC enabled the customer to control access to resources based on the role of the user, their attributes, and predefined policies.
  3. The implementation of MFA and AWS Config ensured the security of the customer’s resources and the recording of all changes to the IAM structure for compliance purposes.

The customer wanted a way to automate the process while staying stringent on security practices, so in addition to the steps previously mentioned, we also took the following steps to automate the IAM implementation process:

  1. We used AWS CloudFormation to automate the creation and management of IAM resources such as users, groups, and roles. This allowed us to provision IAM resources quickly and to change them consistently and repeatably.
  2. We used AWS Lambda and Step Functions to automate the provisioning of IAM roles and permissions based on predefined policies. This enabled us to automatically grant or revoke resource access based on specific events or conditions.
  3. We used AWS Secrets Manager to automate the management of access keys and secrets for IAM users and roles. This allowed us to automatically rotate access keys and secrets regularly, improving security and reducing the risk of unauthorised access.
  4. We integrated AWS IAM with AWS Single Sign-On (SSO) to automate the process of authenticating users and granting them access to resources. This allowed us to use existing identity stores, such as Active Directory or Okta, to authenticate users and automatically provision IAM roles and permissions based on their role in the organisation.
  5. We set up AWS Config rules to monitor and alert us to any changes to the IAM structure. This allowed us to quickly detect and respond to any configuration drift.

Automating the IAM implementation process significantly reduced the time and effort required to provision and manage IAM resources. This also helped ensure that the customer’s resources were secure and that all changes to the IAM structure were recorded for compliance purposes. This automation also helped improve the customer’s security posture and meet regulatory requirements.

In conclusion, implementing IAM on AWS is a critical step for organisations looking to secure and manage access to their resources in the cloud. We implemented a hierarchical IAM structure on AWS that includes Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Policy-Based Access Control (PBAC) mechanisms.

We also added security enhancements like MFA and monitoring and recording mechanisms using AWS Config. We automated the process using AWS CloudFormation, Lambda, Step Functions, Secrets Manager, SSO and Config rules. As a result of these efforts, the customer was able to securely and scalably manage access to their resources on AWS, comply with their regulatory requirements and improve their overall security posture. This shows that with proper planning and execution, IAM can be implemented effectively on AWS to provide a secure and compliant environment for the organisation’s resources.

RBAC (Role-Based Access Control)

RBAC is a method of controlling access to resources or operations within an IT system based on the roles of users within an organization. Users are assigned specific roles, and each role is associated with a set of permissions that define what the users in that role are allowed to do within the system. This allows for a more granular and flexible approach to managing access than other methods, such as access control lists or permissions that are assigned directly to individual users.

ABAC (Attribute-based access control)

ABAC is a method of controlling access to resources or operations within an IT system based on a set of attributes or characteristics associated with the user and the resource in question. These attributes can include things like the user’s role, location, or clearance level, as well as the resource’s sensitivity or classification. Access is granted or denied based on the evaluation of policies, which are sets of rules that define the conditions under which access should be granted or denied based on the attributes of the user and resource. ABAC is considered more flexible than role-based access control (RBAC) because it allows for more fine-grained access control based on a wide range of attributes.
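On AWS, ABAC is expressed with tag-based condition keys: the policy below lets a principal act only on resources whose `project` tag matches their own, and only with MFA present. This is an added example, not the customer's policy; the policy document uses real IAM condition keys, while `is_allowed` is a deliberately minimal model of how IAM resolves these StringEquals/Bool conditions (it ignores Resource ARN matching and is not the IAM engine).

```python
"""ABAC on AWS: a tag-matching IAM policy and a simplified evaluator.

Added example. The policy uses real IAM condition keys; the evaluator is a
minimal model (no Resource matching, only StringEquals and Bool).
"""

# Engineers may start/stop EC2 instances only in their own project, with MFA.
ABAC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {
            "StringEquals": {"aws:ResourceTag/project": "${aws:PrincipalTag/project}"},
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
        },
    }],
}


def _resolve(value, ctx):
    """Substitute a ${key} policy variable from the request context (None if absent)."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1])
    return value


def _condition_holds(condition, ctx):
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                resolved = _resolve(expected, ctx)
                # A missing tag on either side fails the match, as IAM does.
                if actual is None or resolved is None or actual != resolved:
                    return False
            elif operator == "Bool" and (actual is None or actual.lower() != expected.lower()):
                return False
    return True


def is_allowed(policy, action, ctx):
    """True if some Allow statement names the action and its conditions hold."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and action in actions and _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


# Constructed request contexts: the caller's principal tags and the target's tags.
SAME_PROJECT_MFA = {"aws:PrincipalTag/project": "payments", "aws:ResourceTag/project": "payments", "aws:MultiFactorAuthPresent": "true"}
OTHER_PROJECT = {"aws:PrincipalTag/project": "payments", "aws:ResourceTag/project": "billing", "aws:MultiFactorAuthPresent": "true"}
NO_MFA = {"aws:PrincipalTag/project": "payments", "aws:ResourceTag/project": "payments", "aws:MultiFactorAuthPresent": "false"}
```

Note the untagged case: a principal or resource with no `project` tag is denied rather than accidentally matched, which is why tag governance (enforcing the tag at creation) is part of any ABAC rollout.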

PBAC (Policy-Based Access Control)

PBAC is a method of controlling access to resources or operations within an IT system based on the evaluation of policies. These policies are sets of rules that define the conditions under which access should be granted or denied based on various attributes of the user, resource and context of the access request. PBAC allows for more fine-grained access control than other methods, such as role-based access control (RBAC) or access control lists (ACLs), by providing the ability to express complex and dynamic access control decisions. PBAC can be used in conjunction with other access control methods, such as ABAC (Attribute-based access control) and RBAC, to provide a more comprehensive security mechanism.

AWS Config

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. It continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.

AWS Config can be used to:

  • Track changes to the configuration of resources over time
  • Evaluate the current compliance of resources against internal policies or regulatory standards
  • Receive notifications when resources are created, deleted, or changed
  • Automate the process of remediating non-compliant resources

AWS Config supports multiple resource types, including EC2 instances, RDS instances, S3 Buckets, Lambda functions, and IAM policies. It provides a detailed view of your resources’ configuration and allows you to drill down to specific configuration items, such as security groups or IAM policies.

AWS Config can be integrated with other AWS services, such as AWS Lambda and AWS Step Functions, to automate remediating non-compliant resources. It can also be integrated with AWS Systems Manager and AWS CloudFormation to automate provisioning and managing resources.

AWS Config is a powerful tool for monitoring, auditing, and managing the configuration of your AWS resources. It can help you to improve your security posture, comply with regulatory requirements, and reduce the risk of configuration drift.
