Identity and Access Management
Identity and access management is an important part of an information security program: it ensures that only authenticated and authorized users access cloud resources, and only in the manner intended. For example, policies applied to users, groups, services and roles allow strong credential management to be implemented. These privilege-management elements form the core of authentication and authorization.
There are several different approaches to consider when addressing identity and access management:
- Protecting cloud credentials
- Fine-grained authorization
Protecting Cloud Credentials
The careful management of access credentials is the foundation of securing resources in the cloud. Every interaction with a cloud provider is authenticated, so establishing appropriate credential management practices and patterns lets users tie the use of cloud services to the development lifecycle and ensures that only the appropriate parties are allowed to act.
The master account identity has access to all cloud services and resources in that account. Use it to establish less-privileged users and role-based access through the Identity and Access Management (IAM) service. This initial account (known as the root user) is not intended for everyday tasks: its credentials must be carefully protected with multi-factor authentication (MFA), and any access keys for it must be deleted once the initial account setup is complete.
For the root user, the best practice is to use this login only to create an initial set of IAM users and groups for longer-term identity management operations. These privileged IAM users, carefully monitored and constrained, are used to assume roles in the account or in other accounts. Devek is able to establish trust with the identity providers already tied to the organization using federation (via SAML 2.0 or web identities). Using federation reduces the need to create users in IAM while leveraging the identities, credentials, and role-based access already established in the organization.
Apply appropriate policies to all IAM users, enforcing the use of strong authentication. Set a password policy that requires a minimum length and complexity for passwords associated with IAM users. Set a mandatory rotation policy requiring IAM users to change their passwords at regular intervals. Require the use of MFA for all IAM users whose passwords permit access to the cloud management console.
IAM users often require access to cloud APIs directly from command-line tools (CLI) or through software development kits (SDKs). In these cases, where federation might not be practical, an access key ID and secret access key are issued and used in place of, or in addition to, a password. Grant permissions through IAM roles rather than directly to the user: the permissions are attached to the role, and the IAM user assumes that role with MFA enforced. These credentials must be carefully protected and exchanged for temporary credentials whenever possible. Take extra care to avoid storing access keys and secret keys in improperly secured locations or inadvertently committing them to source code repositories.
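As an added example (not code from the original page or from Devek), here is a small scanner of the kind that can run as a pre-commit hook to catch the mistake the paragraph above warns about: long-term access keys landing in a repository. It assumes AWS-style key formats (a 20-character access key ID beginning with AKIA, or ASIA for temporary keys, and a 40-character secret), which the page's terminology matches but does not name. The sample file it scans is constructed, using the placeholder values vendor documentation uses rather than real credentials.

```python
import re
import sys
from dataclasses import dataclass

# Assumption: credentials follow the AWS-style format. Long-term access key
# IDs are 20 characters starting with "AKIA"; temporary ones (issued when a
# role is assumed) start with "ASIA". Both are worth flagging in a commit.
ACCESS_KEY_ID_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# A secret access key is 40 characters of base64-like text. On its own that
# is too noisy, so it is only flagged when a key-like name is on the same line.
SECRET_KEY_RE = re.compile(
    r"(?i)(aws_secret_access_key|secret[_-]?(?:access[_-]?)?key)"
    r"\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    kind: str       # "access_key_id" or "secret_access_key"
    redacted: str   # masked value: enough to locate it, not enough to reuse it


def redact(value: str) -> str:
    """Keep the first and last four characters, mask the rest."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[Finding]:
    """Return every credential-looking value in `text`, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_ID_RE.finditer(line):
            findings.append(Finding(line_no, "access_key_id", redact(m.group(0))))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(line_no, "secret_access_key", redact(m.group(2))))
    return findings


def scan_files(paths: list[str]) -> dict[str, list[Finding]]:
    """Scan each file; the result maps path -> findings (empty list if clean)."""
    results: dict[str, list[Finding]] = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = scan_text(fh.read())
    return results


# Constructed sample: the placeholder values used in vendor documentation,
# not real credentials. A shared credentials file like this is exactly what
# tends to be committed by accident.
SAMPLE_FILE = """\
# constructed sample credentials file
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region = eu-west-1
"""

if __name__ == "__main__":
    # Pre-commit style usage: scan the files given on the command line and
    # fail the commit (exit 1) if anything is found. With no arguments, scan
    # the embedded sample instead.
    if len(sys.argv) > 1:
        per_file = scan_files(sys.argv[1:])
    else:
        per_file = {"<sample>": scan_text(SAMPLE_FILE)}
    total = 0
    for path, findings in per_file.items():
        for f in findings:
            print(f"{path}:{f.line_no}: {f.kind} {f.redacted}")
            total += 1
    sys.exit(1 if total else 0)
```

The report masks every match so the hook's own output never becomes a second place the secret is written down; a match is a signal to rotate the key, not just to delete the line.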
Applying the principle of least privilege ensures that authenticated identities are permitted to perform only the minimal set of functions necessary to fulfill a specific task, while balancing usability and efficiency. Operating on this principle limits the blast radius (the potential impact) of inappropriate use of valid credentials. The principle of least privilege also allows enforcement of separation of duties for oversight and governance, and makes auditing entitlements to cloud resources much simpler.
Define roles and responsibilities for users and applications interacting with cloud services, and implement fine-grained authorization for enforcement of these roles.
Fine-grained Authorization
Fine-grained authorization is implemented using IAM roles and policies. A role is an IAM principal that is assumed by a user or another service and receives temporary credentials scoped to a limited set of permissions. IAM policies are documents that formally state one or more permissions. Policies are attached to users, groups, and roles to create a robust access management framework.
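To make the mechanics concrete, here is an added example (not code from the page or from Devek) of a small evaluator for IAM-style JSON policy documents. It models the three rules that make fine-grained authorization and least privilege work: requests are denied by default, an explicit Deny overrides any Allow, and Action and Resource patterns match by wildcard. It also models enough of the Condition element to express the rule from the credentials section above, "deny everything unless MFA was used". The service prefix, resource identifiers and policy contents are constructed for the example; the condition key aws:MultiFactorAuthPresent and the Bool/BoolIfExists operators follow AWS naming, which is an assumption since the page does not name a provider.

```python
import fnmatch

# Teaching model of IAM-style policy evaluation (an added example, not a
# provider's real engine). Rules kept: default deny, explicit Deny wins over
# Allow, "*" and "?" wildcards in Action/Resource. Only the Bool and
# BoolIfExists condition operators are modelled.


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM patterns use "*" and "?"; fnmatchcase provides those (and "[...]",
    # which real policies never contain). Matching is case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition, context):
    """True when every clause of the Condition block is satisfied."""
    for operator, clauses in (condition or {}).items():
        if operator not in ("Bool", "BoolIfExists"):
            return False  # unsupported operator: fail closed, never widen access
        for key, expected in clauses.items():
            if key not in context:
                if operator == "BoolIfExists":
                    continue  # "...IfExists": a missing key satisfies the clause
                return False  # plain Bool: a missing key does not
            if str(context[key]).lower() != str(expected).lower():
                return False
    return True


def evaluate(policies, action, resource, context=None):
    """Decide one request against all policies attached to the principal.

    Returns "Allow" or "Deny". `context` carries request facts such as
    whether MFA was used, keyed like IAM condition keys.
    """
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt.get("Resource", "*"), resource):
                continue
            if not _condition_holds(stmt.get("Condition"), context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"      # explicit deny is final, whatever else allows
            allowed = True
    return "Allow" if allowed else "Deny"   # nothing matched: default deny


# Constructed policies. The service prefix "storage:" and the "arn:example:"
# resource scheme are made up for the example.
READ_REPORTS_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["storage:Get*", "storage:List*"],
        "Resource": "arn:example:storage:::reports/*",
    }],
}

# Attached alongside: denies every action unless the session was opened
# with MFA. BoolIfExists matters because a request made with a long-term
# access key carries no MFA key at all, and that case must still be denied.
REQUIRE_MFA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }],
}

ATTACHED = [READ_REPORTS_ROLE_POLICY, REQUIRE_MFA_POLICY]
REPORT = "arn:example:storage:::reports/q1.csv"
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}

if __name__ == "__main__":
    for label, action, resource, ctx in [
        ("read report, MFA session ", "storage:GetObject", REPORT, MFA_SESSION),
        ("read report, no MFA key  ", "storage:GetObject", REPORT, {}),
        ("write report, MFA session", "storage:PutObject", REPORT, MFA_SESSION),
    ]:
        print(f"{label}: {evaluate(ATTACHED, action, resource, ctx)}")
```

The role policy grants only the read actions on the one resource prefix it needs, so a write, or a read elsewhere, falls through to the default deny; the MFA policy sits beside it and wins whenever it applies. The same shape is how a guard-rail policy is attached in practice: the narrow Allow describes the job, the broad conditional Deny describes the precondition.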