All articles in
Identity and Access Management
AWS Users
Security in the cloud starts with Identity and Access Management as it is the foundation for any secure computing environment. In this article, we will discuss AWS users. In AWS, a user as a form of an identity can take the following two forms- Root user and IAM user.
Root User
The Root User is the super admin user that gets automatically created as part of the AWS account sign up process. AWS asks for the root email address and password during the account creation process. Due to the nature of the Root user being the single identity with which you start your AWS account, this user has complete access to all AWS services and by design there is no way to reduce the permissions applied to this user.
IAM Users
So, we have learned that the root user is extremely powerful and its credentials must be carefully safeguarded, and should not be used for day-to-day activities. Then, which user is to be used for day-to-day activities- yes, the answer is the IAM user. The IAM user can have scoped down privileges to exactly match what is needed to perform the job duties of the impersonating user or service. This is made possible by assigning IAM policies with specific permissions to the IAM user.
Access Keys
An easy way of impersonating these users to access AWS APIs is by signing in to the AWS console using username and password. While the username/password for AWS root user is created as part of the account sign-up process, the one for AWS IAM user is created by the Root user or any other IAM user with relevant permissions from the AWS IAM dashboard. The password used is based on a default password policy but can be and should be updated based on the password requirements of your business.
The other way to impersonate these users and an important one to be mindful of from a security perspective is via AWS Access keys. Access keys are kind of like the username-password combo but their two elements are called – access key id (similar to username) and secret access key (similar to password), and these are auto-generated by AWS for the relevant user on your request. The productivity relevance of these keys is that they can be used to access AWS APIs from the command-line or from a non-AWS application. And the security relevance of these keys is that they are permanent credentials i.e. they don’t have an expiry date and can last forever unless deactivated and deleted.
Credentials Report
Finally, an important feature to keep in mind with AWS Users is the AWS Credentials Report which can be downloaded from the AWS IAM console, and contains a list of all AWS users including Root. Along with the users, it also contains the status of all the credentials for that user including passwords, access keys, MFAs, etc. This report can be used by auditors as evidence for compliance to credential management requirements.
Lab Demo
Ok, enough with the text, some screen share time. In the below lab walk through, we will login to AWS and see the key differences between Root user and IAM user and how to access them via AWS access keys. We will also look at the Password policy for IAM and the Credentials Report.
Security tidbits
Summary of security best practices to keep in mind regarding AWS users:
AWS Users
Security tidbits
- Do not use the root user for day-to-day activities as it has complete access to all AWS services
- IAM users are attached to long-term credentials and so they must only be impersonated by a single user to solve for a key security issue of non-repudiation (assurance that someone cannot deny making an action using the IAM user)
- AWS access keys and user passwords are to be rotated on a recurring basis
- Create a strict password policy per your organizational requirements in the IAM section
- Regularly audit the AWS users and their compliance to credential management policies using the AWS Credentials report