4 Policies and procedures for secure access


This chapter covers

  • Creating best practices to improve and evaluate your IAM configuration
  • Applying least privilege access control to reduce risk in the event of an attack
  • Evaluating credential expiration times to balance security and convenience
  • Reviewing IAM resources periodically to ensure your configuration is secure

As we saw in chapters 2 and 3, there are multiple ways to do the same thing in IAM. You can grant permissions directly to a user or have them applied through a group. You can write a policy inline on the user, or you can attach a managed policy. The last chapter explained how to do all of these things, but it didn’t explain when to do them. I wish I could say this chapter had the answer to when you should use each of the features of IAM. Unfortunately, it’s not that easy. There are trade-offs to every feature, and when you should use them largely depends on the needs of your organization. This chapter will help you create your own best practices for how and when to use different features of IAM.
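To make the "multiple ways to do the same thing" concrete, here is a small added example (not code from the book or from AWS) that models how IAM combines permissions from the four routes named above: an inline policy on the user, a managed policy attached to the user, an inline policy on a group, and a managed policy attached to a group. All users, groups, policy ARNs and the account id are constructed sample values. The evaluator is deliberately simplified: it applies only identity-based policies, supports `*` wildcards in actions and resources, ignores `Condition` blocks, resource-based policies, permission boundaries and SCPs, and uses the core IAM rule that an explicit Deny from any source wins over any Allow, with everything else implicitly denied.

```python
from fnmatch import fnmatchcase

# Constructed sample managed policies, keyed by ARN (account id is a placeholder).
ACCOUNT = "123456789012"
READ_ARN = f"arn:aws:iam::{ACCOUNT}:policy/ReadReportsBucket"
DENY_DELETE_ARN = f"arn:aws:iam::{ACCOUNT}:policy/DenyDeleteReports"

READ_DOC = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::reports/*"}],
}
MANAGED_POLICIES = {
    READ_ARN: READ_DOC,
    DENY_DELETE_ARN: {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "s3:DeleteObject",
                       "Resource": "arn:aws:s3:::reports/*"}],
    },
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value):
    # Simplification: case-insensitive '*' / '?' matching for both actions and ARNs.
    return fnmatchcase(value.lower(), pattern.lower())


def evaluate(statements, action, resource):
    """Simplified IAM decision: explicit Deny > Allow > implicit deny."""
    allowed = False
    for stmt in statements:
        if (any(_matches(a, action) for a in _as_list(stmt.get("Action", [])))
                and any(_matches(r, resource) for r in _as_list(stmt.get("Resource", [])))):
            if stmt["Effect"] == "Deny":
                return "Deny"  # a matching Deny from any source ends evaluation
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def effective_statements(user, groups):
    """Gather every statement reaching `user` through all four grant routes."""
    stmts = []
    for doc in user.get("inline_policies", {}).values():      # route 1: user inline
        stmts += doc["Statement"]
    for arn in user.get("managed_policies", []):             # route 2: user managed
        stmts += MANAGED_POLICIES[arn]["Statement"]
    for group_name in user.get("groups", []):
        group = groups[group_name]
        for doc in group.get("inline_policies", {}).values():  # route 3: group inline
            stmts += doc["Statement"]
        for arn in group.get("managed_policies", []):         # route 4: group managed
            stmts += MANAGED_POLICIES[arn]["Statement"]
    return stmts


def decide(user, groups, action, resource):
    return evaluate(effective_statements(user, groups), action, resource)


# Constructed principals: four users granted s3:GetObject by a different route each,
# plus one user whose broad inline Allow is overridden by a Deny inherited from a group.
GROUPS = {
    "analysts-inline": {"inline_policies": {"read": READ_DOC}},
    "analysts-managed": {"managed_policies": [READ_ARN]},
    "no-delete": {"managed_policies": [DENY_DELETE_ARN]},
}
USERS = {
    "u_inline": {"inline_policies": {"read": READ_DOC}},
    "u_managed": {"managed_policies": [READ_ARN]},
    "u_group_inline": {"groups": ["analysts-inline"]},
    "u_group_managed": {"groups": ["analysts-managed"]},
    "u_denied": {
        "inline_policies": {"all-s3": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
        "groups": ["no-delete"],
    },
}

if __name__ == "__main__":
    obj = "arn:aws:s3:::reports/q1.csv"
    for name, user in USERS.items():
        print(f"{name:16} GetObject -> {decide(user, GROUPS, 's3:GetObject', obj)}")
    print(f"{'u_denied':16} DeleteObject -> {decide(USERS['u_denied'], GROUPS, 's3:DeleteObject', obj)}")
```

Running it shows the first four users reaching the same `Allow` for `s3:GetObject` regardless of which route granted it, which is why the choice between them is an organisational trade-off rather than a question of capability; the last user shows the one rule that is not a matter of taste, namely that a Deny attached anywhere in the chain overrides an Allow attached anywhere else.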

4.1 Establishing best practices for IAM

4.1.1 Why create best practices?

4.1.2 Best practices example: MFA

4.1.3 Enforceable best practices

4.2 Applying least privilege access control

4.2.1 Why least privilege is hard

4.2.2 Policy wildcards

4.2.3 AWS managed policies

4.2.4 Shared permissions (groups and managed policies)

4.3 Choosing between short- and long-lived credentials

4.3.1 The risk of long-lived credentials

4.3.2 Trade-offs associated with credential rotation

4.3.3 A balance with IAM roles

4.4 Reviewing IAM permissions