Continuing our blog series on AWS Best Practices, we've published two additional blogs looking at real-world AWS environments and practices around IAM policies and password policies, along with easy steps you can take to reduce. Our findings include:
- 4% of IAM policies grant full admin privileges
- 47%-67% of IAM users are using inline or directly attached policies
- 73% of account password policies have password length < 14 characters
- 80% of IAM user accounts have a password reuse setting < 24 times
Here are some concrete steps that can be taken to reduce risk related to IAM Policies and Password Policies:
Create IAM Policies and roles with only the minimum privileges necessary.
Inline policies should be replaced with managed roles that are centrally managed.
IAM Policies should be attached to groups or roles, instead of users.
Customize your AWS Password Policy and do not use the default.
Increase the password length to at least 14, and set the password reuse to 24.
Especially for larger environments, using a federated identity system or by isolating all IAM Users in one account and granting cross-role access, will allow centralized management of user accounts and password policies.
Along with our prior blog posts on root account security and IAM User security, these latest blog posts round out our look at IAM Best Practices for AWS. In the near future, we'll be publishing additional blogs around AWS best practices around networking, storage, and logging.
What are your thoughts on the following?
Do you have adequate visibility into your AWS environment configurations? If so, what tools are you using?
Are compliance/configuration check frameworks (e.g. CIS Benchmarks) useful for your compliance efforts? Security/risk reduction efforts?
Do you have metrics and KPIs that help you measure progress over time?
What can Netskope do better to assist in your efforts?
We'd love to hear about your experiences with locking down IAM and how we can help at Netskope.