This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask the community

AWS Best Practices: IAM Policies and Password Policies

jhwong
Moderator
Moderator
‎07-28-2021 09:57 PM

Continuing our blog series on AWS Best Practices, we've published two additional blogs looking at real-world AWS environments and practices around IAM policies and password policies, along with easy steps you can take to reduce. Our findings include:

- 4% of IAM policies grant full admin privileges

- 47%-67% of IAM users are using inline or directly attached policies

- 73% of account password policies have password length < 14 characters

- 80% of IAM user accounts have a password reuse setting < 24 times

 

Here are some concrete steps that can be taken to reduce risk related to IAM Policies and Password Policies:

  1. Create IAM Policies and roles with only the minimum privileges necessary. 
  1. Inline policies should be replaced with managed roles that are centrally managed.
  1. IAM Policies should be attached to groups or roles, instead of users.
  1. Customize your AWS Password Policy and do not use the default.
  2. Increase the password length to at least 14, and set the password reuse to 24.
  3. Especially for larger environments, using a federated identity system or by isolating all IAM Users in one account and granting cross-role access, will allow centralized management of user accounts and password policies.

Along with our prior blog posts on root account security  and IAM User security, these latest blog posts round out our look at IAM Best Practices for AWS. In the near future, we'll be publishing additional blogs around AWS best practices around networking, storage, and logging.

 

What are your thoughts on the following?

  • Do you have adequate visibility into your AWS environment configurations? If so, what tools are you using?
  • Are compliance/configuration check frameworks (e.g. CIS Benchmarks) useful for your compliance efforts? Security/risk reduction efforts?
  • Do you have metrics and KPIs that help you measure progress over time?
  • What can Netskope do better to assist in your efforts?

We'd love to hear about your experiences with locking down IAM and how we can help at Netskope.

 

 

0 Likes
Subscribe
Labels

Popular Articles

Here are some of the popular articles from this blog.

cover-image

By mferguson

Netskope Administration for Departing Users View More
cover-image

By Bharath-Murali

Introducing the new "Notification Portal" !!! View More

In order to view this content, you will need to sign in to your account. Simply click the "Sign In" button below

Sign In