IAM Best Practices and Security Audit

This final lesson brings together everything we have covered and provides a comprehensive set of best practices for IAM security, along with tools and techniques for auditing your AWS environment.

---

IAM Best Practices Checklist

1. Protect the Root User

The root user has unrestricted access to everything in your account. Treat it like the master key to a building:

• Enable MFA on the root user immediately after account creation.
• Do not create access keys for the root user.
• Never use the root user for day-to-day tasks.
• Use a strong, unique password and store it in a secure password manager.
• Set up account-level alternative contacts (billing, operations, security) so the root email is not needed for routine communications.

2. Create Individual IAM Users

Every person who needs access to your AWS account should have their own IAM user. This ensures:

• Accountability — CloudTrail logs show exactly who performed each action.
• Credential independence — disabling one user does not affect others.
• Tailored permissions — each user gets only what they need.

3. Use Groups for Permissions

Attach policies to groups rather than individual users. This simplifies management and ensures consistency.

4. Apply Least Privilege

Grant only the permissions needed for each role. Start with no permissions and add as required, using specific actions and scoped resources.

5. Enable MFA Everywhere

Enable MFA for all users with console access. Use MFA conditions in policies for sensitive operations.

6. Use Roles for Applications

Never embed access keys in application code. Use IAM roles for EC2 instances, Lambda functions, ECS tasks, and any other compute service.

7. Rotate Credentials Regularly

• Access keys: Rotate every 90 days. Use the credential report to identify old keys.
• Passwords: Enforce rotation through password policies.
• Secrets: Use Secrets Manager for automatic rotation.

8. Use Strong Password Policies

Configure an account-wide password policy:

aws iam update-account-password-policy \
  --minimum-password-length 14 \
  --require-symbols \
  --require-numbers \
  --require-uppercase-characters \
  --require-lowercase-characters \
  --max-password-age 90 \
  --password-reuse-prevention 24

9. Remove Unused Credentials

Regularly review and remove:

• IAM users who have not signed in for 90+ days
• Access keys that have not been used for 90+ days
• MFA devices that are no longer in use

10. Use Policy Conditions

Add conditions to policies to restrict access by IP address, region, time of day, MFA status, or tags.

---

Security Auditing Tools

AWS provides a comprehensive set of tools for auditing IAM security:

IAM Credential Report

A downloadable CSV report listing every IAM user and their credential status:

aws iam generate-credential-report
aws iam get-credential-report --output text --query Content | base64 --decode > report.csv

The report includes:

• User creation date
• Password enabled and last used
• Access key status, creation date, last used, and last rotated
• MFA enabled status

Review this report at least monthly.

IAM Access Analyzer

Access Analyzer continuously monitors your resource-based policies and identifies resources shared with external entities. It can also:

• Generate policies based on actual usage patterns from CloudTrail logs.
• Validate policies against best practices before deployment.
• Detect unused access — identify permissions that have been granted but never used.

AWS CloudTrail

CloudTrail records every API call made in your account. For IAM auditing:

• Who signed in and when — ConsoleLogin events.
• What actions were performed — every API call is logged.
• Which credentials were used — access key IDs and role session names.
• Whether MFA was used — included in the sign-in event.

Enable CloudTrail in all regions and store logs in a protected S3 bucket with versioning and MFA delete enabled.

AWS Config

AWS Config evaluates your resources against rules. Relevant IAM rules include: