Security best practices in IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

Security best practices in IAM

The Amazon Identity and Access Management best practices were updated on July 14, 2022.

To help secure your Amazon resources, follow these best practices for Amazon Identity and Access Management (IAM) .

Require human users to use federation with an identity provider to access Amazon using temporary credentials

Human users, also known as human identities, are the people, administrators, developers, operators, and consumers of your applications. They must have an identity to access your Amazon environments and applications. Human users that are members of your organization are also known as workforce identities. Human users can also be external users with whom you collaborate, and who interact with your Amazon resources. They can do this via a web browser, client application, mobile app, or interactive command-line tools.

Require your human users to use temporary credentials when accessing Amazon. You can use an identity provider for your human users to provide federated access to Amazon accounts by assuming roles, which provide temporary credentials. For centralized access management, we recommend that you use Amazon IAM Identity Center (successor to Amazon Single Sign-On) (IAM Identity Center) to manage access to your accounts and permissions within those accounts. You can manage your user identities with IAM Identity Center, or manage access permissions for user identities in IAM Identity Center from an external identity provider. For more information, see What is Amazon IAM Identity Center (successor to Amazon Single Sign-On) in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

For more information about roles, see Roles terms and concepts.

Require workloads to use temporary credentials with IAM roles to access Amazon

A workload is a collection of resources and code that delivers business value, such as an application or backend process. Your workload can have applications, operational tools, and components that require an identity to make requests to Amazon Web Services, such as requests to read data. These identities include machines running in your Amazon environments, such as Amazon EC2 instances or Amazon Lambda functions.

You can also manage machine identities for external parties who need access. To give access to machine identities, you can use IAM roles. IAM roles have specific permissions and provide a way to access Amazon by relying on temporary security credentials with a role session. Additionally, you might have machines outside of Amazon that need access to your Amazon environments. For machines that run outside of Amazon you can use Amazon Identity and Access Management Roles Anywhere. For more information about roles, see IAM roles. For details about how to use roles to delegate access across Amazon Web Services accounts, see IAM tutorial: Delegate access across Amazon accounts using IAM roles.

Require multi-factor authentication (MFA)

We recommend using IAM roles for human users and workloads that access your Amazon resources so that they use temporary credentials. However, for scenarios in which you need IAM or root users in your account, require MFA for additional security. With MFA, users have a device that generates a response to an authentication challenge. Each user's credentials and device-generated response are required to complete the sign-in process. For more information, see Using multi-factor authentication (MFA) in Amazon.

If you use IAM Identity Center for centralized access management for human users, you can use the IAM Identity Center MFA capabilities when your identity source is configured with the IAM Identity Center identity store, Amazon Managed Microsoft AD, or AD Connector. For more information about MFA in IAM Identity Center see Multi-factor authentication in the Amazon IAM Identity Center (successor to Amazon Single Sign-On) User Guide.

Rotate access keys regularly for use cases that require long-term credentials

Where possible, we recommend relying on temporary credentials instead of creating long-term credentials such as access keys. However, for scenarios in which you need IAM users with programmatic access and long-term credentials, we recommend that you rotate access keys. Regularly rotating long-term credentials helps you familiarize yourself with the process. This is useful in case you are ever in a situation where you must rotate credentials, such as when an employee leaves your company. We recommend that you use IAM access last used information to rotate and remove access keys safely. For more information, see Rotating access keys.

There are specific use cases that require long-term credentials with IAM users in Amazon. Some of the use cases include the following:

  • Programmatic use cases that cannot use IAM roles – You might run code from a location that needs to access Amazon. In some situations, you can't use IAM roles to provide temporary credentials, such as for WordPress plugins. In these situations, use IAM user long-term access keys for that code to authenticate to Amazon.

  • Third-party Amazon clients – If you are using tools that don’t support access with IAM Identity Center, such as third-party Amazon clients or vendors that are not hosted on Amazon, use IAM user long-term access keys.

  • Amazon CodeCommit access – If you are using CodeCommit to store your code, you can use an IAM user with either SSH keys or service-specific credentials for CodeCommit to authenticate to your repositories. We recommend that you do this in addition to using a user in IAM Identity Center for normal authentication. Users in IAM Identity Center are the people in your workforce who need access to your Amazon accounts or to your cloud applications. To give users access to your CodeCommit repositories without configuring IAM users, you can configure the git-remote-codecommit utility. For more information about IAM and CodeCommit, see Using IAM with CodeCommit: Git credentials, SSH keys, and Amazon access keys. For more information about configuring the git-remote-codecommit utility, see Connecting to Amazon CodeCommit repositories with rotating credentials in the Amazon CodeCommit User Guide.

  • Amazon Keyspaces (for Apache Cassandra) access – In a situation where you are unable to use users in IAM Identity Center, such as for testing purposes for Cassandra compatibility, you can use an IAM user with service-specific credentials to authenticate with Amazon Keyspaces. Users in IAM Identity Center are the people in your workforce who need access to your Amazon accounts or to your cloud applications. You can also connect to Amazon Keyspaces using temporary credentials. For more information, see Using temporary credentials to connect to Amazon Keyspaces using an IAM role and the SigV4 plugin in the Amazon Keyspaces (for Apache Cassandra) Developer Guide.

Safeguard your root user credentials and don't use them for everyday tasks

When you create an Amazon Web Services account you establish a root user name and password to sign in to the Amazon Web Services Management Console. Safeguard your root user credentials the same way you would protect other sensitive personal information. You can do this by configuring MFA for your root user credentials. We don't recommend generating access keys for your root user, because they allow full access to all your resources for all Amazon Web Services, including your billing information. Don’t use your root user for everyday tasks. Use the root user to complete the tasks that only the root user can perform. For the complete list of these tasks, see Tasks that require root user credentials in the Amazon General Reference. For more information, see Best practices to protect your account's root user in the Amazon Account Management User Guide.

Apply least-privilege permissions

When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions. You might start with broad permissions while you explore the permissions that are required for your workload or use case. As your use case matures, you can work to reduce the permissions that you grant to work toward least privilege. For more information about using IAM to apply permissions, see Policies and permissions in IAM.

Get started with Amazon managed policies and move toward least-privilege permissions

To get started granting permissions to your users and workloads, use the Amazon managed policies that grant permissions for many common use cases. They are available in your Amazon Web Services account. Keep in mind that Amazon managed policies might not grant least-privilege permissions for your specific use cases because they are available for use by all Amazon customers. As a result, we recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases. For more information, see Amazon managed policies. For more information about Amazon managed policies that are designed for specific job functions, see Amazon managed policies for job functions.

Use IAM Access Analyzer to generate least-privilege policies based on access activity

To grant only the permissions required to perform a task, you can generate policies based on your access activity that is logged in Amazon CloudTrail. IAM Access Analyzer analyzes the services and actions that your IAM roles use, and then generates a fine-grained policy that you can use. After you test each generated policy, you can deploy the policy to your production environment. This ensures that you grant only the required permissions to your workloads. For more information about policy generation, see IAM Access Analyzer policy generation.

Regularly review and remove unused users, roles, permissions, policies, and credentials

You might have IAM users, roles, permissions, policies, or credentials that you no longer need in your Amazon Web Services account. IAM provides last accessed information to help you identify the users, roles, permissions, policies, and credentials that you no longer need so that you can remove them. This helps you reduce the number of users, roles, permissions, policies, and credentials that you have to monitor. You can also use this information to refine your IAM policies to better adhere to least-privilege permissions. For more information, see Refining permissions in Amazon using last accessed information.

Use conditions in IAM policies to further restrict access

You can specify conditions under which a policy statement is in effect. That way, you can grant access to actions and resources, but only if the access request meets specific conditions. For example, you can write a policy condition to specify that all requests must be sent using SSL. You can also use conditions to grant access to service actions, but only if they are used through a specific Amazon Web Service, such as Amazon CloudFormation. For more information, see IAM JSON policy elements: Condition.

Verify public and cross-account access to resources with IAM Access Analyzer

Before you grant permissions for public or cross-account access in Amazon, we recommend that you verify if such access is required. You can use IAM Access Analyzer to help you preview and analyze public and cross-account access for supported resource types. You do this by reviewing the findings that IAM Access Analyzer generates. These findings help you verify that your resource access controls grant the access that you expect. Additionally, as you update public and cross-account permissions, you can verify the effect of your changes before deploying new access controls to your resources. IAM Access Analyzer also monitors supported resource types continuously and generates a finding for resources that allow public or cross-account access. For more information, see Previewing access with IAM Access Analyzer APIs.

Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions

Validate the policies you create to ensure that they adhere to the IAM policy language (JSON) and IAM best practices. You can validate your policies by using IAM Access Analyzer policy validation. IAM Access Analyzer provides more than 100 policy checks and actionable recommendations to help you author secure and functional policies. As you author new policies or edit existing policies in the console, IAM Access Analyzer provides recommendations to help you refine and validate your policies before you save them. Additionally, we recommend that you review and validate all of your existing policies. For more information, see IAM Access Analyzer policy validation. For more information about policy checks provided by IAM Access Analyzer, see IAM Access Analyzer policy check reference.

Establish permissions guardrails across multiple accounts

As you scale your workloads, separate them by using multiple accounts that are managed with Amazon Organizations. We recommend that you use Organizations service control policies (SCPs) to establish permissions guardrails to control access for all IAM users and roles across your accounts. SCPs are a type of organization policy that you can use to manage permissions in your organization at the Amazon organization, OU, or account level. The permissions guardrails that you establish apply to all users and roles within the covered accounts. However, SCPs alone are insufficient to grant permissions to the accounts in your organization. To do this, your administrator must attach identity-based or resource-based policies to IAM users, IAM roles, or the resources in your accounts. For more information, see Amazon Organizations, accounts, and IAM guardrails.

Use permissions boundaries to delegate permissions management within an account

In some scenarios, you might want to delegate permissions management within an account to others. For example, you could allow developers to create and manage roles for their workloads. When you delegate permissions to others, use permissions boundaries to set the maximum permissions that you delegate. A permissions boundary is an advanced feature for using a managed policy to set the maximum permissions that an identity-based policy can grant to an IAM role. A permissions boundary does not grant permissions on its own. For more information, see Permissions boundaries for IAM entities.