Slide 15
Copyright(C) NRI Netcom, Ltd. All rights reserved.
(Reference) Cases where AWS IAM security best practices are not being applied (No. 4 to 6)
Anti-patterns from security best practices in AWS IAM
◼ Update access keys when needed for use cases that require long-term credentials
➢ Don't rotate access keys for use cases that require long-term credentials
In principle, we recommend not using access keys at all, but there are cases where they are used, for example for access from applications. If such an access key is never rotated and is leaked, a third party can keep using the credentials for as long as the key remains valid.
◼ Follow best practices to protect your root user credentials
➢ Not following best practices for protecting root user credentials (frequent use of the root user, creating access keys for it, not configuring MFA, unauthorized use, etc.)
Because the root user has full administrative privileges that, in principle, cannot be restricted, using it frequently, creating an access key for it, leaving MFA unconfigured, or allowing it to be used without authorization raises the risk that the root user's credentials are leaked.
◼ Apply least-privilege permissions
➢ Applying non-least-privilege (unnecessary) permissions
There is a risk that excessive permissions are granted "because they are necessary," which could lead to operational mistakes.
On the other hand, if you prohibit functions you actually need out of a stance of "not using any function that seems even slightly dangerous," you will be unable to perform necessary operations.
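A way to check an account for the anti-patterns in No. 4 and No. 5 (stale long-term access keys, root user access keys, root user without MFA) is to evaluate the IAM credential report. The following is an added example, not code from the original slides: it parses a constructed credential report (real column names, fake account data; in practice the report comes from `aws iam generate-credential-report` / `aws iam get-credential-report`) and lists the findings. The 90-day threshold is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample of an IAM credential report: real column names (a subset
# of the full report), fake account ID, users and dates.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,true,false,true,2020-06-01T00:00:00+00:00,false,N/A
app-batch,arn:aws:iam::111122223333:user/app-batch,2021-03-01T00:00:00+00:00,false,false,true,2023-01-15T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-05-01T00:00:00+00:00,true,true,true,2024-05-20T00:00:00+00:00,false,N/A
"""


def find_iam_anti_patterns(report_csv, now, max_key_age_days=90):
    """Return (user, description) findings for the credential report rows.

    now must be a timezone-aware datetime; max_key_age_days is an assumed
    rotation policy (90 days here), not a value from the slides.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if user == "<root_account>":
            # No. 5: root user should have MFA and no access keys at all.
            if row["mfa_active"] != "true":
                findings.append((user, "root user has no MFA"))
            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] == "true":
                    findings.append((user, f"root user has active access key {n}"))
            continue
        # No. 4: active long-term keys must be rotated within the policy window.
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = row[f"access_key_{n}_last_rotated"]
            if rotated == "N/A":  # key slot never used
                continue
            age = now - datetime.fromisoformat(rotated)
            if age > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated for {age.days} days"))
    return findings


if __name__ == "__main__":
    # Fixed "now" so the output is reproducible for the constructed data.
    for user, issue in find_iam_anti_patterns(SAMPLE_REPORT, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(f"{user}: {issue}")
```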