2024/8/25 00:00 (JST) Anti-patterns from security best practices in AWS Identity and Access Management (AWS IAM) NRI Netcom, Ltd. Cloud Business Promotion Department Hayato Tan JAWS Pankration 2024

1 Copyright（C） NRI Netcom, Ltd. All rights reserved. Self-introduction ＆ Today’s topic 01 Anti-patterns from security best practices in AWS IAM 02 Summary, References & Appendix 05

2 Copyright（C） NRI Netcom, Ltd. All rights reserved. ◼ NRI Netcom, Ltd. Cloud Business Promotion Department, Cheif ◼ 2024 Japan AWS Ambassador（Associate Ambassador） ◼ 2024 Japan AWS Top Engineers（Security） ◼ AWS Community Builders（Security）since 2023 ◼ 2022 APN AWS Top Engineers（Service） ◼ AWS Certifications ⚫ 2024 Japan ALL AWS Certifications Engineers ◼ Japan ◼ 5 Children Hayato Tan Self-introduction ＆ Today’s topic

3 Copyright（C） NRI Netcom, Ltd. All rights reserved. Today’s Topic Self-introduction ＆ Today’s topic ◼What I'll be talking about today ⚫AWS IAM Security Best Practices/Anti-Patterns ◼What I won't talk about today ⚫AWS IAM Basics ⚫Details of other AWS services such as Amazon Elastic Compute Cloud (EC2) ⚫About AWS re:Inforce 2024 … 1billion API calls per second worldwide

4 Copyright（C） NRI Netcom, Ltd. All rights reserved. Related Terms Self-introduction ＆ Today’s topic ◼ Root Users A user with complete access to all AWS services and resources in an AWS account. ◼ AWS managed policies/Customer managed policies/Inline policies ⚫ AWS managed policies：Standalone policies created and managed by AWS ⚫ Customer managed policies：Self-managed policies that can be attached to principal entities (users, groups, roles) ⚫ Inline policies：A policy embedded in a single IAM identity (user, group, role) ◼ Permissions Boundary A function that allows you to set the scope of access permissions for IAM users and IAM roles. （Source：Permissions boundaries for IAM entities）https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html User

5 Copyright（C） NRI Netcom, Ltd. All rights reserved. Self-introduction ＆ Today’s topic 01 Anti-patterns from security best practices in AWS IAM 02 Summary, References & Appendix 05

6 Copyright（C） NRI Netcom, Ltd. All rights reserved. Is AWS IAM easy to manage? Anti-patterns from security best practices in AWS IAM A. No. It's difficult. • Increasing number of users • Operational errors caused by giving too many permissions • Restricting permissions too much slows down development speed • Information leakage due to leaked authentication information …etc. To address these issues, IAM user/group/policy management and, management of authentication information such as root users and access keys are required.

7 Copyright（C） NRI Netcom, Ltd. All rights reserved. Anti-patterns from security best practices in AWS IAM Anti-patterns from security best practices in AWS IAM The official AWS documentation summarizes security best practices for IAM. We will consider cases where best practices should not be applied, and finally organize anti-patterns. AWS IAM Security Best Practices（No.1~14） https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html Cases where AWS IAM security best practices are not being applied ８cases AWS IAM Security Anti-Patterns ６patterns

8 Copyright（C） NRI Netcom, Ltd. All rights reserved. AWS IAM Security Best Practices Anti-patterns from security best practices in AWS IAM The official AWS documentation summarizes security best practices for IAM. （Source：Security best practices in IAM） https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html No. AWS IAM Security Best Practices 1 Require human users to use federation with an identity provider to access AWS using temporary credentials 2 Require workloads to use temporary credentials with IAM roles to access AWS 3 Require multi-factor authentication (MFA) 4 Update access keys when needed for use cases that require long-term credentials 5 Follow best practices to protect your root user credentials 6 Apply least-privilege permissions 7 Get started with AWS managed policies and move toward least-privilege permissions 8 Use IAM Access Analyzer to generate least-privilege policies based on access activity 9 Regularly review and remove unused users, roles, permissions, policies, and credentials 10 Use conditions in IAM policies to further restrict access 11 Verify public and cross-account access to resources with IAM Access Analyzer 12 Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions 13 Establish permissions guardrails across multiple accounts 14 Use permissions boundaries to delegate permissions management within an account

9 Copyright（C） NRI Netcom, Ltd. All rights reserved. Consider cases where AWS IAM security best practices are not applied Anti-patterns from security best practices in AWS IAM Let's consider what to do if security best practices in IAM are not applied. No. AWS IAM Security Best Practices 1 Require use of federation with identity providers 2 Require IAM roles to use temporary credentials 3 Require multi-factor authentication (MFA) 4 Update your access keys whenever necessary 5 Follow best practices for securing your root user 6 Apply least-privilege permissions 7 Move towards least-privilege permissions 8 Generate least-privilege policies with IAM Access Analyzer 9 Regularly check for and remove unused credentials 10 Use conditions in IAM policies to further restrict access 11 Verify public and cross-account access 12 Verify IAM policies to ensure functional permissions 13 Establish guardrails for permissions 14 Using Permissions Boundaries No. Cases where AWS IAM security best practices are not being applied 1 (Federation with your identity provider may not be available) 2 Use only long-term credentials 3 Don‘t use multi-factor authentication (MFA) for IAM users 4 Don‘t rotate access keys 5 Not following best practices for securing the root user 6 Apply non-least privilege (unnecessary) permissions 7 Don‘t use AWS managed or customer managed policies 8 Generate an IAM policy with unnecessary permissions applied 9 Not periodically checking for unused credentials 10 Same as No.8 11 Don‘t check for public and cross-account access 12 （IAM policy validation may not be enforced） 13 （Guardrails for permissions may not be established） 14 （Permissions Boundaries may not be used）

10 Copyright（C） NRI Netcom, Ltd. All rights reserved. Cases where AWS IAM security best practices are not being applied Anti-patterns from security best practices in AWS IAM Here are some cases where IAM security best practices should not be applied. No. Cases where AWS IAM security best practices are not being applied 1 （Federation with your identity provider may not be available）※Omitted this time 2 Use only long-term credentials（Don‘t use IAM roles to delegate access between AWS accounts） 3 Don‘t use multi-factor authentication (MFA) for IAM users 4 Don‘t rotate access keys for use cases that require long-term credentials 5 Not following best practices for protecting root user credentials（Frequent use of root user, creation of access keys, failure to configure MFA, unauthorized use, etc.） 6 Apply non-least privilege (unnecessary) permissions 7 Don‘t use AWS managed or customer managed policies（Use only inline policies and only AWS managed policies） 8 Generate IAM policies that do not enforce least privilege (unnecessary) permissions（Similar to No.6）※Omitted this time 9 Not regularly reviewing (inventorying) unused users, roles, permissions, policies, and credentials 10 Same as No.8 ※Omitted this time 11 Don't use IAM Access Analyzer and don't check for public and cross-account access to resources 12 （IAM policy validation using IAM Access Analyzer may not be performed）※Omitted this time 13 （Guardrails for permissions may not be established (unmanaged)）※Omitted this time 14 （Permissions Boundaries may not be used）※Omitted this time

11 Copyright（C） NRI Netcom, Ltd. All rights reserved. Considering security anti-patterns in AWS IAM Anti-patterns from security best practices in AWS IAM Among the cases where security best practices in IAM are not applied, we have grouped similar cases together and excluded those that may not be used. No. Cases where AWS IAM security best practices are not being applied 1 （Federation with your identity provider may not be available）※Omitted this time 2 Use only long-term credentials（Don‘t use IAM roles to delegate access between AWS accounts） 3 Don‘t use multi-factor authentication (MFA) for IAM users 4 Don‘t rotate access keys for use cases that require long-term credentials 5 Not following best practices for protecting root user credentials（Frequent use of root user, creation of access keys, failure to configure MFA, unauthorized use, etc.） 6 Apply non-least privilege (unnecessary) permissions 7 Don‘t use AWS managed or customer managed policies（Use only inline policies and only AWS managed policies） 8 Generate IAM policies that do not enforce least privilege (unnecessary) permissions（Similar to No.6）※Omitted this time 9 Not regularly reviewing (inventorying) unused users, roles, permissions, policies, and credentials 10 Same as No.8 ※Omitted this time 11 Don't use IAM Access Analyzer and don't check for public and cross-account access to resources 12 （IAM policy validation using IAM Access Analyzer may not be performed）※Omitted this time 13 （Guardrails for permissions may not be established (unmanaged)）※Omitted this time 14 （Permissions Boundaries may not be used）※Omitted this time

12 Copyright（C） NRI Netcom, Ltd. All rights reserved. AWS IAM Security Anti-Patterns Anti-patterns from security best practices in AWS IAM We have categorized AWS IAM security anti-patterns into six patterns. First of all, make sure you don't commit security anti-patterns in AWS IAM! AWS IAM Security Anti-Patterns ① • Use only long-term credentials（Don‘t use IAM roles to delegate access between AWS accounts） • Don‘t rotate access keys for use cases that require long-term credentials ② • Don‘t use multi-factor authentication (MFA) for IAM users ③ • Not following best practices for protecting root user credentials（Frequent use of root user, creation of access keys, failure to configure MFA, unauthorized use, etc.） ④ • Apply non-least privilege (unnecessary) permissions • Don‘t use AWS managed or customer managed policies（Use only inline policies and only AWS managed policies） ⑤ • Not regularly reviewing (inventorying) unused users, roles, permissions, policies, and credentials ⑥ • Don't use IAM Access Analyzer and don't check for public and cross-account access to resources

13 Copyright（C） NRI Netcom, Ltd. All rights reserved. （Reference）Cases where AWS IAM security best practices are not being applied（No.1~3） Anti-patterns from security best practices in AWS IAM ◼ Require human users to use federation with an identity provider to access AWS using temporary credentials ➢ （Federation with your identity provider may not be available）※Omitted this time ◼ Require workloads to use temporary credentials with IAM roles to access AWS ➢ Use only long-term credentials（Don‘t use IAM roles to delegate access between AWS accounts） If you regularly use access keys (secret keys) instead of IAM roles to delegate access across AWS accounts, the access key information may be leaked and malicious third parties may use your authentication information. ◼ Require multi-factor authentication (MFA) ➢ Don‘t use multi-factor authentication (MFA) for IAM users If you don’t use MFA for IAM users, logging in to AWS will be authenticated by password only, which may lead to unauthorized access if your password is leaked to a third party. Danger Reference Danger

14 Copyright（C） NRI Netcom, Ltd. All rights reserved. （Reference）Cases where AWS IAM security best practices are not being applied（No.4~6） Anti-patterns from security best practices in AWS IAM ◼ Update access keys when needed for use cases that require long-term credentials ➢ Don‘t rotate access keys for use cases that require long-term credentials In principle, we recommend that you do not use access keys, but there are cases where access keys are used for access from applications, etc. In this case, if the access key is not updated, a third party may continue to use the authentication information if the access key is leaked. ◼ Follow best practices to protect your root user credentials ➢ Not following best practices for protecting root user credentials（Frequent use of root user, creation of access keys, failure to configure MFA, unauthorized use, etc.） Because the root user has administrative privileges, in principle, the privileges cannot be restricted. Frequent use of the root user, creating an access key for the root user, not configuring MFA, or using the root user without authorization can lead to the risk of information leakage for the root user. ◼ Apply least-privilege permissions ➢ Apply non-least privilege (unnecessary) permissions There is a risk that excessive permissions will be granted "because it is necessary," which could lead to operational mistakes. On the other hand, if you prohibit a function you want to use from the stance of "not using any function that seems even the slightest bit dangerous," you will not be able to perform necessary operations. Reference Danger

15 Copyright（C） NRI Netcom, Ltd. All rights reserved. （Reference）Cases where AWS IAM security best practices are not being applied（No.7~9） Anti-patterns from security best practices in AWS IAM ◼ Get started with AWS managed policies and move toward least-privilege permissions ➢ Don‘t use AWS managed or customer managed policies（Use only inline policies and only AWS managed policies） Using customer managed policies allows you to narrow down privileges to least privilege. If you only use inline policies that can be granted directly to IAM users, it can become difficult to manage as the number of users increases, and unnecessary permissions may remain. In addition, while the AWS managed policies provided by AWS are convenient, they do not enforce least privileges in accordance with the intended use of each account or user, so using only AWS managed policies will give unnecessary permissions to users. ◼ Use IAM Access Analyzer to generate least-privilege policies based on access activity ➢ Generate IAM policies that do not enforce least privilege (unnecessary) permissions（Similar to No.6） ※Omitted this time ◼ Regularly review and remove unused users, roles, permissions, policies, and credentials ➢ Not regularly reviewing (inventorying) unused users, roles, permissions, policies, and credentials If you do not take an inventory of IAM, there is a higher risk of authentication information being leaked by employees who have left the company or are no longer involved in the project, the misuse of unnecessary roles, and operational errors due to unnecessary access permissions and policies. Reference Danger

16 Copyright（C） NRI Netcom, Ltd. All rights reserved. （Reference）Cases where AWS IAM security best practices are not being applied（No.10~14） Anti-patterns from security best practices in AWS IAM ◼ Use conditions in IAM policies to further restrict access ➢ Same as No.8 ※Omitted this time ◼ Verify public and cross-account access to resources with IAM Access Analyzer ➢ Don't use IAM Access Analyzer and don't check for public and cross-account access to resources Public access and cross-account access require careful consideration because they can affect things outside your AWS account. If there is unintended public access or cross-account access to resources, they may be accessed unauthorizedly and information may be leaked. ◼ Use IAM Access Analyzer to validate your IAM policies to ensure secure and functional permissions ➢ （IAM policy validation using IAM Access Analyzer may not be performed）※Omitted this time ◼ Establish permissions guardrails across multiple accounts ➢ （Guardrails for permissions may not be established (unmanaged)）※Omitted this time ◼ Use permissions boundaries to delegate permissions management within an account ➢ （Permissions Boundaries may not be used）※Omitted this time Reference Danger

17 Copyright（C） NRI Netcom, Ltd. All rights reserved. Self-introduction ＆ Today’s topic 01 Anti-patterns from security best practices in AWS IAM 02 Summary, References & Appendix 05

18 Copyright（C） NRI Netcom, Ltd. All rights reserved. Summary Summary, References & Appendix ⚫Learn about AWS IAM security best practices →Consider cases where AWS IAM security best practices are not applied →Summarizing similar cases, there are six possible AWS IAM security anti-patterns. First of all, make sure you don't commit security anti-patterns in AWS IAM! AWS IAM Security Anti-Patterns ① • Use only long-term credentials（Don‘t use IAM roles to delegate access between AWS accounts） • Don‘t rotate access keys for use cases that require long-term credentials ② • Don‘t use multi-factor authentication (MFA) for IAM users ③ • Not following best practices for protecting root user credentials（Frequent use of root user, creation of access keys, failure to configure MFA, unauthorized use, etc.） ④ • Apply non-least privilege (unnecessary) permissions • Don‘t use AWS managed or customer managed policies（Use only inline policies and only AWS managed policies） ⑤ • Not regularly reviewing (inventorying) unused users, roles, permissions, policies, and credentials ⑥ • Don't use IAM Access Analyzer and don't check for public and cross-account access to resources

19 Copyright（C） NRI Netcom, Ltd. All rights reserved. References Summary, References & Appendix ◼ Best Practices in IAM ⚫ Security best practices in IAM https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html ⚫ Root user best practices for your AWS account https://docs.aws.amazon.com/IAM/latest/UserGuide/root-user-best-practices.html

20 Copyright（C） NRI Netcom, Ltd. All rights reserved. Appendix Summary, References & Appendix ◼dev.to ⚫ IAM: What happens when you assume a role? https://dev.to/aws-builders/iam-what-happens-when-you-assume-a-role-3o2 ⚫ AWS IAM CLI: a cheatsheet https://dev.to/aws-builders/aws-iam-cli-a-cheatsheet-3g7o ◼community.aws ⚫ Securely Access Resources with IAM Service Roles https://community.aws/content/2iCmBIvLS5GaQFui5o8BMHDSSpJ/practical-cloud-guide-securely- access-resources-with-iam-service-roles ⚫ Integrating AWS IAM Identity Center with Okta https://community.aws/content/2kEA3dE4EXBbZEpboNRmJnJbU1C/integrating-aws-iam-identity- center-with-okta

No content