Securing IAM - Best Practices Recommended by AWS, Azure, and GCP

By Sabrina Lupșan
Wednesday, May 11, 2022
After we've described the IAM implementations for AWS, GCP, and Azure, let's look at some of the best practices they recommend and how to check if your cloud environment is implementing them. 

With Cyscale, you can efficiently scan your cloud infrastructure and verify whether it follows the best practices that we're going to describe in this article. 

Enable Multi-Factor Authentication (MFA) 

Multi-Factor Authentication is a form of authentication in which the user must present at least two credentials of different types.  

They should come from at least two of the following categories: 

  • What you know (example: a password) 
  • What you have (example: a smart card) 
  • What you are (example: a fingerprint) 

A common MFA scenario is logging in with a password plus a one-time code received on your phone. This example combines "What you know" with "What you have".  

Here are some of the controls implemented in Cyscale that check if MFA is configured for your cloud environment: 

  • Ensure multi-factor authentication (MFA) is enabled for all IAM users that have a console password for AWS Cloud 
  • Ensure that multi-factor authentication is enabled for all privileged users for Microsoft Azure 
  • Ensure that multi-factor authentication is enabled for all non-privileged users for Microsoft Azure 

Rotate credentials and keys regularly 

This best practice is recommended across all vendors and should be implemented in your cloud infrastructure.  

Rotation limits the window of exposure if a key or a set of credentials is compromised. 

For passwords, this means replacing them with new, different ones. 

When rotating keys, the old ones should be retired, and new keys should be generated. 

We suggest that you rotate your keys and credentials at least every 90 days. 

Some examples of controls offered by Cyscale that check if credentials or keys are rotated regularly are: 

  • Ensure access keys are rotated every 90 days or less for AWS Cloud 
  • Ensure API keys are rotated every 90 days for Google Cloud Platform 
  • Ensure IAM password policy expires passwords within 90 days or less for AWS Cloud 
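The MFA and rotation controls above can both be evaluated from the AWS IAM credential report (the CSV returned by `aws iam get-credential-report`). The following is an added example, not Cyscale's own control code: it parses a constructed, abbreviated report that keeps the real report's column names and flags console users without MFA, active access keys older than 90 days, and the root account's MFA state. The evaluation date and all rows are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed, abbreviated IAM credential report: real column names, made-up rows.
CREDENTIAL_REPORT = """\
user,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,not_supported,true,false,N/A,false,N/A
alice,true,true,true,2022-03-15T09:00:00+00:00,false,N/A
bob,true,false,true,2021-11-02T14:30:00+00:00,false,N/A
deploy-bot,false,false,true,2022-04-20T08:00:00+00:00,true,2021-09-01T12:00:00+00:00
"""

NOW = datetime(2022, 5, 11, tzinfo=timezone.utc)  # assumed evaluation date
MAX_KEY_AGE = timedelta(days=90)                  # rotation threshold from the article


def parse_report(text):
    """Read the credential report CSV into one dict per IAM principal."""
    return list(csv.DictReader(io.StringIO(text)))


def users_missing_mfa(rows):
    """IAM users with a console password but no MFA device.

    The root row reports password_enabled as 'not_supported', so it is
    excluded here and checked separately by root_mfa_enabled().
    """
    return sorted(r["user"] for r in rows
                  if r["password_enabled"] == "true" and r["mfa_active"] != "true")


def root_mfa_enabled(rows):
    """True when the root account row reports an active MFA device."""
    return any(r["user"] == "<root_account>" and r["mfa_active"] == "true" for r in rows)


def stale_access_keys(rows, now=NOW, max_age=MAX_KEY_AGE):
    """(user, key slot) pairs for active access keys last rotated more than max_age ago."""
    stale = []
    for r in rows:
        for slot in ("1", "2"):
            if r[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys have 'N/A' rotation dates and no exposure
            rotated = datetime.fromisoformat(r[f"access_key_{slot}_last_rotated"])
            if now - rotated > max_age:
                stale.append((r["user"], slot))
    return stale


if __name__ == "__main__":
    report = parse_report(CREDENTIAL_REPORT)
    print("users without MFA:", users_missing_mfa(report))
    print("root MFA enabled:", root_mfa_enabled(report))
    print("stale access keys:", stale_access_keys(report))
```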

Comply with The Principle of Least Privilege 

Conforming to The Principle of Least Privilege is another essential best practice instilled in cloud security and recommended by the vendors we've discussed.  

To comply with this principle, grant each user only the minimum privileges they need and eliminate all administrator and root accounts that are not strictly necessary. 

AWS recommends that you start with the minimum set of permissions when setting up your policies and add more only as the need arises. 

Make sure you're not missing anything when implementing the concept of least privilege by using controls offered by Cyscale that detect misconfigurations, like the ones below: 

  • Ensure that ServiceAccount has no Admin privileges for Google Cloud Platform 
  • Eliminate use of the "root" user for administrative and daily tasks for AWS Cloud 
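A quick way to spot policies that violate least privilege is to inspect their statements for wildcard grants. The following added example (not Cyscale's code) compares a constructed full-admin policy with a mostly scoped one, using standard IAM policy JSON; the bucket name and policy contents are made up.

```python
import json

# Constructed IAM policy documents (standard policy JSON, made-up resource names).
OVERBROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-uploads/*"},
        # Still too broad: every CloudWatch Logs action on every log group.
        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows a single string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def risky_statements(policy_json):
    """Return (statement index, finding) pairs for Allow statements broader than least privilege.

    Findings: 'full_admin' for Action '*' on Resource '*', 'all_actions' for
    Action '*' on narrower resources, and 'service_wildcard_on_all_resources'
    for 'service:*' on Resource '*'. Deny statements and NotAction are skipped.
    """
    doc = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(doc["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions:
            findings.append((idx, "full_admin" if "*" in resources else "all_actions"))
        elif any(a.endswith(":*") for a in actions) and "*" in resources:
            findings.append((idx, "service_wildcard_on_all_resources"))
    return findings


if __name__ == "__main__":
    print("overbroad:", risky_statements(OVERBROAD_POLICY))
    print("scoped:", risky_statements(SCOPED_POLICY))
```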

Assign permissions at group level  

Another best practice we recommend for IAM cloud security is managing permissions at the group level rather than the user level. 

Whenever you add a new user or need to manage several users at once, assign them to a group with well-defined rules and privileges. 

Here are some controls from Cyscale that check if you're implementing this best practice: 

  • Ensure IAM Users receive permissions only through Groups for AWS Cloud 
  • Ensure IAM Policies are attached only to groups or roles for AWS Cloud 

Implement logging and monitoring 

AWS, GCP, and Azure recommend that you implement logging and monitoring for your cloud environment. All three vendors provide these features.  

For AWS, you can use one of the following services: 

  • AWS CloudTrail 
  • Amazon CloudFront 
  • Amazon CloudWatch 
  • AWS Config 
  • Amazon S3 

GCP supplies Cloud Audit Logs, a service that audits your IAM policy, access to service account keys, and other components of GCP. 

For Azure, you can use Azure AD activity logs, which can be supplemented by Azure Monitor logs to alert you on significant events. 

Examples of controls provided by Cyscale can be seen below: 

  • Ensure CloudTrail trails are integrated with CloudWatch Logs for AWS Cloud 
  • Ensure that Diagnostic Logs are enabled for all services which support it for Microsoft Azure 
  • Ensure that Cloud Audit Logging is configured properly across all services and all users from a project for Google Cloud Platform 

Identity and Access Management is a crucial component of the cloud and should be adequately secured to prevent data breaches and other cybersecurity incidents. 

Use Cyscale to identify any misconfigurations or gaps in your cloud infrastructure and secure it with our over 400 controls. 
