Key AWS IAM Considerations

Providing the right permissions for your IAM roles will significantly reduce the risk of unauthorized access to your AWS resources and services. Many organizations uncover IAM policies that are too permissive right before an audit or when there’s a breach with the firm.

Here are a few key AWS IAM roles / policy takeaways that every firm should factor before even creating one.

1. Define and Standardize IAM personas to grant least privileged access. Two frequently used personas across many companies are human roles (DevOps, Support,Release etc.) and non-human roles (lambda and most of the serverless services)
2. Deploy and manage IAM roles via a centralized AWS account versus deploying them from separate accounts
3. Review IAM policy for any duplicate or invalid actions before deploying an IAM role through the centralized account
4. IAM roles especially human roles should not have elevated privileges or cross application access
5. Identity unused actions within IAM policies and clean up IAM policies periodically
6. Most of the EC2 instances and lambda functions or any serverless service that assume non-human IAM roles should continuously be monitored for any elevated actions that the role is not supposed to perform
7. Standardize and enforce tagging on all AWS resources.As most of the IAM policies can restrict access based of AWS resource tags. It is very important to tag the resources within our AWS accounts
8. Create and monitor security controls that are important to maintain compliance within AWS workloads. Here are a few vendors that provide cloud compliance services