To recap, in the first article I covered what steps you needed to take to increase security on your root account. As a follow on to that, I want to move into a more complex topic – IAM policies and users. I’m not looking to try and teach you how to create IAM policies in this post, AWS has plenty of guides on achieving that. The aim for this post is to make you aware of them and have a high level understanding of them.
IAM stands for Identity and Access Management, its AWSs service for creating and managing users, groups and permissions within the context of an AWS account. As a general rule the objects you create, are specific to that account. The exception to the objects being specific to accounts, is IAM delegation and federation capabilities. IAM delegation and federation exists to provide account access into any external or additional AWS accounts you have. The accounts might exist either in another AWS account, or they might exist in an external directory that is SAML 2.0 compliant, such as Active Directory (AD) with Active Directory Federation Services (ADFS). As an aside, there’s an AWS blog post about configuring AD with ADFS for AWS integration, which you can read here.
As a general rule I try to avoid using delegation and/or federation, as it creates unnecessary complexity and can potentially weaken your security posture if not properly configured. In the case of delegation, there is too much scope for an accidental action as a result of being confused about which account is currently active. This isn’t to say that it is without merit, it’s just not suitable for smaller environments. [Read more…]