Ensuring proper, consistent Identity and Access Management (IAM) in AWS is both a toil-heavy chore and a persistent risk. Often, engineers are expected to be responsible for this when they may or may not know what the specific access should look like for their application. In other cases, a lone (and typically overwhelmed) cloud security expert is saddled with an insurmountable amount of custom policy development, which can significantly slow down engineering and product release velocity. In the worst case scenario, overly permissive configurations can lead to an event like the Capital One hack in 2019.
It doesn’t have to be this way. You can have development velocity and security working in lockstep with just a few easy Prowler IAM checks. (If you’re not familiar with Prowler, check out our first post in this series.) For each check we list below, you’ll also get remediation steps to help if your environment fails that check.
The Prowler IAM checks fall into roughly 5 groupings that are based off the AWS IAM Security best practices:
- Root Account Protections
- Key and Credential Rotation
- Password Hygiene
- Admin/Ops Details
- Roles and Groups
- Privilege Escalation
- Logs and Alerts
Root Account Protections
AWS recommends that you treat your root user access key “like you would your credit card numbers or any other sensitive secrets.” You only want it to set up your admin account, and then you want to use roles and groups to delegate permissions. This set of checks helps you see if/when the root account has been accessed, ensure MFA is enabled, and control access keys for the root account, including:
- If the root account has been accessed (and if so, how recently)
- If a root account access key exists
- If MFA is enabled for the root account
- If hardware MFA is enabled for the root account (this is helpful for some specific regulations that require hardware MFA)
- Whether MFA is enabled for all IAM users that have a console password (If someone has a console password and disabled MFA, they are listed in the output.)
- Did any IAM users with root access get access keys during initial user setup
Key and Credential Rotation
AWS recommends rotating access keys every 90 days, and disabling credentials that are unused for 90 days or greater. These checks confirm those timelines, plus an extra one for those that prefer a shorter window.
- Ensure credentials unused for 90 days or greater are disabled
- Ensure access keys are rotated every 90 days or less
- Ensure credentials unused for 30 days or greater are disabled
Password Hygiene
Policing passwords is no fun, and if you use SAML you don’t have to worry about this (but having these checks properly set up is still a good practice)! If you are using AWS IAM as a user and password database, these checks make it simple to see if something snuck through that shouldn’t have. This set checks for:
- At least one uppercase letter
- At least one lowercase letter
- At least one symbol
- At least one number
- Minimum length of 14 or greater
- Password reuse (up to 24 previous passwords)
- Expiration window is 90 days or less
Admin/Ops Details
Keep your who, where, what details up to date in case something goes wrong. This set covers important details like:
- Whether security questions are registered in the AWS account
- Ensuring that contact email and telephone details for AWS accounts are current (and map to more than one individual in your organization)
- Registering the contact information for your security team
- Ensuring that a support role has been created to manage incidents with AWS Support
Users, Roles, and Groups
By default, IAM users, groups, and roles have no access to AWS resources. IAM policies are the means by which privileges are granted to users, groups, or roles. AWS recommends that IAM policies be applied directly to groups and roles but not users. Assigning privileges at the group or role level reduces the complexity of access management as the number of users grows. Reducing access management complexity may in turn reduce the opportunity for a user to inadvertently receive or retain excessive privileges. This set verifies that:
- IAM policies are attached only to groups or roles
- IAM instance roles are used for AWS resource access from instances
- Users in groups with AdministratorAccess policy have MFA tokens enabled
- No custom IAM policies exist which allow permissive role assumption (e.g. sts:AssumeRole on *)
- Whether IAM users have two active access keys
- If IAM users have Hardware MFA enabled
- If there are SAML Providers (Without a designated SAML provider, users with AWS CLI or AWS API access can use IAM static credentials. SAML helps users assume the proper role by default each time they authenticate.)
Privilege Escalation
We made a special category for this, because it’s something that can catch you off guard in really nasty ways. Essentially, users with some IAM permissions may be allowed to elevate their privileges up to administrator rights. It’s critical to know if you have any of those privileges lurking in your infrastructure that an attacker could potentially exploit, from things like creating a new version of an IAM policy, to making a new EC2 instance and gaining access to all the permissions that the associated instance profile/service role has, or creating a new user access key that could grant them full administrator access (and a bunch more bad things that stem from privilege escalation).
- IAM policies which allow full “*:*” administrative privileges are not created
- Customer Managed IAM policies don’t allow actions that may lead into Privilege Escalation
Logs and Alerts
Root account logins, unauthorized API calls, and policy changes or auth failures could all be simple mistakes or signs of malicious activity. Either way, find out as soon as possible with this set of checks that makes sure log metric filters and alarms exist for:
- Unauthorized API calls
- Management Console sign-in without MFA
- Usage of root account
- IAM policy changes
- AWS Management Console authentication failures
This is the tip of the Prowler iceberg, which has over 240 checks for comprehensive coverage of all your AWS use cases. Stay tuned for our next post in this series, which covers key Prowler checks for preventing ransomware attacks.
Sign up for Prowler Training
This free course covers everything from the history of Prowler to advanced features.
Toni de la Fuente
Founder of Prowler Open Source & Lead of Prowler Pro
I’m founder of Prowler Open Source, tool for AWS security best practices. I also worked for AWS as security engineer and security consultant. I’m passionate about FLOSS (Free Libre Open Source Software) in general and Information Security, Incident Response and Digital Forensics in particular. I like everything related to cloud computing and automation. I have done some things for security and the Open Source community like Prowler, phpRADmin, Nagios plugin for Alfresco, Alfresco BART (backup tool). I’ve also contributed in books and courses related to Linux, Monitoring and AWS Security for PacktPublishing.