mega-menu-burger mega-menu-close

AWS Cloud Security Best Practices: Identity and Access Management

The Blue Report 2023

Understand the 4 trade-offs that limit modern security teams to properly manage their organization’s threat exposure.


Cloud services have become an integral part of many IT infrastructures, and securing access to cloud services is central to safeguarding sensitive data and critical systems. As a major cloud service provider, Amazon Web Services uses its Identity and Access Management (IAM) service to provide the tools and mechanisms necessary to control who can access AWS resources and what actions they can perform. In the ever-growing cloud infrastructure, adhering to IAM best practices is not just a recommendation; it's a necessity. From protecting sensitive data to ensuring the principle of least privilege, IAM policies and configurations play a pivotal role in fortifying organizations' AWS environment against potential security breaches and unauthorized access.

In this blog post, we continue our blog series on AWS cloud security best practices and explain the best practices for AWS Identity and Access Management (IAM) service.

Validate Your Cloud Security Posture with The Picus Platform

Identity and Access Management Best Practices in AWS Cloud

Identity and Access Management (IAM) is a cornerstone of AWS security. Unlike traditional IT environments, users are only limited by their access rights to deploy or remove resources. IAM defines users' access rights to manage services, applications, databases, and other AWS assets. Moreover, IAM authenticates and authorizes users to access AWS resources. Identity and Access Management consists of the following components:

  • Users: Users represent individuals or entities (such as applications or services) that need access to AWS resources. Each user has a unique identity within the AWS account and can have associated IAM policies defining their permissions.

  • Groups: Groups are collections of IAM users. Organizations can assign common permissions to multiple users by associating users with groups. Groups simplify access management by applying policies to a set of users at once.

  • Roles: Roles are a fundamental component used to grant permissions and securely manage access to AWS resources. IAM roles are unique because they are not associated with specific IAM users or groups but are intended to be assumed by various AWS services, resources, or external entities. When a role is assumed, the specified user receives a temporary credential for the session.

  • Access Keys & Credentials: IAM users can have access keys (access key ID and secret access key) associated with their accounts. Access keys are used for programmatic access to AWS resources through APIs and command-line interfaces. Also, other credentials such as console passwords, SSH keys, or server certificates allow users to interact with the cloud infrastructure.

  • Policies: IAM policies are JSON documents that define what actions are allowed or denied on AWS resources. Policies can be attached to users, groups, or roles. They are the primary mechanism for specifying permissions within IAM. Policies can be managed and customized to grant fine-grained permissions.

In the event an adversary is able to compromise an AWS user with privileges, they can inflict significant damage to their victims' operations. Therefore, managing identities and access to resources is crucial for AWS security. Here are some of the vital best practices for AWS IAM.

Implement the principle of least privilege (PoLP)

As organizations' cloud infrastructures grow, users and services also increase exponentially.  Without proper permission management, organizations may lose track of granted permissions. Overly permissive policies are potential security risks that adversaries can abuse in cyber attack campaigns.

To address this challenge, organizations should implement the least privilege principle. The least privilege principle is a security best practice that states that users should only be granted the permissions they need to perform their job duties. This principle helps to reduce the risk of unauthorized access to data and resources.

Using roles, Groups, and Fine-Grained Permissions

When granting permissions, organizations should avoid giving permissions to individual users. Instead, permissions should be granted to groups. This approach allows organizations to maintain visibility on permissions easily and eliminates the need for constant changes to individual permissions.

AWS IAM also allows organizations to define roles and fine-grained permissions for users. IAM roles can be used to delegate permissions to users with temporary credentials, reducing the need for long-term access keys. Roles can be used for AWS services such as EC2 instances and Lambda functions, enabling them to interact securely with other AWS resources. Instead of defining broad permissions, organizations can define fine-grained permissions for AWS resources. These permissions grant users or services access to only specific AWS actions, such as read, write, and delete. This level of granular customization can provide great control over IAM permissions and help organizations manage them with less effort.

Avoid using root user 

The root user in AWS is the initial AWS account user that is created when an individual or organization signs up for AWS services. This user has the highest level of access and is granted full administrative privileges over the AWS account. The root user is unique because it is not subject to the same access controls and restrictions as other IAM users within the AWS account. Organizations should avoid using the root user for daily tasks because of its extensive privileges and capabilities. Root user should only be used in rare circumstances where it's required. Access to the root user should be secured with a very complex password and multi-factor authentication. Any access key created for the root user must also be secured with the highest priority.

It is best practice to create and use IAM users with appropriately scoped permissions for day-to-day operations and administration tasks. IAM users can be assigned specific roles and policies tailored to their responsibilities, limiting their access to only what is necessary and adhering to the principle of least privilege. This approach enhances security and access control within an AWS account while reducing the risk associated with the use of the root user account.

Require complex passwords and multi-factor authentication (MFA)

Compromised user credentials are one of the most abused initial access vectors for AWS cloud environments. Organizations should implement robust password policies to defend their cloud infrastructure against cyber threat actors.

Organizations should set IAM to enforce a strong password policy that requires users to set complex passwords for their AWS accounts. An example complex password should have at least 14 characters with at least one uppercase and lowercase character, one number, and one symbol. The password should not be used in any other services to limit the risk of exposure. 

In addition to strong passwords, organizations must require users to enable multi-factor authentication (MFA) for their AWS accounts. No matter how complex a password is, the risk of compromise cannot be eliminated. Enabling MFA adds an extra layer of security for AWS accounts by requiring the use of a physical or virtual token.

IAM supports the automatic rotation of credentials, such as access keys and passwords, at regular intervals. Rotating credentials reduces the risk of unauthorized access due to compromised or stale credentials. Organizations may set this feature to expire passwords and access keys every 60 or 90 days. 

Picus Cloud Security Validation 

As organizations continue to migrate their workloads to the cloud, the need for automated cloud security posture management becomes more prominent. Picus Cloud Security Validation enables you to address cloud security issues before a breach happens. It allows security teams to audit their essential AWS services, identify misconfigured IAM policies, and validate their gaps with simulated attacks. Picus also provides actionable insights to help you address misconfigurations in your AWS environment. Reports and dashboards provided by Picus Cloud Security Validation enable you to track improvements to your cloud security posture and share results.


Amazon Web Services (AWS) continues to grow as a major cloud service provider, and many organizations increasingly use cloud services to run their operations. However, being in the cloud does not eliminate cyber security risks, and organizations are still responsible for ensuring the security of their business. Organizations are advised to follow the principle of least privilege (PoLP), fine-tune permissions, and enforce strict password policies.