Continuous AWS IAM Security Best Practices
March 15, 2021
There are some great guides on the internet for AWS Security best practices (both official and unofficial). However, one of the challenges we saw with those guides is that they tell you what the end goal is, but they usually leave it up to the user on how to implement it (at scale), let alone how to continuously monitor those best practices to make sure all your hard work doesn’t go through the window.
In this blog post we will go through the official security IAM best practices, and we'll show how to validate and monitor them using SQL statements with CloudQuery.
You can run all the following commands on a single AWS account. You can also run them on multiple accounts in parallel, using an account that can assume-role into all your other relevant accounts.
To be able to run the following tutorial you need to install and configure CloudQuery.
In this section, we will share snippets of SQL statements, most of which you can find in our aws//cis_v1.2.0 policy (opens in a new tab). You can also use this as a reference to create your own policies, which can be customized to your needs and the security policies of your organization.
One best practice in AWS is to enable MFA (on your root account) and create an IAM admin user to handle all your day-to-day work immediately after you open an account. List root accounts that were accessed in the last 30 days:
SELECT account_id, arn, password_last_used, user_name FROM aws_iam_users WHERE user_name = '<root_account>' AND password_last_used > (now() - '30 days'::interval)
Also, it is strongly advised not to create any access keys for the root account. To list root accounts with access keys:
select * from aws_iam_users JOIN aws_iam_user_access_keys keys on aws_iam_users.id = keys.user_id WHERE user_name = '<root>'
Instead of attaching IAM policies to users it is advised to attach IAM policies to groups and roles, and then to assign the groups and roles to users. To list accounts with IAM policies attached directly:
SELECT aws_iam_users.account_id, arn, user_name FROM aws_iam_users JOIN aws_iam_user_attached_policies policies on aws_iam_users.id = policies.user_id
Creating and reviewing IAM policies with least privilege in mind is a big topic on its own. We will cover this in a follow-up post!
If you allow users to change their own password, then creating a password policy is highly recommended. This snippet is taken from AWS CIS benchmark. It provides a good example of a strong password policy and offers a way to check that it is enabled in all accounts.
- name: "AWS CIS 1.5 Ensure IAM password policy requires at least one uppercase letter" query: > SELECT account_id, require_uppercase_characters FROM aws_iam_password_policies WHERE require_uppercase_characters = FALSE - name: "AWS CIS 1.6 Ensure IAM password policy requires at least one lowercase letter" query: > SELECT account_id, require_lowercase_characters FROM aws_iam_password_policies WHERE require_lowercase_characters = FALSE - name: "AWS CIS 1.7 Ensure IAM password policy requires at least one symbol" query: > SELECT account_id, require_symbols FROM aws_iam_password_policies WHERE require_symbols = FALSE - name: "AWS CIS 1.8 Ensure IAM password policy requires at least one number" query: > SELECT account_id, require_numbers FROM aws_iam_password_policies WHERE require_numbers = FALSE - name: "AWS CIS 1.9 Ensure IAM password policy requires minimum length of 14 or greater" query: > SELECT account_id, minimum_password_length FROM aws_iam_password_policies WHERE minimum_password_length < 14 - name: "AWS CIS 1.10 Ensure IAM password policy prevents password reuse" query: > SELECT account_id, password_reuse_prevention FROM aws_iam_password_policies WHERE password_reuse_prevention is NULL or password_reuse_prevention > 24 - name: "AWS CIS 1.11 Ensure IAM password policy expires passwords within 90 days or less" query: > SELECT account_id, max_password_age FROM aws_iam_password_policies WHERE max_password_age is NULL or max_password_age < 90
AWS recommends that MFA be enabled for the root account, as well as any other privileged IAM users. To list all accounts with MFA disabled:
SELECT account_id, arn, password_last_used, user_name, mfa_active FROM aws_iam_users WHERE NOT mfa_active
For example, if you only want to alert on specific accounts, you can add a list of accounts to the SQL statements. Or you can go even further by joining on the permissions table and alerting on accounts with specific permissions that do not have MFA enabled.
To list all access keys that weren’t rotated in the last 90 days you can run the following:
SELECT aws_iam_users.account_id, aws_iam_users.arn AS user_arn, aws_iam_users.user_name, aws_iam_user_access_keys.access_key_id, MAX(last_rotated) FROM aws_iam_users JOIN aws_iam_user_access_keys on aws_iam_users.id = aws_iam_user_access_keys.user_id WHERE last_rotated < (now() - '90 days'::interval) GROUP BY aws_iam_users.account_id, aws_iam_users.arn, aws_iam_users.user_name, aws_iam_user_access_keys.access_key_id;
To list all IAM access keys that haven’t been used for more than 90 days:
SELECT aws_iam_users.account_id, aws_iam_users.arn AS user_arn, aws_iam_users.user_name, aws_iam_user_access_keys.access_key_id, MAX(last_used) FROM aws_iam_users JOIN aws_iam_user_access_keys on aws_iam_users.id = aws_iam_user_access_keys.user_id WHERE last_used < (now() - '90 days'::interval) GROUP BY aws_iam_users.account_id, aws_iam_users.arn, aws_iam_users.user_name, aws_iam_user_access_keys.access_key_id;
We implemented many compliance SQL queries that you can check out here.
These SQL queries will create an
aws_policy_results table that you can then query.
Stay tuned for more blogs on cloud security, compliance and other cool stuff!