AWS Expands Credential Lifecycle Management and Monitoring
AWS Identity and Access Management (IAM) recently expanded available password policy rules to enable self-service password rotation. A new credential report provides visibility into the AWS credentials security status. AWS also added logging of AWS Management Console sign-in events to AWS CloudTrail.
IAM is a web service that enables AWS customers to manage roles, groups, users and IAM permissions to securely control access to AWS services and resources. Existing IAM password policies have provided options to enforce password complexity rules, but lacked features like mandatory password rotation as demanded by many IT departments and required for compliance with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.
Administrators can now set mandatory password rotation periods ranging from one day to three years:
- users are notified starting 15 days before their passwords expire
- users cannot login without resetting their password once it has expired
- users can optionally be forced to contact an administrator once their password expires
- users can be prevented from reusing up to 24 preceding passwords
IAM also added support for the common password creation workflow, where administrators assign users an initial custom or auto-generated password and optionally require them to create a new one at next sign-in.
In addition, IAM now offers a credential report that contains necessary information to audit the AWS security credentials status of IAM users and the effects of credential lifecycle policies, such as password rotation. The CSV formatted file can be downloaded interactively or programmatically and generated as often as every four hours.
AWS CloudTrail also enabled additional auditing capabilities and can log AWS Management Console sign-in events whenever an account owner or IAM user signs into the console directly, or a federated user via single sign-on (SSO). As previously covered, CloudTrail records all API calls made in an AWS account and stores the resulting log files in an Amazon S3 bucket for reuse by other applications.
The following sign-in activities by IAM and federated users are now also leaving an event trail:
- every successful sign-in
- every unsuccessful sign-in attempt
- verification of when multi-factor authentication (MFA) was enforced
- the IP address of every sign-in event
Successful root account sign-in events are recorded as well, though unsuccessful ones are not. AWS strongly recommends not to use AWS root account access keys anymore but to create individual IAM users instead:
By creating individual IAM users for people accessing your account, you can give each IAM user a unique set of security credentials. You can also grant different permissions to each IAM user. If necessary, you can change or revoke an IAM user’s permissions any time. (If you give out your AWS root credentials, it can be difficult to revoke them.)
The IAM Documentation features dedicated sections concerning management of the various types of credentials (passwords, access keys, MFA, and certificates) and logging of IAM events with AWS CloudTrail, including examples of the JSON formatted log events. Guidance on IAM best practices is also available. Support is provided via the Identity and Access Management and CloudTrail forums.
Camille Fournier May 21, 2015