BT

AWS Expands Credential Lifecycle Management and Monitoring

by Steffen Opel on Jul 29, 2014 |

AWS Identity and Access Management (IAM) recently expanded available password policy rules to enable self-service password rotation. A new credential report provides visibility into the AWS credentials security status. AWS also added logging of AWS Management Console sign-in events to AWS CloudTrail.

IAM is a web service that enables AWS customers to manage roles, groups, users and IAM permissions to securely control access to AWS services and resources. Existing IAM password policies have provided options to enforce password complexity rules, but lacked features like mandatory password rotation as demanded by many IT departments and required for compliance with security standards such as PCI DSS v2.0, ISO 27001, and FedRAMP.

Administrators can now set mandatory password rotation periods ranging from one day to three years:

  • users are notified starting 15 days before their passwords expire
  • users cannot login without resetting their password once it has expired
  • users can optionally be forced to contact an administrator once their password expires
  • users can be prevented from reusing up to 24 preceding passwords

IAM password policy dialog

IAM also added support for the common password creation workflow, where administrators assign users an initial custom or auto-generated password and optionally require them to create a new one at next sign-in.

In addition, IAM now offers a credential report that contains necessary information to audit the AWS security credentials status of IAM users and the effects of credential lifecycle policies, such as password rotation. The CSV formatted file can be downloaded interactively or programmatically and generated as often as every four hours.

AWS CloudTrail also enabled additional auditing capabilities and can log AWS Management Console sign-in events whenever an account owner or IAM user signs into the console directly, or a federated user via single sign-on (SSO). As previously covered, CloudTrail records all API calls made in an AWS account and stores the resulting log files in an Amazon S3 bucket for reuse by other applications.

The following sign-in activities by IAM and federated users are now also leaving an event trail:

  • every successful sign-in
  • every unsuccessful sign-in attempt
  • verification of when multi-factor authentication (MFA) was enforced
  • the IP address of every sign-in event

Successful root account sign-in events are recorded as well, though unsuccessful ones are not. AWS strongly recommends not to use AWS root account access keys anymore but to create individual IAM users instead:

By creating individual IAM users for people accessing your account, you can give each IAM user a unique set of security credentials. You can also grant different permissions to each IAM user. If necessary, you can change or revoke an IAM user’s permissions any time. (If you give out your AWS root credentials, it can be difficult to revoke them.)

The IAM Documentation features dedicated sections concerning management of the various types of credentials (passwords, access keys, MFA, and certificates) and logging of IAM events with AWS CloudTrail, including examples of the JSON formatted log events. Guidance on IAM best practices is also available. Support is provided via the Identity and Access Management and CloudTrail forums.

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT