AWS Best Security Practices

Case study analysis

In this lab, we identify the IAM security requirements for a scenario in which an organization runs a static website on Amazon S3 and a DNS service with Route 53.

Broadly, the assets in this scenario are the static website's HTML itself and any database that the website might include. The DNS server might be considered an asset as well, but it lives in the cloud environment and is run by AWS, so it is not an asset that the customer has to maintain physically.

With the assets available in this case, there is little need for many users. A static website presumably also takes little user input (which is the cause of security issues most of the time) and contains little crucial information. Thus, according to AWS Security Best Practices (2016), it comes down to 2 options:

  • 1 AWS account with centralized management. A single account is responsible for everything, including management and development.
  • 3 AWS accounts for separation of duties: management, development and testing.

Although both are common strategies, in this case 1 AWS account is much more suitable because this appears to be a small-scale project. All production is centralized in one account that runs only 2 services. However, IAM users and groups will be created to differentiate the level of access on different accounts.

Users, Groups and Policies

Looking at the assets, the work pipeline needs access for administrative management, development and DNS management. Thus, 4 groups are best created, each with different permissions to different AWS services. These 4 groups are:

  • IAM_Admin has the highest privilege for managing IAM users.
  • Super_Admin has read and write access to Amazon S3 and Route 53.
  • Developer_Admin has read and write access to Amazon S3 for managing the web files in the S3 bucket. In addition, it has read access to Route 53.
  • Network_Admin has read and write access to Route 53 for managing the DNS server. It also has read access to the Amazon S3 bucket.

One user will be assigned to each group. Each user has their own credentials, and access according to the policies attached to their group. It is also possible that a further group, Website_Admin, will be created that only has the ability to manage the website development.
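The group design above, written out as IAM policy documents with a simplified permission check. This is an added example, not part of the original lab. The bucket name is hypothetical, "write" is narrowed to the listed actions as an assumption, and the checker ignores resources, conditions and explicit denies.

```python
import fnmatch
import json

BUCKET = "example-static-site"  # hypothetical bucket name (assumption)

S3_READ = ["s3:GetObject", "s3:ListBucket"]
S3_WRITE = ["s3:PutObject", "s3:DeleteObject"]
R53_READ = ["route53:Get*", "route53:List*"]
R53_WRITE = ["route53:ChangeResourceRecordSets"]  # record changes only (assumption)

S3_RESOURCES = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Group -> (S3 actions, Route 53 actions, IAM actions), following the list above.
GROUPS = {
    "IAM_Admin": ([], [], ["iam:*"]),
    "Super_Admin": (S3_READ + S3_WRITE, R53_READ + R53_WRITE, []),
    "Developer_Admin": (S3_READ + S3_WRITE, R53_READ, []),
    "Network_Admin": (S3_READ, R53_READ + R53_WRITE, []),
}


def build_policy(group):
    """Return the identity-based policy document for one group."""
    s3, r53, iam = GROUPS[group]
    statements = []
    # Route 53 and IAM use "*" here; scoping to a hosted zone ARN is tighter.
    for sid, actions, resource in (("S3", s3, S3_RESOURCES),
                                   ("Route53", r53, "*"),
                                   ("IAM", iam, "*")):
        if actions:
            statements.append({"Sid": sid, "Effect": "Allow",
                               "Action": actions, "Resource": resource})
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(group, action):
    """Implicit deny unless some Allow statement's action pattern matches."""
    for stmt in build_policy(group)["Statement"]:
        if any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            return True
    return False


if __name__ == "__main__":
    print(json.dumps(build_policy("Developer_Admin"), indent=2))
    for group in GROUPS:
        print(group, is_allowed(group, "route53:ChangeResourceRecordSets"))
```

Each generated document can be attached to its group as a customer managed policy; anything not listed stays denied by default.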

Additional IAM security measures

A common mistake is using root access for administration in AWS. As a best practice, the Super_Admin group is created to give almost the same privilege as root with less security risk. According to IAM Best Practices (n.d.), the root account key should be changed regularly. And of course, these privileged administration accounts should have strongly structured passwords.

As a best practice, all identities are granted least privilege. This means that every user, group, role or resource only has access to the resources it needs and is denied everything else by default. As you can see, this is implemented in Developer_Admin, which only has read access to Route 53, and Network_Admin, which only has read access to Amazon S3.

Multi-factor authentication is a crucial part of securing accounts. As described by ZDNet (2020), 99.9% of compromised accounts are not equipped with multi-factor authentication. Thus, setting up MFA on the AWS account is a crucial security requirement for every user.

Password rotation should be advised for all users. This keeps the credentials secure.
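One way to check the MFA and rotation measures above is to audit the IAM credential report. This is an added example, not part of the original lab: the CSV is a constructed sample with a subset of the report's columns, and the 90-day limit and audit date are assumptions.

```python
import csv
import io
from datetime import datetime, timezone

MAX_AGE_DAYS = 90  # rotation limit (assumption; the lab names no number)
SAMPLE_NOW = datetime(2020, 3, 21, tzinfo=timezone.utc)  # constructed audit date

# Constructed sample; column names follow the IAM credential report.
SAMPLE_REPORT = """\
user,password_enabled,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated
<root_account>,not_supported,not_supported,false,true,2019-01-10T09:00:00+00:00
iam_admin_user,true,2020-03-01T08:00:00+00:00,true,false,N/A
developer_user,true,2019-10-01T08:00:00+00:00,false,true,2020-02-15T08:00:00+00:00
network_user,true,2020-02-20T08:00:00+00:00,true,true,2019-09-01T08:00:00+00:00
"""


def age_days(value, now):
    """Days since an ISO 8601 timestamp; None for N/A or not_supported."""
    try:
        return (now - datetime.fromisoformat(value)).days
    except ValueError:
        return None


def audit(report_csv, now):
    """Return (user, finding) pairs for missing MFA and stale credentials."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        has_password = row["password_enabled"] == "true"
        key_active = row["access_key_1_active"] == "true"
        # Root and every console user must have MFA enabled.
        if (is_root or has_password) and row["mfa_active"] != "true":
            findings.append((user, "no MFA"))
        pw_age = age_days(row["password_last_changed"], now)
        if has_password and pw_age is not None and pw_age > MAX_AGE_DAYS:
            findings.append((user, f"password older than {MAX_AGE_DAYS} days"))
        key_age = age_days(row["access_key_1_last_rotated"], now)
        if key_active and key_age is not None and key_age > MAX_AGE_DAYS:
            findings.append((user, f"access key older than {MAX_AGE_DAYS} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit(SAMPLE_REPORT, SAMPLE_NOW):
        print(f"{user}: {finding}")
```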

Critical Thinking

The description above provides a security design for IAM users and groups in an AWS cloud environment. However, there are still several issues to consider when hosting a static website. Though they may fall outside the context of this scenario, the design would be better practice with the addition of some resources and services.

Using only Amazon S3 hosts the website over HTTP. For more secure communication, it is recommended to use CloudFront for an HTTPS connection. CloudFront is able to redirect Amazon S3 HTTP to HTTPS.

Reference

AWS Security Best Practices. (2016). https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Hosting Static Websites on AWS. (2019). https://d0.awsstatic.com/whitepapers/Building%20Static%20Websites%20on%20AWS.pdf

IAM Best Practices—AWS Identity and Access Management. (n.d.). Retrieved March 21, 2020, from https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials

Microsoft: 99.9% of compromised accounts did not use multi-factor authentication | ZDNet. (2020). Retrieved March 21, 2020, from https://www.zdnet.com/article/microsoft-99-9-of-compromised-accounts-did-not-use-multi-factor-authentication/
