Identity and Access Management (IAM) security is crucial to maintaining the security of cloud services. Managing IAM, however, is difficult and risky: it overburdens IT and cloud security engineers, slows engineering and release velocity, or ends in overly permissive configurations. AltorCloud helps you maintain proper IAM security with a few simple IAM checks, based on cloud IAM security best practices in categories such as root account security, key and credential rotation, password hygiene, admin/ops specifications, roles and groups, privilege escalation, and logs and alerts.
Maintaining proper, consistent Identity and Access Management (IAM) in the cloud is an uphill task and a constant risk. Engineers are often expected to oversee it, even though they may not yet know what access their application actually needs. In most cases a single (often overburdened) cloud engineer faces an insurmountable amount of custom policy development. In the worst case, overly permissive configurations end in an event like the 2019 Capital One breach, where an over-privileged IAM role on a single compromised instance exposed customer data stored in S3. It does not have to be this way. Development and security teams can work from just a few simple AltorCloud IAM checks, and for each check listed below you also get remediation steps if your environment fails it.
The AltorCloud IAM checks are based on cloud IAM security best practices in these categories:
• Root Account Security
• Key and Credential Rotation
• Password Hygiene
• Admin/Ops Specifications
• Roles and Groups
• Privilege Escalation
• Logs and Alerts
Root Account Security
AWS recommends treating your root user access key "like you would your credit card numbers or any other sensitive secrets." The root user should only be used to set up your first administrative account; after that, delegate permissions through roles and groups. These checks show whether and when the root account has been used, confirm that MFA is enabled on it, and control root account access keys. They cover:
• Whether the root account has been used (and if so, how recently)
• Whether a root account access key exists (the root user should have none)
• Whether the root account has MFA enabled
• Whether the root account's MFA is a hardware device (some regulations specifically require hardware MFA)
• Whether MFA is enabled for every IAM user with a console password (anyone who has a console password but no MFA device is listed in the output)
• Whether any IAM user with administrator-level privileges was given access keys during initial user setup
Rotation of Keys and Credentials
AltorCloud recommends rotating access keys at least every 90 days and deactivating credentials that have been unused for 90 days or more. These checks confirm those timelines, plus a stricter 30-day variant for teams that prefer a shorter window:
• Disable credentials that have been inactive for 90 days or more.
• Make certain that access keys are rotated every 90 days or less.
• Disable credentials that have been inactive for 30 days or more.
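The root account checks and the rotation checks above can both be answered from a single artifact, the IAM credential report. The following Python is an added example, not AltorCloud's code: it parses a report with the real column layout and applies the root-access, root-key, root-MFA, console-without-MFA, 90-day rotation and 90/30-day inactivity checks. The report rows, the account ID and the users are constructed for the example, and "now" is pinned so the ages are reproducible; a live run would instead call `generate_credential_report` and `get_credential_report()["Content"].decode()` through boto3.

```python
"""Added example (not AltorCloud's code): root-account and credential-rotation
checks evaluated over an IAM credential report. The report below is a
constructed sample with the real column layout; users and timestamps are
made up, and NOW is pinned so the computed ages are reproducible."""
import csv
import io
from datetime import datetime, timezone

# Constructed sample credential report (account ID and users are fictitious).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-20T09:00:00+00:00,not_supported,not_supported,false,true,2020-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-25T08:00:00+00:00,2024-03-01T00:00:00+00:00,2024-05-30T00:00:00+00:00,true,true,2024-04-15T00:00:00+00:00,2024-05-25T08:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-01T00:00:00+00:00,true,2024-05-24T08:00:00+00:00,2024-01-05T00:00:00+00:00,2024-04-04T00:00:00+00:00,false,true,2023-11-01T00:00:00+00:00,2024-05-01T00:00:00+00:00,us-east-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-06-01T00:00:00+00:00,false,no_information,N/A,N/A,false,true,2024-03-15T00:00:00+00:00,2024-01-20T00:00:00+00:00,us-west-2,ecr,true,2024-05-10T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned for reproducibility


def parse_report(csv_text):
    """Rows of the credential report as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def age_days(value, now=NOW):
    """Whole days since an ISO-8601 report timestamp; None for the report's
    placeholders (N/A, no_information, not_supported)."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return (now - datetime.fromisoformat(value)).days


def check_root_account(rows, now=NOW, recent_days=30):
    """Root use, root access keys and root MFA. Hardware vs. virtual MFA is
    not in the report; that needs iam.list_virtual_mfa_devices() and a look
    for a device assigned to the root user."""
    root = next(r for r in rows if r["user"] == "<root_account>")
    findings = []
    uses = [a for a in (age_days(root["password_last_used"], now),
                        age_days(root["access_key_1_last_used_date"], now),
                        age_days(root["access_key_2_last_used_date"], now))
            if a is not None]
    if uses and min(uses) <= recent_days:
        findings.append(f"root account used {min(uses)} days ago")
    if "true" in (root["access_key_1_active"], root["access_key_2_active"]):
        findings.append("root account has an active access key")
    if root["mfa_active"] != "true":
        findings.append("root account MFA not enabled")
    return findings


def console_users_without_mfa(rows):
    """IAM users who can sign in with a password but have no MFA device."""
    return [r["user"] for r in rows
            if r["user"] != "<root_account>"
            and r["password_enabled"] == "true" and r["mfa_active"] != "true"]


def stale_access_keys(rows, now=NOW, max_age_days=90):
    """Active access keys not rotated within max_age_days: (user, key, age)."""
    stale = []
    for r in rows:
        for k in ("1", "2"):
            if r[f"access_key_{k}_active"] != "true":
                continue
            age = age_days(r[f"access_key_{k}_last_rotated"], now)
            if age is not None and age > max_age_days:
                stale.append((r["user"], f"access_key_{k}", age))
    return stale


def inactive_credentials(rows, now=NOW, max_idle_days=90):
    """Passwords and active keys unused for more than max_idle_days. A
    credential that was never used is measured from user creation or last
    rotation, so a key issued and then forgotten is still caught. Remediation:
    iam.delete_login_profile / iam.update_access_key(Status="Inactive")."""
    found = []
    for r in rows:
        if r["user"] == "<root_account>":
            continue
        if r["password_enabled"] == "true":
            idle = age_days(r["password_last_used"], now)
            if idle is None:
                idle = age_days(r["user_creation_time"], now)
            if idle is not None and idle > max_idle_days:
                found.append((r["user"], "password", idle))
        for k in ("1", "2"):
            if r[f"access_key_{k}_active"] != "true":
                continue
            idle = age_days(r[f"access_key_{k}_last_used_date"], now)
            if idle is None:
                idle = age_days(r[f"access_key_{k}_last_rotated"], now)
            if idle is not None and idle > max_idle_days:
                found.append((r["user"], f"access_key_{k}", idle))
    return found


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print("root:", check_root_account(rows))
    print("console users without MFA:", console_users_without_mfa(rows))
    print("keys older than 90 days:", stale_access_keys(rows))
    print("idle > 90 days:", inactive_credentials(rows, max_idle_days=90))
    print("idle > 30 days:", inactive_credentials(rows, max_idle_days=30))
```

On the sample, the root account was used 11 days ago, still has an active access key and has no MFA; bob signs in with a password but no MFA and holds a 213-day-old key; ci-deploy's first key has sat unused for 133 days, and bob's key only trips the stricter 30-day inactivity window. Note that the report is generated asynchronously and can be up to four hours old, so a key rotated minutes ago may still show as stale.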
Password Maintenance
Password policing is a pain. If your users sign in through SAML federation, the identity provider enforces its own password policy and you largely won't have to worry about it (though configuring these checks is still good practice, since the account password policy still governs any IAM users that remain). If you use the cloud provider's IAM as your user and password database, these checks make it easy to see whether something slipped through the cracks.
This set checks that the account password policy requires:
• At least one uppercase letter
• At least one lowercase letter
• At least one symbol
• At least one digit
• A minimum length of 14 characters
• No reuse of any of the previous 24 passwords
• Expiry after 90 days or less
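The following Python is an added example, not AltorCloud's code, showing how the password requirements listed above can be evaluated against the `PasswordPolicy` dict that boto3's `iam.get_account_password_policy()` returns, with a weak policy beside its hardened version. Two real-world quirks are handled: the API raises `NoSuchEntityException` when the account has no custom policy (modelled here as `None`), and it omits `MaxPasswordAge` when passwords do not expire and `PasswordReusePrevention` when no reuse limit is set, so a missing key is a failed requirement rather than a crash. The two policy dicts are constructed samples.

```python
"""Added example (not AltorCloud's code): evaluate an AWS account password
policy against the requirements listed above. WEAK_POLICY and
HARDENED_POLICY are constructed samples in the shape of the PasswordPolicy
dict returned by iam.get_account_password_policy()."""

# (requirement as listed above, PasswordPolicy key, predicate on its value)
REQUIREMENTS = [
    ("at least one uppercase letter", "RequireUppercaseCharacters", lambda v: v is True),
    ("at least one lowercase letter", "RequireLowercaseCharacters", lambda v: v is True),
    ("at least one symbol", "RequireSymbols", lambda v: v is True),
    ("at least one digit", "RequireNumbers", lambda v: v is True),
    ("minimum length of 14", "MinimumPasswordLength", lambda v: v >= 14),
    ("no reuse of the previous 24 passwords", "PasswordReusePrevention", lambda v: v >= 24),
    ("expiry of 90 days or less", "MaxPasswordAge", lambda v: 1 <= v <= 90),
]

# Constructed weak policy: no symbols, 8-character minimum, passwords never
# expire (so AWS omits MaxPasswordAge) and no reuse limit (key omitted too).
WEAK_POLICY = {
    "MinimumPasswordLength": 8, "RequireSymbols": False, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "ExpirePasswords": False, "HardExpiry": False,
}

# Constructed hardened policy meeting every requirement above.
HARDENED_POLICY = {
    "MinimumPasswordLength": 14, "RequireSymbols": True, "RequireNumbers": True,
    "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True, "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24, "HardExpiry": False,
}


def evaluate_password_policy(policy):
    """Return the failing requirements as (requirement, reason) pairs.

    policy is None when the account has no custom policy (boto3 raises
    NoSuchEntityException there); every requirement then fails, since the AWS
    default policy meets none of them (8-character minimum, no expiry, no
    reuse prevention). Keys AWS omits when a feature is off are failures."""
    if policy is None:
        return [(req, "no custom password policy set") for req, _, _ in REQUIREMENTS]
    failures = []
    for req, key, ok in REQUIREMENTS:
        if key not in policy:
            failures.append((req, f"{key} not set"))
        elif not ok(policy[key]):
            failures.append((req, f"{key}={policy[key]!r}"))
    return failures


def harden(policy):
    """A copy of policy (or of an empty one) that satisfies every requirement
    while keeping unrelated settings such as HardExpiry. Suitable for
    iam.update_account_password_policy(**harden(p)); that call is not a
    partial update, any parameter omitted reverts to its default, so the
    whole policy is always sent. ExpirePasswords is read-only and dropped."""
    fixed = dict(policy or {})
    fixed.update({
        "RequireUppercaseCharacters": True, "RequireLowercaseCharacters": True,
        "RequireSymbols": True, "RequireNumbers": True,
        "MinimumPasswordLength": max(14, fixed.get("MinimumPasswordLength", 0)),
        "PasswordReusePrevention": max(24, fixed.get("PasswordReusePrevention", 0)),
        "MaxPasswordAge": min(90, fixed.get("MaxPasswordAge", 90)),
    })
    fixed.setdefault("AllowUsersToChangePassword", True)
    fixed.pop("ExpirePasswords", None)
    return fixed


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("none", None)):
        print(name, evaluate_password_policy(pol))
    print("harden(weak) ==", harden(WEAK_POLICY))
```

Against the weak policy the check reports four failures (symbols, minimum length, reuse prevention and expiry); `harden()` returns exactly the hardened dict, which passes cleanly. Because `update_account_password_policy` resets anything you leave out, always push the full dict rather than just the failing keys.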
Admin/Ops Specifics
Keep the who, where, and what current so the information is at hand if something goes wrong. This set covers critical details such as:
• Whether security questions are set up for the AWS account
• Whether the contact email and phone numbers for AWS accounts are up to date (and map to more than one individual in your organization)
• Whether your security team's contact information is registered
• Whether a support role exists (an IAM role with the AWSSupportAccess managed policy attached) for managing incidents with AWS Support
Users, Roles, and Groups