- Newest
- Most votes
- Most comments
The use of credentials is not a recommended approach by AWS; the action that is always recommended is the use of IAM Roles because they are an identity that can be created in AWS IAM and have permissions assigned to them directly or via IAM policies. However, unlike users, an IAM Role does not have a password, as it is assumed at runtime. In this way, I have outlined some steps for you to follow that will greatly enhance your security posture:
- Replace all long-term credentials with IAM Roles using the principle of Least Privilege.
- Require human users to use federation with an identity provider to access AWS using temporary credentials.
- Require multi-factor authentication (MFA).
- Use IAM Access Analyzer. You can get more details and delve into the steps I mentioned above through these links: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#bp-users-federation-idp https://aws.amazon.com/pt/iam/resources/best-practices/
However, I understand that this will be a time-consuming activity, and you may need a quicker solution. Therefore, a temporary solution you can use while implementing the above steps is to add an additional condition, using the OR logic, in your policies allowing access to the aws:ViaAWSService key, allowing access either via your VPN’s IPs OR via AWS services (you can check about this key in this link: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-viaawsservice). But again, I emphasize that this is only a temporary solution that, while functional, is not as secure as the one I initially mentioned.
Relevant content
- asked a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 10 months ago
- AWS OFFICIALUpdated 2 years ago