Profile Applicability:

  • Level 2

Description:
AWS Identity and Access Management (IAM) lets users and applications assume roles and obtain temporary security credentials from AWS Security Token Service (STS) instead of using long-term access keys. Temporary credentials are short-lived (one hour by default for AssumeRole; the role's maximum session duration caps them at no more than 12 hours) and expire automatically, so a leaked credential is useful to an attacker only until it expires. Requiring principals to work through IAM roles also confines each session to the role's permission set, which supports least privilege, and removes the long-term secrets that would otherwise have to be stored, distributed and rotated.

Rationale:
Static IAM user access keys are the credentials most often leaked (committed to source control, baked into images, left in CI variables) and they remain valid until someone deletes them. Temporary credentials obtained through a role expire after a fixed duration and the caller must re-assume the role to continue, so a stolen credential has a bounded lifetime and no manual rotation is needed. Roles also narrow exposure: each session carries only the role's permissions (optionally narrowed further by a session policy), and the role's trust policy controls exactly which principals may assume it and under which conditions (for example, only from an MFA-authenticated session).

Impact:
Pros:

  • Reduces the risk of long-term credential exposure.

  • Enhances security through automatic expiration: a new session must be obtained rather than a long-lived key rotated.

  • Supports best practices for least privilege access.

  • Simplifies credential management and auditing.

Cons:

  • Requires additional configuration and management of IAM roles.

  • Users may require training on how to assume roles correctly.

Default Value:
By default nothing prevents the creation of long-term access keys: any principal with the iam:CreateAccessKey permission can create up to two access keys per IAM user, and those keys never expire on their own. AWS recommends using IAM roles (and, for human users, federated access through IAM Identity Center) instead of long-term access keys.

Pre-requisites:

  • AWS IAM permissions for the commands used below:

    • iam:ListUsers and iam:ListAccessKeys (audit)

    • iam:CreateRole, iam:AttachRolePolicy, and iam:PutUserPolicy or iam:AttachUserPolicy (remediation)

    • iam:UpdateAccessKey and iam:DeleteAccessKey (retiring existing keys)

    • sts:AssumeRole (verification)

    • cloudtrail:LookupEvents (reviewing AssumeRole activity)

    • iam:CreatePolicy (if defining customer managed policies for role-based access control), and iam:PassRole only where a role is passed to an AWS service

  • AWS CLI installed and configured.

  • Appropriate IAM roles set up with policies that grant least privilege access.

Remediation:

Test Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to IAM > Roles.

  3. Under Roles, review each role's trust policy and its Last activity value to see which roles are actually being assumed by users and services.

  4. Under Users, open each user's Security credentials tab (or download the Credential report from the Access reports section) and note every active access key.

  5. Confirm that users and workloads obtain temporary credentials by assuming roles through AWS STS (Security Token Service) or through federated sign-in, rather than by using those access keys.

Using AWS CLI:

  1. List IAM users (this lists every user; step 2 checks each one for access keys):

    aws iam list-users --query "Users[*].UserName"

  2. Check for access keys associated with each IAM user:

    aws iam list-access-keys --user-name <USER_NAME>

  3. Validate that users are assuming roles instead of using access keys by checking CloudTrail for AssumeRole calls (recorded with event source sts.amazonaws.com; lookup-events covers only the last 90 days of management events in the current region, so query the trail's log bucket or CloudTrail Lake for older history):

    aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole
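The CLI steps above check users one at a time. The following is an added example, not part of the original page, that performs the same audit in one pass over the IAM credential report, which covers every user (including the root account) in a single download obtained with `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d`. The embedded report, the account ID 111122223333, the user names and the 90-day and 45-day thresholds are constructed assumptions for the example; the column names are those of the real report.

```python
import csv
import io
import sys
from datetime import datetime, timezone

# Constructed sample of the IAM credential report (same columns as the real
# one). Account ID, user names and dates are placeholders, not real data.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2020-01-01T00:00:00+00:00,not_supported,no_information,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2021-03-10T09:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-06-01T12:00:00+00:00,2024-05-30T08:15:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-07-04T10:00:00+00:00,true,2024-06-01T07:00:00+00:00,2024-03-01T07:00:00+00:00,2024-09-01T07:00:00+00:00,true,true,2024-05-20T00:00:00+00:00,N/A,N/A,N/A,false,2023-01-01T00:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-02-02T10:00:00+00:00,true,2024-06-02T07:00:00+00:00,2024-04-01T07:00:00+00:00,2024-10-01T07:00:00+00:00,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "current time" so the sample audit is reproducible (an assumption).
SAMPLE_NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and
    not_supported all mean 'no value'."""
    if value in ("", "N/A", "no_information", "not_supported"):
        return None
    return datetime.fromisoformat(value)


def audit_credential_report(report_csv, now, max_age_days=90, unused_days=45):
    """Return one finding per active long-term access key.

    Every active key is a finding for this recommendation; the reasons list
    additionally flags keys older than max_age_days and keys that were never
    used or not used for more than unused_days (the safest ones to
    deactivate first).
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = _parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = _parse_ts(row[f"access_key_{slot}_last_used_date"])
            age_days = (now - rotated).days if rotated else None
            reasons = ["active long-term access key"]
            if age_days is not None and age_days > max_age_days:
                reasons.append(f"older than {max_age_days} days ({age_days}d)")
            if last_used is None:
                reasons.append("never used")
            elif (now - last_used).days > unused_days:
                reasons.append(f"not used in the last {unused_days} days")
            findings.append({
                "user": row["user"],
                "arn": row["arn"],
                "key_slot": slot,
                "age_days": age_days,
                "reasons": reasons,
            })
    return findings


def users_without_keys(report_csv):
    """Users (root excluded) that already have no active access keys."""
    return [
        row["user"] for row in csv.DictReader(io.StringIO(report_csv))
        if row["user"] != "<root_account>"
        and row["access_key_1_active"] != "true"
        and row["access_key_2_active"] != "true"
    ]


if __name__ == "__main__":
    # `python audit_keys.py -` reads a real (base64-decoded) report from stdin;
    # with no argument the constructed sample is audited.
    report = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_REPORT
    now = datetime.now(timezone.utc) if sys.argv[1:] == ["-"] else SAMPLE_NOW
    for f in audit_credential_report(report, now):
        print(f"{f['user']} key {f['key_slot']}: {'; '.join(f['reasons'])}")
    print("users already key-free:", ", ".join(users_without_keys(report)))
```

The report is generated asynchronously, so `get-credential-report` may need to be retried a few seconds after `generate-credential-report`; the report also only refreshes every four hours, which is adequate for this audit but not for detecting a key created minutes ago.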

Implementation Plan:
Using AWS Console:

  1. Navigate to IAM > Roles and create IAM roles with the permissions each task actually needs.

  2. Grant users, services, or federated identities the ability to assume the roles by naming them as principals in each role's trust policy (and, where needed, by attaching a policy that allows sts:AssumeRole on the role).

  3. Deactivate and then delete the users' existing access keys, and attach a policy that denies iam:CreateAccessKey so that new long-term keys cannot be created.

  4. Educate users on how to assume roles using AWS CLI, SDKs, or the AWS Console.

  5. Monitor and audit IAM role usage via CloudTrail.

Using AWS CLI:

  1. Create an IAM role:

    aws iam create-role --role-name <ROLE_NAME> --assume-role-policy-document file://trust-policy.json

  2. Attach policies to the role (the arn:aws:iam::aws:policy/ prefix is for AWS managed policies; a customer managed policy uses arn:aws:iam::<ACCOUNT_ID>:policy/<POLICY_NAME>):

    aws iam attach-role-policy --role-name <ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/<POLICY_NAME>

  3. Allow users to assume the role: name their ARNs as principals in the role's trust policy, or attach an identity policy that allows sts:AssumeRole on the role ARN (required when the trust policy delegates to the whole account, i.e. names arn:aws:iam::<ACCOUNT_ID>:root as the principal).

  4. Retire the users' long-term access keys. Access keys are managed per key ID: deactivate each key first so it can be reactivated if something breaks, then delete it once the role-based path is confirmed working:

    aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Inactive

    aws iam delete-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID>

  5. Verify that users assume roles correctly using AWS STS. The response contains temporary credentials (AccessKeyId, SecretAccessKey, SessionToken and Expiration); export them as AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN, or configure a CLI profile with role_arn and source_profile so the CLI assumes the role automatically:

    aws sts assume-role --role-arn arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_NAME> --role-session-name <SESSION_NAME>
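The steps above reference trust-policy.json without showing its contents. The following added example (not from the original page) generates the three policy documents the implementation needs and lints the trust policy for the two mistakes that undermine this control: a wildcard or account-wide principal, and no condition on the assume call. The account ID 111122223333, the role name DeployOperator and the user alice are placeholder assumptions.

```python
import json

# Placeholders (assumptions for this example), not values from the page.
ACCOUNT_ID = "111122223333"
ROLE_NAME = "DeployOperator"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"
USER_ARNS = [f"arn:aws:iam::{ACCOUNT_ID}:user/alice"]


def trust_policy(principal_arns, require_mfa=True):
    """Trust policy for create-role: only the listed principals may assume the
    role and, by default, only from an MFA-authenticated session."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": list(principal_arns)},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def assume_role_permissions(role_arn):
    """Identity policy for the user: may assume exactly this role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}]}


def deny_access_key_creation():
    """Explicit Deny so the user can neither create new long-term keys nor
    reactivate deactivated ones; pair it with deleting the existing keys."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:UpdateAccessKey"],
        "Resource": "*"}]}


def lint_trust_policy(policy):
    """Return the ways a trust policy is broader than this control intends."""
    problems = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # Principal may be the string "*" or a map such as {"AWS": [...]}.
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in [aws] if isinstance(aws, str) else aws:
            if p == "*":
                problems.append("wildcard principal: any AWS principal may assume the role")
            elif p.endswith(":root"):
                problems.append(f"account-wide principal {p}: any principal in that "
                                "account with sts:AssumeRole permission may assume the role")
        if "Condition" not in st:
            problems.append("no Condition: require aws:MultiFactorAuthPresent "
                            "(or sts:ExternalId for cross-account trust)")
    return problems


if __name__ == "__main__":
    docs = {
        "trust-policy.json": trust_policy(USER_ARNS),
        "assume-role-permissions.json": assume_role_permissions(ROLE_ARN),
        "deny-access-keys.json": deny_access_key_creation(),
    }
    problems = lint_trust_policy(docs["trust-policy.json"])
    assert not problems, problems
    for name, doc in docs.items():
        with open(name, "w") as fh:
            json.dump(doc, fh, indent=2)
        print("wrote", name)
```

With the files written, `aws iam create-role --role-name DeployOperator --assume-role-policy-document file://trust-policy.json` creates the role and `aws iam put-user-policy --user-name alice --policy-name DenyAccessKeys --policy-document file://deny-access-keys.json` blocks new keys for the user. A user named explicitly in a same-account trust policy can assume the role without assume-role-permissions.json; that identity policy is needed when the trust policy delegates to the account's root principal instead.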

Backout Plan:
Using AWS Console:

  1. Sign in to the AWS Management Console and navigate to IAM.

  2. Identify the affected user or role and review permission changes.

  3. Reactivate deactivated access keys for affected users if necessary (a deleted key cannot be restored; a new key would have to be created instead).

  4. Update IAM policies to allow temporary exceptions if needed.

  5. Document any changes made and notify relevant stakeholders.

Using AWS CLI:

  1. List IAM users to identify affected users:

    aws iam list-users --query "Users[*].UserName"

  2. Reactivate a deactivated key for a specific user if required (a deleted key cannot be restored; create-access-key issues a new key pair instead):

    aws iam update-access-key --user-name <USER_NAME> --access-key-id <ACCESS_KEY_ID> --status Active

    aws iam create-access-key --user-name <USER_NAME>

  3. Restore previous IAM policies by attaching the necessary policies (and detach or delete any deny policy added during remediation):

    aws iam attach-user-policy --user-name <USER_NAME> --policy-arn arn:aws:iam::aws:policy/<POLICY_NAME>

  4. Monitor CloudTrail logs to assess the impact of the rollback and take corrective action as needed.

Reference:

  • AWS IAM: AssumeRole API

  • AWS STS: Temporary Security Credentials

  • AWS Best Practices: IAM Role-Based Access Control

CIS Controls:

Version   Control ID   Control Description
7.1       4.1          Ensure IAM roles are used instead of long-term credentials.
7.1       16.1         Enforce security best practices for authentication and access control.