Profile Applicability

  • Level 1

Description

Implement AWS Identity and Access Management (IAM) to manage and restrict access to database services. IAM enables you to define users, groups, roles, and policies that grant fine-grained permissions for resources such as Amazon QLDB.

Rationale

IAM ensures that only authorized users and systems can interact with AWS services. It reduces the risk of unauthorized access, data leaks, and unapproved configurations by enforcing identity verification and permission boundaries.

Impact

Proper IAM implementation protects sensitive data and system configurations. If IAM credentials are compromised, access is still controlled by roles and policies, minimizing potential damage.

Default Value

By default, IAM users and roles do not have access to AWS services until permissions are explicitly granted.

Pre-Requisites

  • AWS account with administrative privileges.

  • Knowledge of roles, policies, and user/group creation.

Remediation

Test Plan

  1. Review the IAM users and roles assigned to the database.

  2. Confirm that policies adhere to the principle of least privilege.

  3. Ensure CloudTrail is enabled to monitor IAM activity.

Implementation Plan

Using AWS Console
  1. Sign in to AWS Management Console.

  2. Navigate to IAM under Security, Identity & Compliance.

  3. Create IAM users, groups, or roles as needed.

  4. Define custom IAM policies or use AWS-managed ones.

  5. Attach the policies to appropriate users, groups, or roles.

  6. For applications/services, create IAM roles with trust relationships and assign necessary permissions.

  7. Enable IAM database authentication (if supported).

  8. Configure applications to use IAM roles.

  9. Monitor access via CloudTrail and audit logs.

Using AWS CLI
  1. Create a policy file policy.json with the required permissions, then create the policy from it:

     aws iam create-policy --policy-name QLDBAccessPolicy --policy-document file://policy.json

  2. Create a user:

     aws iam create-user --user-name QLDBUser

  3. Attach the policy to the user:

     aws iam attach-user-policy --user-name QLDBUser --policy-arn arn:aws:iam::123456789012:policy/QLDBAccessPolicy

  4. Create a role (trust-policy.json defines which principals may assume it):

     aws iam create-role --role-name QLDBAppRole --assume-role-policy-document file://trust-policy.json

  5. Attach the policy to the role:

     aws iam attach-role-policy --role-name QLDBAppRole --policy-arn arn:aws:iam::123456789012:policy/QLDBAccessPolicy
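The CLI steps above and the Test Plan's least-privilege check (step 2), as an added example script that is not part of this benchmark: it writes a policy.json scoped to a single QLDB ledger (allowing only qldb:SendCommand and qldb:DescribeLedger), a trust-policy.json for an EC2-hosted application, checks both documents for wildcard actions, resources or principals, and runs the aws iam commands listed above only when RUN_APPLY=1 and the aws CLI is installed. The account id 123456789012 is the page's own placeholder; the region, ledger name and EC2 trust principal are assumptions.

```shell
#!/bin/sh
# Added example (not part of the benchmark): build least-privilege IAM
# documents for one QLDB ledger, check them for wildcards, and optionally
# apply the Implementation Plan's aws iam commands.

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"     # placeholder account id from the page's ARNs
REGION="${REGION:-us-east-1}"                # assumption
LEDGER_NAME="${LEDGER_NAME:-example-ledger}" # constructed ledger name
WORKDIR="${WORKDIR:-$(mktemp -d)}"           # where policy.json / trust-policy.json are written

# policy.json: only the session actions the application needs, on one ledger.
write_policy_document() {
  cat > "$WORKDIR/policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "QldbSessionOnOneLedger",
      "Effect": "Allow",
      "Action": ["qldb:SendCommand", "qldb:DescribeLedger"],
      "Resource": "arn:aws:qldb:${REGION}:${ACCOUNT_ID}:ledger/${LEDGER_NAME}"
    }
  ]
}
EOF
}

# trust-policy.json: which principal may assume QLDBAppRole (EC2 assumed here).
write_trust_policy() {
  cat > "$WORKDIR/trust-policy.json" <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "ec2.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Test Plan step 2: return 1 if the document contains a bare "*" (any
# action, resource or principal) or a service-wide wildcard such as "qldb:*".
check_least_privilege() {
  file="$1"
  if grep -Eq '"\*"' "$file"; then
    echo "FAIL: $file contains a bare wildcard (\"*\")"
    return 1
  fi
  if grep -Eq '"[[:alnum:]-]+:\*"' "$file"; then
    echo "FAIL: $file grants a service-wide wildcard action"
    return 1
  fi
  echo "OK: $file has no wildcard actions, resources or principals"
  return 0
}

# Implementation Plan CLI steps 1-5; needs AWS credentials and the aws CLI.
apply_iam() {
  command -v aws >/dev/null 2>&1 || { echo "aws CLI not found; nothing applied"; return 2; }
  policy_arn="arn:aws:iam::${ACCOUNT_ID}:policy/QLDBAccessPolicy"
  aws iam create-policy --policy-name QLDBAccessPolicy --policy-document "file://$WORKDIR/policy.json" &&
  aws iam create-user --user-name QLDBUser &&
  aws iam attach-user-policy --user-name QLDBUser --policy-arn "$policy_arn" &&
  aws iam create-role --role-name QLDBAppRole --assume-role-policy-document "file://$WORKDIR/trust-policy.json" &&
  aws iam attach-role-policy --role-name QLDBAppRole --policy-arn "$policy_arn"
}

write_policy_document
write_trust_policy
check_least_privilege "$WORKDIR/policy.json"
check_least_privilege "$WORKDIR/trust-policy.json"
echo "Policy documents written to $WORKDIR"
# Dry run by default; set RUN_APPLY=1 to execute the aws iam commands.
if [ "${RUN_APPLY:-0}" = "1" ]; then
  apply_iam
fi
```

Run it once without RUN_APPLY to inspect the generated documents, then again with RUN_APPLY=1 under credentials that hold IAM write permissions. The wildcard check is deliberately strict: a policy that needs more QLDB actions should list them explicitly rather than fall back to qldb:*.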


Backout Plan

Using AWS Console
  1. Navigate to IAM.

  2. Detach IAM policies from users or roles.

  3. Delete IAM users, groups, or roles if no longer required.

  4. Remove trust relationships or role assumptions for services.

Using AWS CLI
  1. Detach the user policy:

     aws iam detach-user-policy --user-name QLDBUser --policy-arn arn:aws:iam::123456789012:policy/QLDBAccessPolicy

  2. Detach the role policy:

     aws iam detach-role-policy --role-name QLDBAppRole --policy-arn arn:aws:iam::123456789012:policy/QLDBAccessPolicy

  3. Delete the IAM user:

     aws iam delete-user --user-name QLDBUser

  4. Delete the IAM role:

     aws iam delete-role --role-name QLDBAppRole

References