Profile Applicability
Level 1
Description
This control ensures that AWS access control and authentication mechanisms are enabled for managing and protecting AWS database services. Access control is implemented with AWS Identity and Access Management (IAM) roles and policies, together with authentication methods such as Multi-Factor Authentication (MFA), to control which users and services can reach which resources.
Rationale
Enabling proper authentication and access control limits the exposure of sensitive data by ensuring only authorized users or services have access. It minimizes the risk of unauthorized access and helps comply with security and regulatory standards.
Impact
Pros: Enhances security by enforcing strict access policies, ensures compliance with security best practices, reduces the risk of data breaches.
Cons: Can add complexity in configuring IAM roles, policies, and MFA. Misconfigurations may result in denied access or unwanted exposure.
Default Value
By default, IAM users and roles have no access to AWS services unless explicitly granted permissions through policies. MFA is not enabled by default.
Pre-Requisites
IAM permissions to modify roles and policies.
Configured MFA (if required for higher security).
Basic understanding of IAM roles, policies, and trust relationships.
Remediation
Test Plan
Review IAM roles and policies to ensure only authorized users have access.
Check that MFA is enabled for sensitive IAM users.
Verify that each user holds only the privileges required for their tasks, following the principle of least privilege.
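The three checks above can be scripted. The helpers below are an added example, not part of this benchmark: they work on the data shapes the IAM API returns, use constructed sample users, MFA devices and a policy document so they run offline, and assume boto3 with configured credentials only for the optional live collector.

```python
"""Added audit helpers for the test plan above (not part of the benchmark):
flag IAM users with no MFA device and Allow statements granting '*' on '*'."""

def users_without_mfa(users, mfa_devices_by_user):
    """users: dicts from iam.list_users(); mfa_devices_by_user maps UserName to
    the list from iam.list_mfa_devices(). Returns user names with no device
    (does not distinguish API-only users, who may have no console password)."""
    return sorted(u["UserName"] for u in users
                  if not mfa_devices_by_user.get(u["UserName"]))

def wildcard_statements(policy_document):
    """Return (Sid, broad_actions, resources) for each Allow statement whose
    Action includes '*' or 'service:*' and whose Resource includes '*'."""
    statements = policy_document.get("Statement", [])
    if isinstance(statements, dict):  # IAM accepts a single bare statement
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions, resources = stmt.get("Action", []), stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        broad = [a for a in actions if a == "*" or a.endswith(":*")]
        if broad and "*" in resources:
            findings.append((stmt.get("Sid", "<no Sid>"), broad, resources))
    return findings

def collect_from_aws():
    """Live collector (assumes boto3 is installed and credentials configured);
    imported lazily so the constructed sample below runs offline."""
    import boto3
    iam = boto3.client("iam")
    users = [u for page in iam.get_paginator("list_users").paginate()
             for u in page["Users"]]
    return users, {u["UserName"]: iam.list_mfa_devices(
        UserName=u["UserName"])["MFADevices"] for u in users}

# Constructed sample data in the shapes the IAM API returns.
SAMPLE_USERS = [{"UserName": "alice"}, {"UserName": "bob"}]
SAMPLE_MFA = {"alice": [{"SerialNumber": "arn:aws:iam::123456789012:mfa/alice"}],
              "bob": []}
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "ReadBucket", "Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "Everything", "Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    print(users_without_mfa(SAMPLE_USERS, SAMPLE_MFA), wildcard_statements(SAMPLE_POLICY))
```

Against the sample data the first check reports bob and the second reports the "Everything" statement; swap the constructed inputs for the tuple returned by collect_from_aws() and the policy documents from get_policy_version to audit a live account.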
Implementation Plan
Using AWS Console
Sign in to the AWS Management Console.
Navigate to IAM:
In the Console, go to Security, Identity, & Compliance and select IAM.
Enable Multi-Factor Authentication (MFA) for IAM Users:
In the IAM Dashboard, click on Users.
Select the user for whom you want to enable MFA.
In the User details, click on Security Credentials.
Under Multi-Factor Authentication (MFA), click on Assign MFA device and follow the steps to enable.
Create IAM Roles and Policies:
Go to Roles in IAM and click Create role.
Select the type of trusted entity (e.g., AWS service, other AWS account).
Attach policies to this role based on the access requirements.
Review and create the role.
Attach IAM Policies:
Under Users or Roles, select a user/role.
In Permissions, click Add permissions and attach the necessary policy (e.g., AmazonS3FullAccess, AdministratorAccess).
Using AWS CLI
Create an IAM Role:
aws iam create-role --role-name MyRole --assume-role-policy-document file://trust-policy.json
Attach a policy to the role:
aws iam attach-role-policy --role-name MyRole --policy-arn arn:aws:iam::aws:policy/AdministratorAccess
Enable MFA for a user:
aws iam enable-mfa-device --user-name MyUser --serial-number arn:aws:iam::123456789012:mfa/MyMFA --authentication-code1 123456 --authentication-code2 654321
Create an IAM Policy:
aws iam create-policy --policy-name MyPolicy --policy-document file://policy.json
Attach a policy to a user:
aws iam attach-user-policy --user-name MyUser --policy-arn arn:aws:iam::123456789012:policy/MyPolicy
Backout Plan
Using AWS Console
Remove MFA:
Navigate to IAM > Users, select the user.
Under Security credentials, click Deactivate for MFA.
Delete IAM Role:
In IAM, navigate to Roles, select the role, and click Delete Role.
Detach Policies from Users/Roles:
In IAM, navigate to Users or Roles, select the user/role.
Under Permissions, click Detach policies.
Using AWS CLI
Remove MFA for a user:
aws iam deactivate-mfa-device --user-name MyUser --serial-number arn:aws:iam::123456789012:mfa/MyMFA
Delete an IAM Role:
aws iam delete-role --role-name MyRole
Detach a policy from a user:
aws iam detach-user-policy --user-name MyUser --policy-arn arn:aws:iam::123456789012:policy/MyPolicy