ACCT.03 – Configure console access for each user - AWS Prescriptive Guidance

As a best practice, AWS recommends using temporary credentials to grant access to AWS accounts and resources. Temporary credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. For more information, see Temporary security credentials (IAM documentation).

For human users, AWS recommends using federated identities from a centralized identity provider (IdP), such as AWS IAM Identity Center, Okta, Active Directory, or Ping Identity. Federating users allows you to define identities in a single, central location, and users can securely authenticate to multiple applications and websites, including AWS, by using just one set of credentials. For more information, see Identity federation in AWS and IAM Identity Center (AWS website).

Note

Identity federation can complicate the transition from a single-account architecture to a multi-account architecture. It is common for startups to delay implementing identity federation until they have established a multi-account architecture managed in AWS Organizations.

To set up identity federation
  1. If you are using IAM Identity Center, see Getting started (IAM Identity Center documentation).

    If you are using an external or third-party IdP, see Creating IAM identity providers (IAM documentation).

  2. Make sure that your IdP enforces multi-factor authentication (MFA).

  3. Apply permissions according to ACCT.04 – Assign permissions.

For startups that are not prepared to configure identity federation, you can create users directly in IAM. This is not a recommended security best practice because these are long-term credentials that never expire. However, this is a common practice for startups in early operation to prevent difficulty with transitioning to a multi-account architecture when they’re operationally ready.

As a baseline, you can create an IAM user for each person who needs to access the AWS Management Console. If you configure IAM users, do not share credentials across users, and regularly rotate the long-term credentials.

Warning

IAM users have long-term credentials, which presents a security risk. To help mitigate this risk, we recommend that you provide these users with only the permissions they require to perform the task and that you remove these users when they are no longer needed.

To create an IAM user
  1. Create IAM users (IAM documentation).

  2. Apply permissions according to ACCT.04 – Assign permissions.
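A defender-side check for the IAM-user guidance above (MFA, regular rotation of long-term credentials, removal of users who are no longer needed), added here as an example and not AWS's own code: it parses the IAM credential report and lists each user's violations. The report's column names are real; the sample rows, the fixed "as of" time and the 90-day thresholds are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the column layout of the IAM credential report; a real report
# (`aws iam generate-credential-report`, then `get-credential-report`) has more columns,
# which the parser ignores because it reads columns by name. Not real account data.
SAMPLE_REPORT = """\
user,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,not_supported,2024-05-01T09:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
alice,true,2024-05-30T08:00:00+00:00,true,true,2024-04-01T00:00:00+00:00,2024-05-30T08:00:00+00:00,false,N/A,N/A
bob,true,2024-05-29T08:00:00+00:00,false,true,2023-02-01T00:00:00+00:00,2024-05-29T08:00:00+00:00,false,N/A,N/A
carol,true,2023-09-01T08:00:00+00:00,true,false,N/A,N/A,false,N/A,N/A
"""
AS_OF = datetime.fromisoformat("2024-06-01T00:00:00+00:00")  # fixed "now" for the sample

def _parse_ts(value):
    """Return an aware datetime, or None for N/A, not_supported and no_information."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None

def audit_credential_report(report_csv, now, max_key_age_days=90, max_idle_days=90):
    """Return {user: [violations]}: console password without MFA, an active access key
    not rotated within max_key_age_days, or no sign-in/key use within max_idle_days.
    The 90-day defaults are assumed thresholds, not values taken from the guidance."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root is not an IAM user; out of scope for this check
        issues = []
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            issues.append("console password enabled without MFA")
        used = [_parse_ts(row["password_last_used"])]
        for n in ("1", "2"):
            used.append(_parse_ts(row[f"access_key_{n}_last_used_date"]))
            if row[f"access_key_{n}_active"] == "true":
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                    issues.append(f"access key {n} not rotated in {max_key_age_days} days")
        used = [t for t in used if t is not None]
        if not used or now - max(used) > timedelta(days=max_idle_days):
            issues.append(f"unused for {max_idle_days} days; candidate for removal")
        if issues:
            findings[row["user"]] = issues
    return findings
```

Run it against a real report by passing the decoded `Content` field of `get-credential-report` and `datetime.now(timezone.utc)` as `now`.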