FSISEC03: How do you monitor the use of elevated credentials, such as administrative accounts, and guard against privilege escalation?
IAM policies are powerful and complex, so it is important to study and understand the permissions that each policy grants. Mitigate privilege escalation and monitor for unauthorized activity in your AWS accounts.
FSISEC03-BP01 Review IAM policies and permissions
IAM policies are powerful and complex, so it is important to study and understand the permissions that each policy grants.
As part of the tight controls FIs implement around identity management, periodically review your IAM roles using last accessed information. IAM reports the last time an IAM entity (user or role) attempted to access each service; use that information to delete roles that are no longer in use. Before you delete a role, review its recent service-level activity in the service last accessed data report, and use the same data to refine its policies so that they allow only the services that are actually in use. Repeat this process for each type of IAM entity for which last accessed data is available (users, groups, roles and policies).
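The review described above, as an added example that is not part of the Lens or of any AWS tooling: it takes role last-used data and service last-accessed data in the shapes the IAM API returns (RoleLastUsed from GetRole/ListRoles, ServicesLastAccessed from GetServiceLastAccessedDetails) and produces a delete-or-trim decision per role. The sample roles, the fixed review date and the 90-day inactivity threshold are constructed assumptions; in practice you would fetch the data with the AWS CLI or boto3 and set the threshold to what your access-review policy requires.

```python
from datetime import datetime, timedelta, timezone

# Fixed "today" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
# Inactivity threshold. 90 days is an assumption for this example.
STALE_AFTER = timedelta(days=90)

# Constructed sample data shaped like the real API responses:
#   RoleLastUsed         from iam:GetRole / iam:ListRoles (empty dict when the role was never used)
#   ServicesLastAccessed from iam:GetServiceLastAccessedDetails; LastAuthenticated is omitted
#                        for services the role is allowed to call but never did in the tracking period
ROLES = [
    {
        "RoleName": "payments-lambda-exec",
        "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=3), "Region": "us-east-1"},
        "ServicesLastAccessed": [
            {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=3)},
            {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=10)},
            {"ServiceNamespace": "ec2", "LastAuthenticated": NOW - timedelta(days=200)},
            {"ServiceNamespace": "iam"},
        ],
    },
    {
        "RoleName": "legacy-migration",
        "RoleLastUsed": {"LastUsedDate": NOW - timedelta(days=400), "Region": "us-east-1"},
        "ServicesLastAccessed": [
            {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=400)},
        ],
    },
    {
        "RoleName": "never-assumed",
        "RoleLastUsed": {},
        "ServicesLastAccessed": [{"ServiceNamespace": "s3"}],
    },
]


def is_stale(last_used, now=NOW, threshold=STALE_AFTER):
    """True when there is no timestamp at all, or it is older than the threshold."""
    return last_used is None or now - last_used > threshold


def unused_roles(roles, now=NOW, threshold=STALE_AFTER):
    """Roles never assumed, or not assumed within the threshold: deletion candidates."""
    return sorted(
        role["RoleName"]
        for role in roles
        if is_stale(role["RoleLastUsed"].get("LastUsedDate"), now, threshold)
    )


def split_services(role, now=NOW, threshold=STALE_AFTER):
    """Return (used, unused) service namespaces for one role.

    'used' is what the role's policies should keep allowing; 'unused' is what they
    currently grant but the role has not exercised, so it can be removed.
    """
    used, unused = [], []
    for svc in role["ServicesLastAccessed"]:
        target = unused if is_stale(svc.get("LastAuthenticated"), now, threshold) else used
        target.append(svc["ServiceNamespace"])
    return sorted(used), sorted(unused)


def access_review(roles, now=NOW, threshold=STALE_AFTER):
    """One report row per role: delete it, or keep it and trim the unused services."""
    report = {}
    for role in roles:
        if role["RoleName"] in unused_roles([role], now, threshold):
            report[role["RoleName"]] = {"action": "delete"}
            continue
        used, unused = split_services(role, now, threshold)
        report[role["RoleName"]] = {"action": "keep", "allow": used, "remove": unused}
    return report


if __name__ == "__main__":
    for name, row in access_review(ROLES).items():
        print(name, row)
```

Service-level data only tells you which service namespaces were used, not which actions, so treat the "remove" list as the first cut and tighten further with action last accessed information where IAM provides it.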
FSISEC03-BP02 Mitigate privilege escalation
Privilege escalation is the ability of a user to obtain permissions beyond those they were granted, often by way of improperly written code or misconfigurations. It does not require administrator or full-access permissions to begin with: a number of narrower permissions can be misused to reach them. To help avoid such scenarios, pay close attention to permissions that allow the creation, change and deletion of users, roles and policies (for example iam:CreatePolicyVersion, iam:AttachRolePolicy, iam:UpdateAssumeRolePolicy and iam:PassRole).
To help prevent privilege escalation, use service control policies (SCPs) to block principals in your accounts, other than IAM administrators or delegated administrators, from performing administrative IAM actions. Delegation is a common practice for FIs. If you want to delegate permissions management safely to trusted employees, use IAM permissions boundaries, which cap the maximum permissions that an identity-based policy can grant to a user or role. Require delegates to attach an approved boundary to every role they create, and deny everyone but the IAM administrators the ability to remove a boundary. Developers can then create IAM roles for Lambda functions and Amazon EC2 instances without exceeding the limits your IAM administrators defined.
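The SCP and permissions boundary pattern described above, as an added example that is not part of the Lens or of any AWS tooling. The role names, account ID and boundary policy ARN are placeholders, and the policy evaluator is a deliberately simplified model of IAM's decision logic (explicit deny anywhere wins, then the boundary must allow, then the identity policy must allow; it assumes the default FullAWSAccess SCP is still attached so the SCP layer only contributes denies). What it does reproduce faithfully is the detail the pattern depends on: iam:PermissionsBoundary is absent from a CreateRole request that passes no boundary, and a negated condition operator such as StringNotEquals evaluates true on an absent key, so the deny applies.

```python
from fnmatch import fnmatchcase

# Placeholders for the account's own admin role, delegate role and approved boundary policy.
ADMIN_ROLE = "arn:aws:iam::*:role/IAMAdmin"
DELEGATE_ROLE = "arn:aws:iam::*:role/DevDelegate"
BOUNDARY_ARN = "arn:aws:iam::111122223333:policy/DeveloperBoundary"

# Service control policy: the organization-level guardrail.
SCP = {"Version": "2012-10-17", "Statement": [
    {   # Only the IAM admin and the delegate may perform IAM writes at all.
        "Sid": "IamWritesOnlyByAdminOrDelegate", "Effect": "Deny",
        "Action": ["iam:Create*", "iam:Delete*", "iam:Put*", "iam:Attach*",
                   "iam:Detach*", "iam:Update*", "iam:Set*", "iam:Add*"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": [ADMIN_ROLE, DELEGATE_ROLE]}},
    },
    {   # Anyone but the admin must attach the approved boundary to new principals.
        "Sid": "DelegateMustAttachApprovedBoundary", "Effect": "Deny",
        "Action": ["iam:CreateRole", "iam:CreateUser",
                   "iam:PutRolePermissionsBoundary", "iam:PutUserPermissionsBoundary"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE},
                      "StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
    },
    {   # Nobody but the admin may strip a boundary once it is attached.
        "Sid": "OnlyAdminRemovesBoundary", "Effect": "Deny",
        "Action": ["iam:DeleteRolePermissionsBoundary", "iam:DeleteUserPermissionsBoundary"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": ADMIN_ROLE}},
    },
]}

# The boundary: the most a delegate-created role can ever do, whatever its own policy says.
DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["lambda:*", "ec2:*", "s3:*", "logs:*", "dynamodb:*"], "Resource": "*"},
]}

# Identity policies used in the walkthrough (constructed).
DELEGATE_POLICY = {"Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole", "lambda:*"]}]}
OVERBROAD_APP_POLICY = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

SUPPORTED_OPS = {"StringEquals", "StringNotEquals", "ArnLike", "ArnNotLike"}
NEGATED_OPS = {"StringNotEquals", "ArnNotLike"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, ctx):
    """Evaluate a Condition block against the request context (subset of IAM operators)."""
    for op, pairs in condition.items():
        if op not in SUPPORTED_OPS:
            raise ValueError(f"operator {op} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            hit = actual is not None and any(
                fnmatchcase(actual, e) if op.startswith("Arn") else actual == e
                for e in _as_list(expected))
            # A positive operator needs a hit; a negated operator needs no hit,
            # which means an absent key satisfies it (this is what catches a
            # CreateRole request that carries no boundary at all).
            if (op in NEGATED_OPS) == hit:
                return False
    return True


def _first_match(policy, effect, action, ctx):
    """Sid of the first statement with this effect whose Action and Condition match, else None."""
    for st in policy["Statement"]:
        if (st["Effect"] == effect
                and any(fnmatchcase(action, a) for a in _as_list(st["Action"]))
                and _condition_holds(st.get("Condition", {}), ctx)):
            return st.get("Sid", effect)
    return None


def evaluate(principal_arn, action, identity_policy, boundary=None, request=None):
    """Simplified IAM decision: explicit deny anywhere > boundary must allow > identity must allow."""
    ctx = {"aws:PrincipalArn": principal_arn, **(request or {})}
    for layer, policy in (("SCP", SCP), ("boundary", boundary), ("identity policy", identity_policy)):
        sid = policy and _first_match(policy, "Deny", action, ctx)
        if sid:
            return False, f"explicit deny by {layer} statement {sid}"
    if boundary is not None and not _first_match(boundary, "Allow", action, ctx):
        return False, "not within permissions boundary"
    if not _first_match(identity_policy, "Allow", action, ctx):
        return False, "no identity policy allow"
    return True, "allowed"


DELEGATE = "arn:aws:iam::111122223333:role/DevDelegate"
ANALYST = "arn:aws:iam::111122223333:role/Analyst"
APP_ROLE = "arn:aws:iam::111122223333:role/payments-lambda"
CASES = [  # (name, principal, action, identity policy, boundary on the caller, request context)
    ("delegate creates role without boundary", DELEGATE, "iam:CreateRole", DELEGATE_POLICY, None, {}),
    ("delegate creates role with approved boundary", DELEGATE, "iam:CreateRole", DELEGATE_POLICY, None,
     {"iam:PermissionsBoundary": BOUNDARY_ARN}),
    ("analyst tries the same", ANALYST, "iam:CreateRole", DELEGATE_POLICY, None,
     {"iam:PermissionsBoundary": BOUNDARY_ARN}),
    ("app role reads S3 inside boundary", APP_ROLE, "s3:GetObject", OVERBROAD_APP_POLICY, DEVELOPER_BOUNDARY, {}),
    ("app role assumes a more privileged role", APP_ROLE, "sts:AssumeRole", OVERBROAD_APP_POLICY, DEVELOPER_BOUNDARY, {}),
]


def run_cases():
    return {name: evaluate(p, a, pol, b, req) for name, p, a, pol, b, req in CASES}


if __name__ == "__main__":
    for name, (allowed, reason) in run_cases().items():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {name}: {reason}")
```

The last two cases are the point of the boundary: the developer attached a wildcard policy to the Lambda role, yet the role can only act within the boundary, so an attempt to assume a more privileged role is denied even though nothing in the SCP mentions sts:AssumeRole.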
FSISEC03-BP03 Monitor unauthorized activity in your AWS accounts
Use the following guidelines to monitor your AWS account activity:
- Turn on AWS CloudTrail in each account, and use it in each supported Region.
- Store AWS CloudTrail logs in a centralized logging account with very restricted access.
- Periodically examine CloudTrail log files.
- Enable Amazon GuardDuty in each account, and use it in each supported Region. GuardDuty provides threat detection by continually analyzing AWS CloudTrail events, VPC Flow Logs and DNS logs, and it automatically detects CloudTrail management events that can lead to IAM privilege escalation, along with other IAM finding types.
- Enable Amazon S3 server access logging to monitor requests made to each bucket.
- If you believe there has been unauthorized use of your account, pay attention to the temporary credentials that have been issued. If temporary credentials have been issued that you don't recognize, revoke them: for example, attach an inline policy to the role that denies all actions for sessions whose token was issued before the current time (the aws:TokenIssueTime condition key), which invalidates existing sessions without deleting the role.
- View the last accessed information for IAM through the AWS Management Console, the AWS CLI or the AWS API.
Administrators can configure roles to require identities to pass a custom string that identifies the person or application performing actions in AWS when the role is assumed. This identity information is stored as the source identity in AWS CloudTrail. Administrators can review this activity in CloudTrail and use the source identity to determine who or what performed actions with assumed role sessions.
It is also good practice to periodically review IAM policies and to grant user access restrictively, on a need-to-know basis. You can prevent IAM users and roles from making specified changes through service control policies (SCPs), and set permissions boundaries for IAM entities.
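The monitoring described in this best practice, as an added example that is not part of the Lens or of any AWS tooling: it runs over CloudTrail records, flags IAM management events that grant or widen permissions, rates them by whether the acting role is an expected administrator, keeps denied attempts (an AccessDenied on iam:CreateAccessKey from a Lambda role is worth looking at even though it failed), and surfaces the source identity of assumed-role sessions so that a human can be attributed. The records, role ARNs and the list of escalation-relevant events are constructed assumptions; the record shape follows the CloudTrail userIdentity element, where sourceIdentity appears under sessionContext for sessions that set it.

```python
import gzip
import json

# Roles whose sessions are expected to perform IAM writes (placeholders for your own admin roles).
ADMIN_ROLES = {"arn:aws:iam::111122223333:role/IAMAdmin"}

# IAM management events that grant, widen or transfer permissions. Not exhaustive; extend it
# with the actions your own policies care about.
ESCALATION_EVENTS = {
    "CreateUser", "CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
    "AttachUserPolicy", "AttachRolePolicy", "AttachGroupPolicy",
    "PutUserPolicy", "PutRolePolicy", "PutGroupPolicy",
    "CreatePolicyVersion", "SetDefaultPolicyVersion", "AddUserToGroup",
    "UpdateAssumeRolePolicy", "DeleteRolePermissionsBoundary", "DeleteUserPermissionsBoundary",
}


def _record(event_name, event_source, identity, error=None, params=None):
    """Build a constructed CloudTrail record carrying only the fields this triage uses."""
    rec = {"eventVersion": "1.08", "eventTime": "2024-06-01T10:00:00Z",
           "eventSource": event_source, "eventName": event_name,
           "userIdentity": identity, "requestParameters": params or {}}
    if error:
        rec["errorCode"] = error
    return rec


def _assumed_role(session_arn, issuer_arn, source_identity=None):
    """userIdentity for an assumed-role session; sourceIdentity is present only when the
    role was assumed with a source identity set."""
    ctx = {"sessionIssuer": {"type": "Role", "arn": issuer_arn},
           "attributes": {"creationDate": "2024-06-01T09:00:00Z", "mfaAuthenticated": "false"}}
    if source_identity:
        ctx["sourceIdentity"] = source_identity
    return {"type": "AssumedRole", "arn": session_arn, "sessionContext": ctx}


ACCT = "111122223333"
SAMPLE_EVENTS = [  # constructed records
    _record("AttachRolePolicy", "iam.amazonaws.com",
            _assumed_role(f"arn:aws:sts::{ACCT}:assumed-role/DevDelegate/alice",
                          f"arn:aws:iam::{ACCT}:role/DevDelegate", "alice@example.com"),
            params={"roleName": "payments-lambda",
                    "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
    _record("CreateUser", "iam.amazonaws.com",
            _assumed_role(f"arn:aws:sts::{ACCT}:assumed-role/IAMAdmin/bob",
                          f"arn:aws:iam::{ACCT}:role/IAMAdmin", "bob@example.com"),
            params={"userName": "svc-reporting"}),
    _record("CreateAccessKey", "iam.amazonaws.com",
            _assumed_role(f"arn:aws:sts::{ACCT}:assumed-role/payments-lambda/payments-fn",
                          f"arn:aws:iam::{ACCT}:role/payments-lambda"),
            error="AccessDenied", params={"userName": "svc-reporting"}),
    _record("GetObject", "s3.amazonaws.com",
            _assumed_role(f"arn:aws:sts::{ACCT}:assumed-role/payments-lambda/payments-fn",
                          f"arn:aws:iam::{ACCT}:role/payments-lambda")),
]


def load_cloudtrail_file(path):
    """Read one delivered CloudTrail log file (gzipped JSON with a top-level Records array)."""
    with gzip.open(path, "rt") as fh:
        return json.load(fh)["Records"]


def triage(records, admin_roles=ADMIN_ROLES):
    """Return one finding per escalation-relevant IAM event, attributed as far as the record allows."""
    findings = []
    for rec in records:
        if rec["eventSource"] != "iam.amazonaws.com" or rec["eventName"] not in ESCALATION_EVENTS:
            continue
        ident = rec["userIdentity"]
        session = ident.get("sessionContext", {})
        # For an assumed role the session ARN is per-session; the issuing role is the stable identity.
        issuer = session.get("sessionIssuer", {}).get("arn", ident.get("arn"))
        source = session.get("sourceIdentity")
        finding = {
            "event": rec["eventName"],
            "principal": ident.get("arn"),
            "role": issuer,
            "source_identity": source,
            "outcome": "denied" if rec.get("errorCode") == "AccessDenied" else "succeeded",
            "severity": "info" if issuer in admin_roles else "high",
            "request": rec.get("requestParameters", {}),
        }
        if ident.get("type") == "AssumedRole" and source is None:
            finding["note"] = "assumed-role session without sourceIdentity: actor cannot be attributed"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Sessions with no source identity are the ones to tighten first: require sts:SetSourceIdentity in the role's trust policy so that every future session carries one, then the "note" in this output disappears for that role.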