AWS Identity and Access Management - Navigating GDPR Compliance on AWS

AWS Identity and Access Management

When you create an AWS account, a root user is automatically created for your AWS account. This user has complete access to all your AWS services and resources in your AWS account. As a security best practice, the root user should be used only for performing tasks that only the root user can perform. Instead of using this account for everyday tasks, you should only use it to initially create additional roles and users, and for administrative activities that require it. AWS recommends that you apply the principle of least privilege from the start: define different users and roles for different tasks, and specify the minimum set of permissions required to complete each task. This approach is a mechanism for putting into practice a key concept introduced in GDPR: data protection by design. AWS Identity and Access Management (IAM) is a web service that you can use to securely control access to your AWS resources. Customers can use AWS Organizations Service Control Policies (SCPs) to limit access to specific actions for the root user in a member account. You can find a sample SCP in the public documentation. Customers can monitor root user credential usage by enabling Amazon GuardDuty (the related finding is Policy:IAMUser/RootCredentialUsage) or by combining AWS services to build their own solution.
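The two controls named above, an SCP that limits what a member account's root user can do and detection of root credential usage, are shown below as an added example (not code from the whitepaper or from AWS). The SCP follows the structure of the documented sample (a Deny statement conditioned on `aws:PrincipalArn` matching `arn:aws:iam::*:root`); the choice of denied services, the account ID and the CloudTrail-style records are constructed for this example, and the `scp_denies` helper is a deliberately simplified evaluator, not the AWS policy engine.

```python
import fnmatch

# Added example: SCP denying the member-account root user the use of EC2 and S3.
# The denied services are a constructed choice; the root user is identified by
# its principal ARN, which always has the form arn:aws:iam::<account-id>:root.
ROOT_RESTRICTION_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyRootUserEC2AndS3",
            "Effect": "Deny",
            "Action": ["ec2:*", "s3:*"],
            "Resource": "*",
            "Condition": {
                "StringLike": {"aws:PrincipalArn": ["arn:aws:iam::*:root"]}
            },
        }
    ],
}


def _as_list(value):
    """IAM allows a string or a list in most policy fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def scp_denies(policy, principal_arn, action):
    """Simplified check: does a Deny statement in this SCP match the principal
    and action?  Only the StringLike condition on aws:PrincipalArn is
    evaluated; the real engine considers every condition key and the whole
    set of SCPs in the organisation hierarchy.  IAM action names are matched
    case-insensitively, hence the lower() calls."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), pat.lower())
                   for pat in _as_list(stmt["Action"])):
            continue
        arn_patterns = _as_list(
            stmt.get("Condition", {}).get("StringLike", {}).get("aws:PrincipalArn", []))
        # No principal condition means the Deny applies to everyone.
        if not arn_patterns or any(fnmatch.fnmatchcase(principal_arn, p) for p in arn_patterns):
            return True
    return False


# Constructed CloudTrail-style records, trimmed to the fields used here.
# GuardDuty's Policy:IAMUser/RootCredentialUsage finding surfaces the same
# condition: userIdentity.type == "Root".
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-10T08:01:00Z", "eventSource": "signin.amazonaws.com",
     "eventName": "ConsoleLogin",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
    {"eventTime": "2024-01-10T08:02:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/AppRole/i-0abc"}},
    {"eventTime": "2024-01-10T08:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "CreateUser",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::111122223333:root"}},
]


def root_usage_events(events):
    """Return the events that were performed with root user credentials."""
    return [e for e in events if e.get("userIdentity", {}).get("type") == "Root"]


if __name__ == "__main__":
    root = "arn:aws:iam::111122223333:root"
    print("root ec2:RunInstances denied:", scp_denies(ROOT_RESTRICTION_SCP, root, "ec2:RunInstances"))
    print("role ec2:RunInstances denied:",
          scp_denies(ROOT_RESTRICTION_SCP, "arn:aws:iam::111122223333:role/Admin", "ec2:RunInstances"))
    for e in root_usage_events(SAMPLE_EVENTS):
        print("root activity:", e["eventTime"], e["eventName"])
```

Because the SCP only denies the two named service prefixes, actions that the root user alone can perform (account-level tasks under `iam:` or account settings) stay available, which is the intent described above; a Deny on `*` would have to carry an explicit `NotAction` list instead.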

Users and roles define IAM identities with specific permissions. An authorized user can assume an IAM role to perform specific tasks. Temporary credentials are created when the role is assumed. For example, you can use IAM roles to securely provide applications that run in Amazon Elastic Compute Cloud (Amazon EC2) with temporary credentials required to access other AWS resources, such as Amazon S3 buckets, and Amazon Relational Database Service (Amazon RDS) or Amazon DynamoDB databases. Similarly, execution roles provide AWS Lambda functions with the required permissions to access other AWS Services and resources, such as Amazon CloudWatch Logs for log streaming or reading a message from an Amazon Simple Queue Service (Amazon SQS) queue. When you create a role, you add policies to it to define authorizations.
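The role described above, one that EC2 instances assume to reach a single S3 bucket, is written out below as an added example (not from the whitepaper). It pairs the trust policy (who may assume the role) with a permissions policy scoped to one prefix of one bucket, next to the over-broad policy least privilege is meant to replace; the bucket name and prefix are constructed placeholders, and `broad_grants` is a small review helper, not an AWS API.

```python
# Added example: an EC2 instance role built for least privilege.
BUCKET = "example-app-data"   # constructed placeholder

# Trust policy: only the EC2 service (through an instance profile) may assume
# the role.  Temporary credentials are issued to the instance on assumption.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy: list and read only the app/ prefix of one bucket.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAppPrefixOnly",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": f"arn:aws:s3:::{BUCKET}",
            "Condition": {"StringLike": {"s3:prefix": ["app/*"]}},
        },
        {
            "Sid": "ReadAppObjects",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": f"arn:aws:s3:::{BUCKET}/app/*",
        },
    ],
}

# The kind of policy that least privilege replaces.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowEverything", "Effect": "Allow", "Action": "*", "Resource": "*"}
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def broad_grants(policy):
    """Sids of Allow statements that grant a whole service ('svc:*' or '*')
    or apply to every resource ('*').  Some actions (for example
    s3:ListAllMyBuckets) legitimately need Resource '*', so treat the output
    as a review list rather than a verdict."""
    flagged = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any(a == "*" or a.endswith(":*") for a in actions) or "*" in resources:
            flagged.append(stmt.get("Sid", f"statement-{i}"))
    return flagged


if __name__ == "__main__":
    print("least-privilege policy flagged:", broad_grants(LEAST_PRIVILEGE_POLICY))
    print("over-broad policy flagged:", broad_grants(OVERBROAD_POLICY))
```

The `s3:prefix` condition on `ListBucket` matters: without it the role could enumerate every key in the bucket even though it can only read objects under `app/`.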

To help customers monitor resource policies and identify resources with public or cross-account access that they may not intend, IAM Access Analyzer can be enabled to generate comprehensive findings that identify resources that can be accessed from outside an AWS account. IAM Access Analyzer evaluates resource policies using mathematical logic and inference to determine the possible access paths allowed by the policies. IAM Access Analyzer continuously monitors for new or updated policies, and it analyzes permissions granted using policies for IAM roles, but also for service resources such as Amazon S3 buckets, AWS Key Management Service (AWS KMS) keys, Amazon SQS queues, and Lambda functions.

Access Analyzer for S3 alerts you when buckets are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. When reviewing an at-risk bucket in Access Analyzer for Amazon S3, you can block all public access to the bucket with a single click. AWS recommends that you block all access to your buckets unless you require public access to support a specific use case. Before you block all public access, ensure that your applications will continue to work correctly without public access. For more information, see Using Amazon S3 to Block Public Access.
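The two preceding paragraphs describe findings for resources reachable from outside the account and the one-click block of public access. The added example below (not from the whitepaper, and not Access Analyzer's logic) shows the shape of that check on bucket policies: it classifies each Allow statement's principal as public, in-organisation or external, and shows the four S3 Block Public Access settings that the "block all" action turns on. It is a deliberate simplification: it ignores `Condition` blocks and ACLs, both of which Access Analyzer reasons about. The account IDs, bucket names and policies are constructed.

```python
import re

# Constructed: the account IDs that make up "our" organisation.
ORG_ACCOUNTS = {"111122223333", "222233334444"}

# Constructed bucket policies covering the three cases a review cares about.
PUBLIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::public-site/*"}],
}
IN_ORG_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SiblingAccountWrite", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222233334444:root"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::shared-logs/*"},
        # A Deny with Principal "*" is not a grant and must not be reported.
        {"Sid": "RequireTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::shared-logs/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}
EXTERNAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PartnerWrite", "Effect": "Allow",
                   "Principal": {"AWS": ["arn:aws:iam::999988887777:role/PartnerUpload"]},
                   "Action": "s3:PutObject", "Resource": "arn:aws:s3:::partner-drop/*"}],
}

# The PublicAccessBlockConfiguration that "block all public access" applies
# (the same four keys s3.put_public_access_block accepts).
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal):
    """Yield '*' for an anonymous grant, otherwise the account IDs named in
    the statement's Principal (bare 12-digit IDs or IAM/STS ARNs)."""
    if principal == "*":
        yield "*"
        return
    if not isinstance(principal, dict):
        return
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            yield "*"
        elif re.fullmatch(r"\d{12}", p):
            yield p
        elif p.startswith("arn:"):
            yield p.split(":")[4]   # arn:partition:service:region:account:resource


def external_access_findings(bucket, policy, org_accounts):
    """Allow statements that grant access to anyone, or to an account outside
    org_accounts.  Conditions are ignored here, so a finding is a review item."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for acct in _principal_accounts(stmt.get("Principal", {})):
            if acct == "*":
                findings.append({"bucket": bucket, "sid": stmt.get("Sid"), "access": "public"})
            elif acct not in org_accounts:
                findings.append({"bucket": bucket, "sid": stmt.get("Sid"),
                                 "access": f"cross-account:{acct}"})
    return findings


if __name__ == "__main__":
    for name, pol in [("public-site", PUBLIC_POLICY), ("shared-logs", IN_ORG_POLICY),
                      ("partner-drop", EXTERNAL_POLICY)]:
        print(name, external_access_findings(name, pol, ORG_ACCOUNTS))
```

As the text advises, a "public" finding on a bucket that is meant to serve a website is expected and stays; the value of the check is the finding nobody expected, which is what to fix (or block) after confirming the application does not depend on it.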

IAM also provides last accessed information to help you identify unused permissions so that you can remove them from the associated principals. Using last accessed information, it is possible to refine your policies and allow access to only those services and actions that are needed. This helps to better adhere to and apply the best practice of least privilege. You can view last accessed information for entities or policies that exist in IAM, or across an entire AWS Organizations environment.
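The refinement loop described above, read the last-accessed report, find services a principal has not used, and drop those services from its policy, is worked through below as an added example (not from the whitepaper). The report entries follow the `ServicesLastAccessed` shape that IAM's `get_service_last_accessed_details` call returns (`ServiceNamespace`, `LastAuthenticated`, absent when never used), but the values, the policy and the 90-day threshold are constructed for this example.

```python
from datetime import datetime, timedelta, timezone

# Constructed point in time for the review, so the example is reproducible.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

# Constructed report in the shape of ServicesLastAccessed entries.
# A service the principal never used has no LastAuthenticated field.
SAMPLE_REPORT = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "LastAuthenticated": datetime(2024, 3, 1, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "Amazon DynamoDB", "ServiceNamespace": "dynamodb",
     "LastAuthenticated": datetime(2023, 9, 15, tzinfo=timezone.utc),
     "TotalAuthenticatedEntities": 1},
    {"ServiceName": "AWS Key Management Service", "ServiceNamespace": "kms",
     "TotalAuthenticatedEntities": 0},
]

# Constructed policy attached to the principal the report is about.
APP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DataAccess", "Effect": "Allow",
         "Action": ["s3:GetObject", "dynamodb:GetItem"],
         "Resource": ["arn:aws:s3:::example-app-data/app/*",
                      "arn:aws:dynamodb:eu-west-1:111122223333:table/Orders"]},
        {"Sid": "Decrypt", "Effect": "Allow",
         "Action": "kms:Decrypt",
         "Resource": "arn:aws:kms:eu-west-1:111122223333:key/EXAMPLE-KEY-ID"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def services_to_remove(report, now, max_idle_days=90):
    """Service namespaces that were never used, or not used within
    max_idle_days of `now`."""
    cutoff = now - timedelta(days=max_idle_days)
    unused = []
    for svc in report:
        last = svc.get("LastAuthenticated")
        if last is None or last < cutoff:
            unused.append(svc["ServiceNamespace"])
    return unused


def prune_policy_services(policy, unused_namespaces):
    """Copy of `policy` with actions for the unused services removed.
    Statements left with no actions are dropped entirely."""
    unused = {ns.lower() for ns in unused_namespaces}
    statements = []
    for stmt in policy["Statement"]:
        kept = [a for a in _as_list(stmt.get("Action", []))
                if a.split(":")[0].lower() not in unused]
        if kept:
            new_stmt = dict(stmt)
            new_stmt["Action"] = kept
            statements.append(new_stmt)
    return {**policy, "Statement": statements}


if __name__ == "__main__":
    unused = services_to_remove(SAMPLE_REPORT, NOW)
    print("unused services:", unused)
    for stmt in prune_policy_services(APP_POLICY, unused)["Statement"]:
        print(stmt["Sid"], stmt["Action"])
```

Last-accessed data is tracked at the service level for most services and at the action level only for some, so the pruned policy may still grant actions within a used service that were never called; the report narrows the policy, it does not prove every remaining action is required.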