AWS Identity and Access Management
When you create an AWS account, a root user is automatically created for your AWS account. This user has complete access to all AWS services and resources in your AWS account. As a security best practice, the root user should be used only for performing tasks that only the root user can perform. Instead of using this account for everyday tasks, you should use it only to initially create additional roles and users, and for administrative activities that require it. AWS recommends that you apply the principle of least privilege from the start: define different users and roles for different tasks, and specify the minimum set of permissions required to complete each task. This approach is a mechanism for applying a key concept introduced in the GDPR: data protection by design.
Users and roles define IAM identities with specific permissions. An authorized user can assume an IAM role to perform specific tasks; temporary credentials are created when the role is assumed. For example, you can use IAM roles to securely provide applications that run in Amazon Elastic Compute Cloud
To help customers monitor resource policies and identify resources with public or cross-account access they may not intend, IAM Access Analyzer
Access Analyzer for S3 alerts you when buckets are configured to allow access to anyone on the internet or other AWS accounts, including AWS accounts outside of your organization. When reviewing an at-risk bucket in Access Analyzer for Amazon S3, you can block all public access to the bucket with a single click. AWS recommends that you block all access to your buckets unless you require public access to support a specific use case. Before you block all public access, ensure that your applications will continue to work correctly without public access. For more information, see Using Amazon S3 to Block Public Access.
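The kind of review Access Analyzer for S3 performs can be approximated offline. The following added example (not AWS or Access Analyzer code) walks an S3 bucket policy, reports Allow statements whose principal is anonymous or belongs to an account outside a given organization, and lists which of the four block-public-access settings a bucket is missing. The organization account list, the bucket policy, the org ID and the public-access-block configuration are constructed sample data; treating only `aws:PrincipalOrgID` / `aws:PrincipalAccount` conditions as restricting a `*` principal is a simplifying assumption of this example.

```python
"""Flag S3 bucket policy statements that grant public or cross-account access.

Added example, not AWS or Access Analyzer code: an offline approximation of the
findings the text describes. The organization account list, the bucket policy
and the public-access-block settings below are constructed sample data.
"""
import json

# Constructed: the AWS account IDs that make up "our" organization.
ORG_ACCOUNTS = {"111111111111", "222222222222"}

# Constructed sample bucket policy: one anonymous statement, one partner account
# outside the organization, one in-organization role, one "*" statement that a
# Condition pins to the organization, and a Deny that must not be reported.
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
        {"Sid": "InternalRole", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgWideRead", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# The four settings that "block all public access" turns on for a bucket.
BLOCK_ALL_PUBLIC_ACCESS = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def _as_list(value):
    """IAM JSON lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement):
    """AWS principal strings named by a statement; '*' means anyone."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    return _as_list(principal.get("AWS")) if isinstance(principal, dict) else []


def _account_of(principal):
    """Account ID of an IAM ARN principal; bare 12-digit account IDs pass through."""
    parts = principal.split(":")
    return parts[4] if principal.startswith("arn:") and len(parts) > 5 else principal


def _scoped_to_org(statement):
    """True if a String* condition pins a '*' principal to an org or account.

    Simplification (assumption for this example): only aws:PrincipalOrgID and
    aws:PrincipalAccount count as restricting an anonymous principal.
    """
    for operator, keys in statement.get("Condition", {}).items():
        if operator.lower().startswith("string") and any(
            k.lower() in ("aws:principalorgid", "aws:principalaccount") for k in keys
        ):
            return True
    return False


def analyze_bucket_policy(policy_json, org_accounts=ORG_ACCOUNTS):
    """Return (Sid, kind, principal) findings for Allow statements.

    kind is 'public' for an unrestricted anonymous principal and 'cross-account'
    for an account outside org_accounts; in-organization principals and Deny
    statements produce no finding.
    """
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _principals(stmt):
            if principal == "*":
                if not _scoped_to_org(stmt):
                    findings.append((stmt.get("Sid"), "public", "*"))
            elif _account_of(principal) not in org_accounts:
                findings.append((stmt.get("Sid"), "cross-account", principal))
    return findings


def public_access_block_gaps(config):
    """Names of the block-public-access settings that config leaves disabled."""
    return [k for k in BLOCK_ALL_PUBLIC_ACCESS if not config.get(k, False)]


if __name__ == "__main__":
    for finding in analyze_bucket_policy(SAMPLE_BUCKET_POLICY):
        print(finding)
    print(public_access_block_gaps({"BlockPublicAcls": True, "IgnorePublicAcls": True}))
```

Run against the constructed policy it reports `PublicRead` as public and `PartnerAccess` as cross-account, while the in-organization role, the org-scoped `*` statement and the TLS-only Deny are left alone; the second function shows which settings a one-click "block all public access" would still need to enable on a partially configured bucket.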
IAM also provides last accessed information to help you identify unused permissions so that you can remove them from the associated principals. Using last accessed information, it is possible to refine your policies and allow access to only those services and actions that are needed. This helps to better adhere to and apply the best practice of least privilege. You can view last accessed information for entities or policies that exist in IAM, or across an entire AWS Organizations
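Both the least-privilege guidance earlier on this page and the last-accessed refinement described here come down to the same review: find Allow statements that grant more than a task needs, then drop the services a principal has not actually used. The added example below (not AWS code) does both on a constructed IAM policy: it flags wildcard actions, wildcard resources and `NotAction`/`NotResource` grants, and it consumes last-accessed records in the `ServiceNamespace` / `LastAuthenticated` shape that IAM's service last accessed data uses to list allowed services idle for longer than a cut-off and the statements that could be removed. The policy, the access records, the "current" time and the 90-day cut-off are all assumptions of this example.

```python
"""Least-privilege review of an IAM policy: wildcard checks plus last-accessed data.

Added example, not AWS code. The policy, the last-accessed records (kept in the
ServiceNamespace / LastAuthenticated shape IAM's service last accessed data
uses), the "current" time and the idle cut-off are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current" time

# Constructed sample policy: one scoped statement, one wildcard statement and
# two statements for services that turn out to be unused.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppData", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-data/*"},
        {"Sid": "TooBroad", "Effect": "Allow",
         "Action": "dynamodb:*", "Resource": "*"},
        {"Sid": "Logs", "Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:us-east-1:111111111111:log-group:/app/*"},
        {"Sid": "LegacyQueue", "Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:us-east-1:111111111111:legacy"},
    ],
})

# Constructed last-accessed records. A record without LastAuthenticated means
# the service was never used by the principal in the tracking period.
SAMPLE_LAST_ACCESSED = [
    {"ServiceNamespace": "s3", "LastAuthenticated": NOW - timedelta(days=2)},
    {"ServiceNamespace": "dynamodb", "LastAuthenticated": NOW - timedelta(days=1)},
    {"ServiceNamespace": "logs", "LastAuthenticated": NOW - timedelta(days=120)},
    {"ServiceNamespace": "sqs"},
]


def _as_list(value):
    """IAM JSON lets Action/Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _statements(policy_json):
    return _as_list(json.loads(policy_json).get("Statement", []))


def _service(action):
    """Service namespace of an action: the part before ':' ('*' stays '*')."""
    return "*" if action == "*" else action.split(":", 1)[0]


def wildcard_findings(policy_json):
    """Return (Sid, problem) pairs for Allow statements broader than a task needs."""
    findings = []
    for stmt in _statements(policy_json):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((sid, "NotAction/NotResource grants everything not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "wildcard resource *"))
    return findings


def allowed_services(policy_json):
    """Set of service namespaces that Allow statements reference."""
    return {
        _service(a)
        for stmt in _statements(policy_json) if stmt.get("Effect") == "Allow"
        for a in _as_list(stmt.get("Action", []))
    }


def unused_services(policy_json, last_accessed, now=NOW, max_idle_days=90):
    """Sorted allowed services with no authentication within max_idle_days."""
    cutoff = now - timedelta(days=max_idle_days)
    last_seen = {r["ServiceNamespace"]: r.get("LastAuthenticated") for r in last_accessed}
    return sorted(
        s for s in allowed_services(policy_json)
        if s != "*" and (last_seen.get(s) is None or last_seen[s] < cutoff)
    )


def statements_to_remove(policy_json, last_accessed, **kwargs):
    """Sids whose every action belongs to an unused service: removal candidates."""
    unused = set(unused_services(policy_json, last_accessed, **kwargs))
    return [
        stmt.get("Sid") for stmt in _statements(policy_json)
        if _as_list(stmt.get("Action", []))
        and all(_service(a) in unused for a in _as_list(stmt.get("Action", [])))
    ]


if __name__ == "__main__":
    print(wildcard_findings(SAMPLE_POLICY))
    print(unused_services(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED))
    print(statements_to_remove(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED))
```

On the constructed data the wildcard check singles out `TooBroad` twice (action and resource), and with a 90-day window the `logs` and `sqs` grants come back as idle, so `Logs` and `LegacyQueue` are the statements to review with their owners before removing them; widening the window to 180 days keeps `logs` and leaves only the never-used `sqs` grant. Removing a statement in one pass is deliberately not automated: last-accessed data is per service, not per action, so the human step of confirming the grant is unneeded remains.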