
Auditing IAM Users in AWS


Checking your AWS account to see how many IAM (Identity and Access Management) users you have is a great and very simple way to get started with auditing.

You will be able to check whether these users are following security best practices, such as having Multi-Factor Authentication (MFA) set up for their account, the last time they changed their password, and when they last rotated their access key.

Let us suppose that everyone in the company had access to the AWS account, even those whose job did not require any type of access. This makes the account more vulnerable, because anyone can go into the account, and it creates a less secure environment.

Auditing IAM users and making sure that they need their access to perform their tasks is a start toward being more secure and toward enforcing IAM best practices. After all, one of the basic principles of security in AWS is the Principle of Least Privilege, which means giving a user the minimum amount of access required to perform their task. This is just one of the many IAM best practices that Amazon recommends. To read more on which IAM best practices to use and how to enforce them, you can click here: IAM Best Practices.

For the first step, I recommend getting a summary report of your account. This is a great way to get a brief overview of the account.

To do this, you can run this command using the AWS CLI:

`aws iam get-account-summary`

The output is a JSON document similar to the following (the counts will differ for your account):

```json
{
    "SummaryMap": {
        "UsersQuota": 5000,
        "GroupsQuota": 100,
        "InstanceProfiles": 6,
        "SigningCertificatesPerUserQuota": 2,
        "AccountAccessKeysPresent": 0,
        "RolesQuota": 250,
        "RolePolicySizeQuota": 10240,
        "AccountSigningCertificatesPresent": 0,
        "Users": 27,
        "ServerCertificatesQuota": 20,
        "ServerCertificates": 0,
        "AssumeRolePolicySizeQuota": 2048,
        "Groups": 7,
        "MFADevicesInUse": 1,
        "Roles": 3,
        "AccountMFAEnabled": 1,
        "MFADevices": 3,
        "GroupsPerUserQuota": 10,
        "GroupPolicySizeQuota": 5120,
        "InstanceProfilesQuota": 100,
        "AccessKeysPerUserQuota": 2,
        "Providers": 0,
        "UserPolicySizeQuota": 2048
    }
}
```

The above is just an overview of what you’ll see. Next, you should download a credentials report that gives you more detailed information, such as the username of each IAM user associated with the account.

To generate the report:

`aws iam generate-credential-report`

Get the report, decode it, and save the output into a txt or csv file (the report is returned base64-encoded; `base64 -D` is the macOS flag, on Linux use `base64 -d`, and `>` overwrites the file rather than appending to an earlier run):

`aws iam get-credential-report --output text --query Content | base64 -D > report.csv`

This credential report is a CSV with one row per user and the following columns:

user
arn
user_creation_time
password_enabled
password_last_used
password_last_changed
password_next_rotation
mfa_active
access_key_1_active
access_key_1_last_rotated
access_key_1_last_used_date
access_key_1_last_used_region
access_key_1_last_used_service
access_key_2_active
access_key_2_last_rotated
access_key_2_last_used_date
access_key_2_last_used_region
access_key_2_last_used_service
cert_1_active
cert_1_last_rotated
cert_2_active
cert_2_last_rotated

You can now assess all your IAM users and whether these users are still active employees or need to be removed because they are no longer with your company. You should practice the auditing steps above at regular intervals as a best practice for security. You should also audit whenever there is a change in your organization, such as an employee leaving, or if you suspect an unauthorized person is trying to access your account. You can read more on AWS security auditing guidelines through this link: Security Audit Guidelines.

Lastly, certain tracking can be automated through the use of an AWS Lambda function. You can run the function either monthly or biweekly to help you keep up to date on existing users and whether they have rotated their access keys or set up Multi-Factor Authentication.
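The following is an added example, not code from the original post, showing how the decoded credential report described above can be checked automatically for the conditions the post calls out (console users without MFA, access keys that have not been rotated, and keys or passwords that are no longer being used). It is the kind of logic a scheduled Lambda function could run. The report rows, account ID, user names and dates are constructed for the example; the 90-day thresholds and the fixed "now" date are assumptions chosen so the output is reproducible. In a real run you would replace `SAMPLE_REPORT_B64` with the base64 `Content` string returned by `aws iam get-credential-report`.

```python
import base64
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: the same CSV layout as a real credential report,
# but with hypothetical users, account ID and dates.
_SAMPLE_CSV = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2019-01-10T12:00:00+00:00,not_supported,2023-05-01T09:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-02T08:00:00+00:00,true,2023-05-30T10:00:00+00:00,2023-04-01T10:00:00+00:00,2023-07-01T10:00:00+00:00,true,true,2023-05-15T10:00:00+00:00,2023-05-30T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2020-06-15T08:00:00+00:00,true,2022-11-20T10:00:00+00:00,2022-01-05T10:00:00+00:00,N/A,false,true,2021-02-01T10:00:00+00:00,2022-10-01T11:00:00+00:00,us-west-2,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2022-09-01T08:00:00+00:00,false,no_information,N/A,N/A,false,true,2023-04-20T10:00:00+00:00,2023-05-31T00:00:00+00:00,us-east-1,ecr,true,2022-09-01T08:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
# The CLI prints the report base64-encoded in the Content field; mimic that here.
SAMPLE_REPORT_B64 = base64.b64encode(_SAMPLE_CSV.encode()).decode()

NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)  # fixed "now" (assumption) for reproducible output
KEY_MAX_AGE = timedelta(days=90)                 # assumed rotation policy
INACTIVITY = timedelta(days=90)                  # assumed "unused" threshold


def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A, no_information and not_supported mean 'none'."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def decode_report(content_b64):
    """Decode the base64 Content field into a list of CSV rows (what `base64 -d` does in the shell)."""
    text = base64.b64decode(content_b64).decode("utf-8")
    return list(csv.DictReader(io.StringIO(text)))


def audit_user(row, now=NOW):
    """Return the findings for one report row; an empty list means the user passed every check."""
    findings = []
    if row["user"] == "<root_account>":
        if row["mfa_active"] != "true":
            findings.append("root account has no MFA")
        if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
            findings.append("root account has active access keys")
        return findings
    # Console users (password_enabled) should have MFA; pure API users have no password.
    if row["password_enabled"] == "true" and row["mfa_active"] != "true":
        findings.append("console password enabled without MFA")
    for n in ("1", "2"):
        if row[f"access_key_{n}_active"] != "true":
            continue
        rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
        if rotated is not None and now - rotated > KEY_MAX_AGE:
            findings.append(f"access key {n} not rotated for {(now - rotated).days} days")
        last_used = _parse_ts(row[f"access_key_{n}_last_used_date"])
        if last_used is None:
            findings.append(f"access key {n} active but never used")
        elif now - last_used > INACTIVITY:
            findings.append(f"access key {n} unused for {(now - last_used).days} days")
    pw_used = _parse_ts(row["password_last_used"])
    if row["password_enabled"] == "true" and (pw_used is None or now - pw_used > INACTIVITY):
        findings.append("console password not used in the last 90 days")
    return findings


def audit_report(content_b64, now=NOW):
    """Map user name -> findings for every user with at least one finding."""
    results = {}
    for row in decode_report(content_b64):
        user_findings = audit_user(row, now)
        if user_findings:
            results[row["user"]] = user_findings
    return results


if __name__ == "__main__":
    for user, findings in audit_report(SAMPLE_REPORT_B64).items():
        print(user)
        for finding in findings:
            print("  -", finding)
```

Run as a script, the sample flags `bob` (console password without MFA, a key not rotated for over two years, and a key and password unused for months) and `deploy-bot` (a second key that was never used and is overdue for rotation), while `alice` and the root account pass. Service users such as `deploy-bot` are deliberately not flagged for missing MFA, since they have no console password; the check that matters for them is key rotation and use.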


Wendy Segura is a former Security Engineer Intern at Agari. She previously attended Holberton School in San Francisco. She enjoys learning about new security technologies, reading and writing.

