Maintaining compliance by following IAM best practices
We conclude the IAM section with a few parting words of wisdom for maintaining compliance over time:
-
Do not attach any policies without requiring MFA.
-
Never use the
AdministratorAccess
AWS managed policy with any users, groups, or roles. -
Refrain from granting inline permissions or attaching managed policies directly to IAM users. Permissions should be granted exclusively via IAM groups and roles.
-
Never use static IAM user access keys to allow an application to access AWS, whether that application is hosted on an EC2 instance or anywhere else!
-
Avoid logging in as the root user. Unfortunately, there is nothing built-in to AWS to prevent use of the root user. It cannot be locked or removed from the account. In fact, there are several tasks that require the use of root. Fortunately, most of these activities are rare, so usage of the root account can be kept to a minimum.