BLOG POST

How To Improve AWS IAM Security

 

December 3, 2015 | DevOps | dustin byrne

Although many of us love AWS and the Identity and Access Management system for EC2, the workflows around it need some improvement. If you’ve ever used it, you’ll probably understand what we’re talking about…It’s hard to configure, hard to understand, and hard to troubleshoot. 

Luckily, Conjur lets you manage end user access to the AWS console while avoiding the typical governance and compliance nightmare.  

IAM_Overview.png

There are a few reason AWS IAM needs improvement:

  1. First, users are provisioned manually which means, without attention, user access may persist after the termination of employment.

  2. Validating user control is also very difficult. It can be a challenge ensuring that the principle of least privilege is upheld among each user and as you add and maintain more users, it turns into a bigger headache.

  3. High flexibility leaves room for error.

  4. Vendor lock-in: You can’t rely on IAM roles to manage permissions in your on-premise data centers or other cloud providers.

  5. Additionally, IAM does not manage anything at the web traffic or Unix permissions level. 

Here’s How Conjur Solves these Problems: 

  1. Users and groups are synchronized from your existing enterprise LDAP or Active Directory Server.

    • This allows you to use your existing user/group structure instead of creating and maintaining another one.

  2. Roles are created for machines, allowing them to join a specific layer of hosts.

    • There is a role per type of application, webservice, database, etc. 

  3. Users can SSH to a trusted machine which has the permissions to fetch andIAM user’s credentials.

    • This SSH access is governed by Conjur.

  4. Privilege on the trusted machine is restricted by the group, mapping your existing enterprise structure to permissions via `sudoers.d`

  5. Next, scripts will be run that fetch the required credentials without revealing them to the executing user.

  6. Finally, Conjur will audit the execution of these scripts.

 

We take the headache out of managing user access to the AWS console. Have any questions? Let us know! We would love to chat about how Conjur can help better secure your AWS or hybrid cloud environment. 

 

conjur-demo
//

 

Share This