Breaking IT Down: AWS IAM Best Practices

Cybersecurity has been the talk of the industry in recent months, for good reason. Recent ransomware attacks have shed light on our collective vulnerability, and it’s clear that American companies need to improve our cybersecurity posture. But cybersecurity is a huge umbrella term, filled with discussions on intricate systems, policies, and players that can be hard to understand. In this month’s Breaking IT Down, we’re talking about the best practices for using AWS IAM and managing user access.


What is AWS IAM?

IAM (Identity and Access Management) is the AWS service that lets you control who can authenticate to your AWS account and which AWS services and resources they are allowed to use.


Root Account

The root account is the email account that was used to open the AWS account. It is not recommended to use the root account for the everyday management of your AWS account. It’s best practice to create IAM users for each individual user who needs access to the AWS Console. You should only use the root account for the specific tasks that can only be performed with the root account.


Here’s a list of tasks that only the root account can perform:

  • Change AWS account settings
  • Restore IAM user permissions
  • Activate IAM access to billing and cost management
  • View certain tax invoices
  • Close the AWS account
  • Change AWS support plans
  • Configure MFA delete on S3 buckets
  • Edit or delete S3 bucket policy that includes an invalid VPC ID or VPC Endpoint ID
  • Sign up for GovCloud


MFA (Multi-Factor Authentication)

MFA (Multi-Factor Authentication) is an additional authentication layer used to verify a user’s identity. In AWS this is accomplished with a third-party application or hardware device that generates a six-digit code every 30 seconds. The root account should always have MFA enabled to protect the account, and it is further recommended to enable MFA on IAM user accounts as well.


IAM Password Policy

It is recommended to implement an IAM Password Policy. This policy applies to IAM users with AWS Management Console access. The password policy should have the following settings enabled:

  • Enforce minimum password length (recommended at least 14 characters)
  • Require at least one uppercase letter from Latin alphabet (A-Z)
  • Require at least one lowercase letter from Latin alphabet (a-z)
  • Require at least one number
  • Require at least one non-alphanumeric character (! @ # $ % ^ & * ( ) _ + - = [ ] { } | ')
  • Enable password expiration (90 days recommended)
  • Allow users to change their own password
  • Prevent password reuse (recommended: remember at least the last 5 passwords)


Programmatic Access

Programmatic access allows integration with AWS services via the AWS API, CLI, SDKs, and other development tools. Programmatic access is authenticated with an access key ID and a secret access key. It is not recommended to issue access keys to IAM users who do not need them, and programmatic access should never be enabled on the root account. It is also not recommended to embed access keys in your code or store them on EC2 instances. You should rotate your AWS access keys at least every 90 days.


Least Privilege Access

It is recommended to follow the principle of least privilege for your IAM users and groups. This means granting only the minimum access to the AWS services that a user or group needs to perform their duties. For example, if a user is in charge of managing EC2 instances, that user should only have access to EC2. If, in the same example, that user only needs to start and stop instances, then their permissions should be limited to read-only (describe) access plus the specific start and stop actions.
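As an added example (not code from the original post), here is the EC2 operator's least-privilege policy from the paragraph above written out as an IAM policy document, alongside a small audit function that flags Allow statements broader than that; the region, account ID and the Team tag condition are placeholders.

```python
import json

# Constructed least-privilege policy for an operator who may only view,
# start and stop EC2 instances. Action names are real IAM actions; the
# account ID (AWS's documentation placeholder), region and tag are assumed.
EC2_START_STOP_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyEc2",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
            "Resource": "*",  # Describe* calls do not support resource-level scoping
        },
        {
            "Sid": "StartStopTeamInstances",
            "Effect": "Allow",
            "Action": ["ec2:StartInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Team": "ops"}},
        },
    ],
}

# A deliberately over-broad policy, constructed here for contrast.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}],
}


def policy_json(policy=EC2_START_STOP_POLICY):
    """Render a policy as the JSON document you would attach to a user or group."""
    return json.dumps(policy, indent=2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return findings for Allow statements that are broader than least privilege."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
        # Resource "*" is only acceptable when every action is a read-only call
        mutating = [a for a in actions
                    if not a.split(":")[-1].startswith(("Describe", "List", "Get"))]
        if "*" in resources and mutating and "Condition" not in stmt:
            findings.append(f"{sid}: mutating actions {mutating} on all resources with no condition")
    return findings
```

Run `audit_policy` over every customer-managed policy before attaching it; the constructed policy passes cleanly while the `ec2:*` policy produces two findings.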


If you’d like to learn more about how our team can help you manage your AWS IAM and security, contact us today!

