As security professionals, it is our job to be sure that our decisions comply with best practices. Best practices, though, tend to be time consuming, which means we either don’t get around to following best practices, or we spend too much time on tedious, manual tasks. This blog post includes two examples where AWS services can help achieve compliance with security best practices, minus the inordinate time investment.
One AWS Identity and Access Management (IAM) best practice is to delete or regularly rotate access keys. However, knowing which AWS access keys are in use has usually involved poring over AWS CloudTrail logs. In my May 30 webinar, I highlighted the recently launched access key last used feature that makes access key rotation easier. By knowing the date and IP address of the last usage, you can much more easily identify which keys are in use and where. You can also identify those keys that haven’t been used in a long time; this helps to maintain good security posture by retiring and deleting old, unused access keys.
If you have a Windows environment on AWS and need to join each Amazon EC2 instance to the Windows domain, the best practice is to either do it manually, or embed credentials in the Amazon Machine Image (AMI). In this Auto Scaling Lifecycle Policies for Security Practitioners video,I show you how you can use Auto Scaling lifecycle policies to, among other things, join a server to a Windows domain without sharing credentials across instances.
These are just two examples of how using AWS services helps you comply with best practices, reduce risk, and spend less time on manual tasks. If you have questions or comments, either post them below or go to the IAM forum.