The first step in an IAM audit is to ensure that the root (admin) user has the default security guidelines covered. AWS is quite handy here, as the root user is given the necessary steps/checklist to ensure that the basic security guidelines are met.
The administrator should ensure that all 5 options are checked (green), so that the root account is secure enough.
Deletion of the root access keys is an important phase: the admin should delete the root access keys once they have been created, so they are not accessible to others.
In the above case, MFA is not enabled. MFA is a mandatory addition to authentication for the admin account, to ensure that there is an extra layer of security.
The next phase is to ensure that the organization has a password policy.
The auditor should ensure that a strict and effective password policy is in place for the users.
The basic IAM audit is done as shown in the screencast below.
An important step we haven't covered in these basic auditing steps is the policy simulation. As an auditor, we need to randomly select a few users in the organization and see if they have any permissions that override the basic policy. In this case, we are checking if a normal user has the privilege to delete users or groups. Please find the actual steps in the screencast below.
In addition to these, an auditor can download a credential report to have a rough check on all the user accounts and parameters like 'access key last used', 'access key last rotated' and so on.
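The policy-simulation check above, written out as an added example (not code from the original post, and not the AWS Policy Simulator itself): a simplified evaluator over constructed, hypothetical identity policies that applies the IAM rule "explicit deny beats allow, and no matching statement means implicit deny", then sweeps a set of sample users for the delete-user/delete-group privileges a normal user should not hold. The policy names, user names and account layout are all assumptions made for the example; Resource and Condition elements are ignored.

```python
import fnmatch

# Constructed sample policies in IAM policy-document shape (hypothetical, not from the page).
NORMAL_USER_BASELINE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:ChangePassword", "iam:GetUser", "iam:GetAccountPasswordPolicy"]},
        {"Effect": "Allow", "Action": "s3:ListAllMyBuckets"},
    ],
}

# A stray, over-broad policy granting every IAM action: the kind of attachment an audit should catch.
LEGACY_OPS = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "iam:*"},
}

# Guardrail: an explicit deny on destructive IAM actions overrides any allow.
DENY_IAM_DELETES = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Deny", "Action": "iam:Delete*"},
}

# Constructed user -> attached policies mapping (assumed, for illustration only).
USERS = {
    "alice": [NORMAL_USER_BASELINE],
    "bob": [NORMAL_USER_BASELINE, LEGACY_OPS],
    "carol": [NORMAL_USER_BASELINE, LEGACY_OPS, DENY_IAM_DELETES],
}

# Actions a normal user should never hold.
SENSITIVE_ACTIONS = ["iam:DeleteUser", "iam:DeleteGroup"]


def _as_list(value):
    """IAM accepts either a single string or a list in Statement/Action fields."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Case-insensitive match with IAM-style '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policies, action):
    """Simplified identity-policy evaluation: explicit deny beats allow, and no
    matching statement means implicit deny. Resource and Condition elements are
    ignored, so this is an approximation of the IAM Policy Simulator, not a
    replacement for it. Decision names mirror the simulator's EvalDecision values."""
    decision = "implicitDeny"
    for doc in policies:
        for stmt in _as_list(doc["Statement"]):
            if "Action" not in stmt:
                continue
            if any(action_matches(p, action) for p in _as_list(stmt["Action"])):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allowed"
    return decision


def find_overprivileged(users, sensitive_actions):
    """Return {user: [sensitive actions the user is allowed to perform]}."""
    report = {}
    for user, policies in users.items():
        allowed = sorted(a for a in sensitive_actions if evaluate(policies, a) == "allowed")
        if allowed:
            report[user] = allowed
    return report


if __name__ == "__main__":
    for user, actions in find_overprivileged(USERS, SENSITIVE_ACTIONS).items():
        print(f"{user}: can perform {', '.join(actions)}")
```

Running it reports only `bob`: `alice` has no matching allow, and `carol` is saved by the explicit deny even though the same over-broad policy is attached to her. Against a real account the same question is answered by the IAM Policy Simulator in the console, or on the command line with `aws iam simulate-principal-policy --policy-source-arn <user ARN> --action-names iam:DeleteUser iam:DeleteGroup`, which also accounts for resources, conditions, permission boundaries and SCPs that this example omits.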
The credential report can be obtained by following the below steps:
1. Go to the 'Credential Report' in IAM Console.
2. Download the report.
3. Analyze the report.
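The "analyze the report" step, as an added example that is not part of the original post: a small Python checker over a constructed credential-report CSV. The column names follow the layout of the IAM credential report, but the rows, account ID, user names and timestamps are all made up for the example, and the 90-day rotation/idle thresholds and the fixed "today" date are assumptions chosen so the output is deterministic.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of an IAM credential report (subset of its columns).
# Account ID, users and dates are invented for this example.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-03-01T09:00:00+00:00,not_supported,2024-05-02T08:15:00+00:00,not_supported,false,true,2021-03-01T09:05:00+00:00,2024-04-20T11:00:00+00:00,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,2022-06-10T12:00:00+00:00,true,2024-05-03T07:30:00+00:00,2024-01-15T10:00:00+00:00,true,true,2024-02-01T10:00:00+00:00,2024-05-03T07:31:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-10T12:00:00+00:00,true,2023-09-12T16:45:00+00:00,2022-06-10T12:00:00+00:00,false,true,2022-06-10T12:05:00+00:00,2023-01-04T09:00:00+00:00,true,2023-11-20T09:00:00+00:00,N/A
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,2023-01-20T08:00:00+00:00,false,no_information,N/A,false,true,2023-01-20T08:01:00+00:00,2024-05-03T06:00:00+00:00,false,N/A,N/A
"""

# Fixed "today" so the example is reproducible (assumption for the example).
NOW = datetime(2024, 5, 4, 12, 0, tzinfo=timezone.utc)
MAX_KEY_AGE = timedelta(days=90)    # assumed rotation policy
MAX_KEY_IDLE = timedelta(days=90)   # assumed idle threshold


def parse_ts(value):
    """The report uses N/A / not_supported / no_information where no timestamp applies."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_report(report_text, now=NOW):
    """Return a list of (user, finding) tuples for the checks the post describes:
    root keys and root MFA, console users without MFA, stale or unused access keys."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        user = row["user"]
        if user == "<root_account>":
            if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
                findings.append((user, "root has active access keys; delete them"))
            if row["mfa_active"] != "true":
                findings.append((user, "root has no MFA"))
            continue
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > MAX_KEY_AGE:
                findings.append((user, f"access key {n} not rotated for {(now - rotated).days} days"))
            last_used = parse_ts(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - last_used > MAX_KEY_IDLE:
                findings.append((user, f"access key {n} unused for {(now - last_used).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_report(SAMPLE_REPORT):
        print(f"{user:15} {finding}")
```

On the sample data this flags the root account twice (active key, no MFA), `alice` once for a key past its rotation window, `bob` five times (no MFA, two stale keys, one idle and one never-used key) and the `svc-deploy` service user once for an old key that is still in daily use. The same function works on a real report: download it from the console as in the steps above, or fetch it with `aws iam generate-credential-report` followed by `aws iam get-credential-report`, whose `Content` field is the base64-encoded CSV.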