
How to use AWS and Vanta for identity and access management
This blog is part of a series about how to use Vanta and AWS to simplify your organization’s cloud security. To learn more about how to use Vanta and AWS, watch our Coffee and Compliance on-demand webinar.
Amazon Web Services, or AWS, is one of the most popular cloud providers for organizations today, providing one of the most flexible and secure cloud environments available. When it comes to security, AWS uses what’s called a Shared Responsibility Model, meaning that AWS handles the security of the cloud itself while its customers are responsible for securing what they deploy to their cloud environment.
In this model, AWS secures the physical infrastructure, the facilities, computing, and the building blocks while customers must secure the workloads and applications that they deploy to the cloud. This is where the AWS integration with Vanta makes a huge difference in how you secure and manage your cloud deployments.
In this blog series, we’ll show you how to use Vanta to help you secure the portions of your cloud environment that AWS customers are responsible for, starting first with identity and access management.
How Vanta and AWS work together
Vanta integrates with various AWS products to help you automate security. Some of these areas include:
- Identity and access management
- Vulnerability assessment
- Continuous monitoring of the environment
- Remediation alerts
- Compliance reports for common standards
When it comes to identity and access management, Vanta integrates with AWS IAM to help you manage access rights for users within your systems or network. AWS IAM is a web service that helps you securely control access to AWS resources and enables you to centrally manage permissions to those resources.
In AWS’ shared responsibility model, identity and access management is the sole responsibility of the customer, which is why it’s important to have the proper controls in place to protect your cloud environment from unauthorized access.
Foundations for identity and access management in AWS
To ensure you’re providing access to your cloud environment to the right people while keeping people who shouldn't have access out, AWS recommends that you follow these best practices as a baseline for protecting your deployments:
- Establish a strong password policy: AWS requires its customers to create strong password policies to prevent access through brute force or social engineering. For the latest recommendations, refer to the CIS Password Policy Guide.
- Use multi-factor authentication: AWS also requires multi-factor authentication for the root account and for every IAM user. AWS also recommends that you don't use the root user for day-to-day activities. If you need elevated privileges, create an administrative user and perform all account actions using other IAM identities that are scoped to your job role.
- Monitor activity: Log all events using CloudTrail and set up alerts through CloudWatch and SNS to notify you whenever the root user is used and what it does. This ensures that you’ll be notified if there's a breach.
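The monitoring item above, worked through as an added example that is not code from the post or from Vanta: a small Python detector that applies the CIS-style CloudTrail metric filter for root usage, plus a check for console logins without MFA, to constructed CloudTrail records. The account ID, user names and IP addresses in the sample are made up.

```python
import json

# CloudWatch metric filter pattern commonly used for "root account usage"
# (CIS AWS Foundations style). The Python check below mirrors it exactly.
CIS_ROOT_USAGE_FILTER = (
    '{ $.userIdentity.type = "Root" && $.userIdentity.invokedBy NOT EXISTS '
    '&& $.eventType != "AwsServiceEvent" }'
)

# Constructed sample records (not real log data) covering the interesting cases.
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "additionalEventData": {"MFAUsed": "No"}, "sourceIPAddress": "198.51.100.7"},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "additionalEventData": {"MFAUsed": "Yes"}, "sourceIPAddress": "203.0.113.9"},
    {"eventName": "CreateUser", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "203.0.113.10"},
    {"eventName": "CreateAccessKey", "eventSource": "iam.amazonaws.com",
     "userIdentity": {"type": "Root", "arn": "arn:aws:iam::123456789012:root"},
     "sourceIPAddress": "198.51.100.7"},
]

def is_root_activity(event):
    """True when the root user acted directly (not via an AWS service on its behalf)."""
    identity = event.get("userIdentity", {})
    return (identity.get("type") == "Root"
            and "invokedBy" not in identity
            and event.get("eventType") != "AwsServiceEvent")

def is_console_login_without_mfa(event):
    """True for a console sign-in where CloudTrail did not record MFA being used."""
    return (event.get("eventName") == "ConsoleLogin"
            and event.get("additionalEventData", {}).get("MFAUsed") != "Yes")

def find_alerts(events):
    """Return (rule, eventName, sourceIP) tuples for every record that should alert."""
    alerts = []
    for ev in events:
        if is_root_activity(ev):
            alerts.append(("root-activity", ev["eventName"], ev.get("sourceIPAddress")))
        if is_console_login_without_mfa(ev):
            alerts.append(("console-login-without-mfa", ev["eventName"], ev.get("sourceIPAddress")))
    return alerts

def load_cloudtrail_records(text):
    """CloudTrail log files are JSON objects with a top-level "Records" list."""
    return json.loads(text).get("Records", [])

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(*alert)
```

In a live setup the same two patterns would be CloudWatch metric filters with an SNS-backed alarm, so a root login without MFA fires twice, which is the intended redundancy.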
By applying Vanta to the identity and access management needs of your AWS instance, you’ll be able to test your environment against these best practices. The platform can then give you alerts if your environment does not meet these requirements and gives you visibility into your overall security posture.
Advancing your security with AWS and Vanta
Most security teams will have likely already implemented the foundational best practices mentioned above in their AWS cloud environment. Here are some of the more advanced capabilities of AWS IAM and how you can use Vanta to stay secure:
- Set role permissions: A role represents a set of permissions that can be assumed by a person or service for a configurable period of time. Assign an IAM role directly to EC2 instances, Fargate tasks, Lambda functions, or other AWS compute services, so that applications that use the AWS SDK or run in those compute environments automatically use the role's credentials for authentication.
- Limit permissions by task: When you set permissions with IAM policies, grant only the permissions required to perform a task. You can do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privileged permissions.
- Restrict credential usage: You can limit the scope of what a user can do with IAM policy permissions. There are two primary ways to do this:
  - Create identity-based policies, which you attach to the principal to define what it can access within the environment.
  - Create resource-based policies, which are attached to resources such as an S3 bucket or a VPC endpoint. These policies specify which principals can access that resource, which actions they can perform, and any other conditions that you define.
- Define how conflicting policies are resolved: Establish a policy that outlines which policies override others. Ensure that all requests are implicitly denied by default, with the exception of the AWS root account user, and that an explicit deny always overrides an explicit allow. You can then add explicit allow statements on top of that baseline.
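The last three items above (least-privileged permissions, identity-based versus resource-based policies, and the deny-by-default evaluation order) carried through as an added example that is not code from the post or from Vanta. It is a deliberately simplified same-account evaluator: only wildcard matching and the Bool condition operator are modelled, the root user is not, and the bucket name, user ARN and account ID are constructed.

```python
from fnmatch import fnmatchcase

def _matches(patterns, value):
    """IAM-style wildcard match ('*', '?') over a string or a list of strings."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)

def _condition_holds(condition, context):
    """Only the Bool operator is modelled, enough for an MFA-required condition."""
    return all(str(context.get(k, False)).lower() == str(v).lower()
               for k, v in condition.get("Bool", {}).items())

def _principal_matches(statement, principal):
    """Identity-based statements carry no Principal; resource-based ones do."""
    spec = statement.get("Principal", "*")
    return spec == "*" or _matches(spec.get("AWS", []), principal)

# Constructed identity-based policy for alice: read-only on one bucket, MFA required.
IDENTITY_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-logs", "arn:aws:s3:::app-logs/*"],
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

# Constructed resource-based (bucket) policy: nobody may delete, alice may read.
BUCKET_POLICY = {"Statement": [
    {"Effect": "Deny", "Principal": "*", "Action": "s3:DeleteObject",
     "Resource": "arn:aws:s3:::app-logs/*"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/alice"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-logs/*"}]}

def evaluate(request, policies):
    """Evaluate one request against the requesting principal's identity policies
    plus the target resource's policy: an explicit Deny anywhere wins, otherwise
    any matching Allow grants access, otherwise the default implicit deny applies."""
    decision = "ImplicitDeny"
    for policy in policies:
        for st in policy["Statement"]:
            applies = (_principal_matches(st, request["principal"])
                       and _matches(st["Action"], request["action"])
                       and _matches(st["Resource"], request["resource"])
                       and _condition_holds(st.get("Condition", {}),
                                            request.get("context", {})))
            if not applies:
                continue
            if st["Effect"] == "Deny":
                return "ExplicitDeny"  # explicit deny overrides any allow
            decision = "Allow"
    return decision
```

A request such as `{"principal": alice_arn, "action": "s3:DeleteObject", "resource": "arn:aws:s3:::app-logs/a.log", "context": {"aws:MultiFactorAuthPresent": True}}` evaluates to `ExplicitDeny` even though alice has an Allow, while a read without MFA on the bucket listing falls through to `ImplicitDeny`.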
These are powerful AWS configurations that can help you protect your cloud environment and maintain a least-privileged environment. However, managing this type of environment can get complex.
Vanta can surface these configurations and settings to help you manage them more effectively. It can also help you surface your inventory, test your configurations, and send you alerts to help you maintain a strong security posture. Vanta can also help you understand how identities relate to other systems outside of AWS — for example, identifying which systems outside of AWS an off-boarded employee may still have access to — making it easier for you to manage access across your entire ecosystem.
To learn more about how to use Vanta and AWS, watch our Coffee and Compliance webinar recording.