We recommend the following best practices to help secure your resource for IAM.
- Lock away your root user access keys—Do not use the root user for your tasks. Instead, use your root user credentials only to create your IAM admin user. Then securely lock away the root user credentials and use them to perform only a few account-management and service-management tasks. Use roles to delegate permissions for the work.
- Use roles to delegate permissions—Assume an IAM role by using Secure Token Service operations to receive a temporary credentials role session. This is more secure than using your access key credentials. A session has a limited duration, which reduces your risk if your credentials are compromised.
- Grant least privilege—When you create IAM policies, follow the standard security advice of granting least privilege, or granting only the permissions required to perform a task. Determine what users (and roles) need to do and then craft policies that allow them to perform only those tasks. Starting with a minimum set of permissions and grant additional permissions as necessary.
- Review IAM permissions regularly—Regularly review and monitor each of your IAM policies. Ensure that your policies grant the least privilege that is needed to perform only the necessary actions.
- Use roles for applications—Use IAM roles for applications in a secure way. A role is an entity that has its own set of permissions but that is not a user or user group.
- Do not share access keys—Do not embed access keys within unencrypted code or share these security credentials between users.
- Rotate credentials regularly—Change your access keys regularly and ensure that all IAM users in your account do so as well.
- Remove unnecessary credentials—Regularly review IAM users and remove IAM user credentials that are not needed.