3.4.1.8. Managing Permissions to Control Access to Human & Machine Identities (MFA, STS, IAM Profiles)

First Principle: Robust access management ensures all AWS resource interactions are authenticated, authorized, and secured, minimizing unauthorized actions for human and machine identities.

Adhering to the principle of least privilege, this is crucial.

• Multi-Factor Authentication (MFA): Adds critical extra security for human users, requiring a second verification method beyond a password, significantly reducing credential compromise risk.
• AWS Security Token Service (STS): Provides temporary, limited-privilege credentials for users/roles, enabling secure programmatic/cross-account access without sharing permanent credentials.
• IAM Instance Profiles: Securely deliver temporary credentials to EC2 instances, allowing applications to access other AWS services without embedding static access keys, avoiding hardcoded credentials, simplifying rotation, and enhancing security.

Key Tools for Managing Access to Human & Machine Identities:

• MFA: Extra security layer for human users.
• AWS STS: Provides temporary, limited-privilege credentials.
• IAM Instance Profiles: Securely provide credentials to EC2 instances.

Scenario: A DevOps team needs to secure access to their AWS root account and administrative IAM users. Additionally, applications running on EC2 instances need to securely access S3 buckets without embedding static credentials in code.

Reflection Question: How would you use Multi-Factor Authentication (MFA) for human users and IAM Instance Profiles (which leverage AWS STS) for machine identities to establish robust access management, ensuring all AWS resource interactions are authenticated and authorized with temporary, least-privilege credentials?

💡 Tip: Consider the security trade-offs between long-term IAM user credentials and temporary credentials (STS/IAM roles). Temporary credentials generally offer a stronger security posture due to their limited lifespan.