ACCOUNT MANAGEMENT
DELETE/DEACTIVATE ACCOUNTS THAT HAVE BEEN INACTIVE FOR X DAYS
This is hard to put in place in a digital services company (but still worth doing): you have to check periodically that the accounts that exist are both used and usable.
If an account has not been active for several weeks/months, it is necessary to ask yourself a few questions:
Does the user still need this account?
Does the user still know how to connect?
Has the user ever logged in at all? If not, go back to the previous questions.
AWS query (PasswordLastUsed shows the last console login of each user):
aws iam list-users --query 'Users[].[UserName,CreateDate,PasswordLastUsed]' --output table
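The list-users output only covers console logins; a user who works with access keys alone would look idle. The IAM credential report carries the last-used date of the password and of both access keys, so the inactivity check is easier to run on it. The script below is an added example, not part of the original checklist: it parses the CSV that `aws iam generate-credential-report` followed by `aws iam get-credential-report --query Content --output text | base64 -d` returns, using a constructed sample (placeholder account id, only the columns the check needs) and a fixed "now" so the result is reproducible.

```python
"""Flag IAM users that have been inactive for more than X days.

Added example, not part of the original checklist. Parses the credential
report CSV produced by `aws iam generate-credential-report` and
`aws iam get-credential-report --query Content --output text | base64 -d`.
The report below is a constructed sample that keeps only the columns used.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Markers AWS writes in place of a date when there is nothing to report.
NO_DATE = {"N/A", "no_information", "not_supported", ""}

# Constructed sample: header and rows use the real report column names.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2021-01-01T00:00:00+00:00,not_supported,2024-05-01T00:00:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-01-10T00:00:00+00:00,true,2024-05-28T00:00:00+00:00,true,2024-05-30T00:00:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-03-01T00:00:00+00:00,true,2023-11-15T00:00:00+00:00,false,N/A,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2024-01-20T00:00:00+00:00,true,no_information,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2024-05-20T00:00:00+00:00,false,not_supported,true,N/A,false,N/A
"""

# Fixed "now" so the sample gives stable results; use datetime.now(timezone.utc) live.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_date(value):
    """Return an aware datetime, or None for the AWS 'no date' markers."""
    return None if value in NO_DATE else datetime.fromisoformat(value)


def last_activity(row):
    """Most recent console login or access-key use; None if the user never did either."""
    columns = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    dates = [d for d in (parse_date(row[c]) for c in columns) if d is not None]
    return max(dates) if dates else None


def find_inactive_users(report_csv, max_days, now=NOW):
    """Return (user, reason, days) for users with no activity in the last max_days.

    A user who never logged in at all is aged from the creation date instead,
    which answers the "has the user ever logged in?" question directly.
    """
    limit = timedelta(days=max_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":
            continue  # root cannot be deleted; review it separately
        last = last_activity(row)
        if last is None:
            age = now - parse_date(row["user_creation_time"])
            if age > limit:
                findings.append((row["user"], "never used", age.days))
        elif now - last > limit:
            findings.append((row["user"], "inactive", (now - last).days))
    return findings


if __name__ == "__main__":
    for user, reason, days in find_inactive_users(SAMPLE_REPORT, max_days=90):
        print(f"{user}: {reason} for {days} days")
```

With the 90-day threshold the sample flags bob (last login 199 days ago) and carol (created 133 days ago, never used); alice and dave are left alone. Rather than deleting on the spot, a common workflow is to deactivate first (`aws iam update-login-profile` / `aws iam update-access-key --status Inactive`) and delete after a grace period, so that a user who was merely on leave can be restored without recreating keys.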
PASSWORD AND ACCESS KEY POLICY
As for all infrastructures, it is important to define a password management policy.
Since the risks and the likelihood of exploitation differ from those of your internal networks, this policy may well be specific to your cloud infrastructure.
Remember:
Lengths (max and min) of passwords,
Complexity,
Reusability,
Lifetime (max and min).
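On AWS the account-level password policy is what enforces these points for IAM users, and it only exposes a minimum length and a maximum age (the maximum length is fixed at 128 and there is no minimum lifetime), so the checklist's "max length" and "min lifetime" cannot be enforced there. The audit below is an added example, not part of the original checklist: it takes the `PasswordPolicy` object that `aws iam get-account-password-policy` returns (or None when that call fails with NoSuchEntity because no custom policy exists) and compares it to a baseline whose thresholds are this example's assumptions, not AWS guidance. Both sample policies are constructed in the shape the API returns.

```python
"""Audit the IAM account password policy against a baseline.

Added example, not part of the original checklist. Input is the PasswordPolicy
object from `aws iam get-account-password-policy`; pass None when that call
raises NoSuchEntity (no custom policy set). Baseline values are assumptions.
"""

# Assumed baseline for the checks below.
BASELINE = {
    "min_length": 14,        # MinimumPasswordLength must be at least this
    "reuse_prevention": 24,  # PasswordReusePrevention must be at least this
    "max_age_days": 90,      # MaxPasswordAge must be set and at most this
}

COMPLEXITY_FLAGS = (
    "RequireSymbols",
    "RequireNumbers",
    "RequireUppercaseCharacters",
    "RequireLowercaseCharacters",
)


def audit_password_policy(policy, baseline=BASELINE):
    """Return a list of (check, detail) findings; an empty list means compliant."""
    if policy is None:
        return [("no_policy", "no custom password policy set; AWS defaults apply")]
    findings = []

    length = policy.get("MinimumPasswordLength", 0)
    if length < baseline["min_length"]:
        findings.append(("min_length", f"{length} < {baseline['min_length']}"))

    missing = [flag for flag in COMPLEXITY_FLAGS if not policy.get(flag, False)]
    if missing:
        findings.append(("complexity", "not required: " + ", ".join(missing)))

    # The key is absent from the API response when reuse prevention is off.
    reuse = policy.get("PasswordReusePrevention", 0)
    if reuse < baseline["reuse_prevention"]:
        findings.append(("reuse", f"{reuse} remembered, need {baseline['reuse_prevention']}"))

    # MaxPasswordAge is only present when ExpirePasswords is true.
    if not policy.get("ExpirePasswords", False):
        findings.append(("max_age", "passwords never expire"))
    elif policy.get("MaxPasswordAge", 0) > baseline["max_age_days"]:
        findings.append(("max_age", f"{policy['MaxPasswordAge']} days > {baseline['max_age_days']}"))

    return findings


# Constructed samples in the shape the API returns.
WEAK_POLICY = {
    "MinimumPasswordLength": 8,
    "RequireSymbols": False,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": False,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": False,
}

HARDENED_POLICY = {
    "MinimumPasswordLength": 14,
    "RequireSymbols": True,
    "RequireNumbers": True,
    "RequireUppercaseCharacters": True,
    "RequireLowercaseCharacters": True,
    "AllowUsersToChangePassword": True,
    "ExpirePasswords": True,
    "MaxPasswordAge": 90,
    "PasswordReusePrevention": 24,
    "HardExpiry": False,
}


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY), ("none", None)):
        print(name, audit_password_policy(policy) or "compliant")
```

The weak sample produces one finding per checklist item (length, complexity, reuse, lifetime); the hardened one produces none. The corresponding settings are applied with `aws iam update-account-password-policy` and its `--minimum-password-length`, `--require-symbols`, `--require-numbers`, `--require-uppercase-characters`, `--require-lowercase-characters`, `--max-password-age` and `--password-reuse-prevention` options. Access keys have no equivalent policy object; their age comes from the credential report's `access_key_N_last_rotated` columns and has to be checked by script.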
DO NOT ENABLE FULL RIGHTS
As always, it is recommended to follow the principle of least privilege, i.e. provide only the strictly necessary rights to your users.
Granting more rights than needed, and full administrator rights in particular, is the surest way to put your infrastructure at risk.
AWS query (lists customer-managed policies whose default version allows every action on every resource; AWS-managed policies such as AdministratorAccess are excluded by --scope Local, so check their attachments separately):
aws iam list-policies --scope Local --output json \
  | jq -r '.Policies[] | [.Arn, .PolicyName, .DefaultVersionId] | @tsv' \
  | while IFS=$'\t' read -r POLICY_ARN POLICY_NAME VERSION_ID; do
      aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$VERSION_ID" \
        --query 'PolicyVersion.Document' --output json \
        | jq -r --arg arn "$POLICY_ARN" --arg name "$POLICY_NAME" '
            [.Statement] | flatten[]
            | select(.Effect == "Allow")
            | select(([.Action] | flatten) | index("*"))
            | select(([.Resource] | flatten) | index("*"))
            | [$arn, $name, (.Sid // "-")] | @csv'
    done
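A policy document can take several shapes (`Statement` as one object or a list, `Action` and `Resource` as a string or a list), and a `NotAction` statement on `Resource: "*"` is nearly as broad as `Action: "*"`, so it is worth having an evaluator that handles all of them and can be unit-tested offline. The one below is an added example, not part of the original checklist or of any AWS tooling; it reads a document in the form `aws iam get-policy-version --query PolicyVersion.Document` returns it, and the sample documents are constructed.

```python
"""Find policy statements that grant every action on every resource.

Added example, not part of the original checklist. Reads policy documents as
returned by `aws iam get-policy-version --query PolicyVersion.Document`.
The sample documents below are constructed.
"""
import json


def as_list(value):
    """Normalise a policy field that may be absent, a string, or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def overly_broad_statements(document):
    """Return (sid, kind) for each Allow statement that is effectively unrestricted.

    kind is "full" for Action "*" on Resource "*", and "not_action" for a
    NotAction statement on Resource "*" (everything except the listed actions).
    """
    findings = []
    for index, stmt in enumerate(as_list(document.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        if "*" in as_list(stmt.get("Action")):
            findings.append((sid, "full"))
        elif "NotAction" in stmt:
            findings.append((sid, "not_action"))
    return findings


def grants_full_access(document):
    """True if any statement is an unconditional Allow of * on *."""
    return any(kind == "full" for _, kind in overly_broad_statements(document))


# Constructed sample documents.
ADMIN_DOC = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
ADMIN_LIST_DOC = {"Version": "2012-10-17",
                  "Statement": [{"Sid": "Everything", "Effect": "Allow",
                                 "Action": ["*"], "Resource": ["*"]}]}
NOT_ACTION_DOC = {"Version": "2012-10-17",
                  "Statement": [{"Sid": "AllButIam", "Effect": "Allow",
                                 "NotAction": "iam:*", "Resource": "*"}]}
SCOPED_DOC = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "*"},
                            {"Effect": "Deny", "Action": "*", "Resource": "*"}]}


if __name__ == "__main__":
    import sys
    # Usage: aws iam get-policy-version --policy-arn ARN --version-id vN \
    #          --query PolicyVersion.Document --output json | python3 find_full_access.py
    for sid, kind in overly_broad_statements(json.load(sys.stdin)):
        print(f"{sid}: {kind}")
```

The script reports which statement is at fault rather than only the policy name, which is what you need when the fix is to narrow one statement instead of deleting the policy. Inline policies (`aws iam get-user-policy`, `get-role-policy`, `get-group-policy`) return the same document shape and can be fed through the same function.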
CREATE A ROLE FOR INCIDENT MANAGEMENT
The cloud inherits the bad habits already found in on-premises infrastructures, such as the classic "I gave them the domain administrator account so they could change the password".
This is why it is important to create a dedicated role that lets users manage incidents with AWS Support, instead of handing out administrator rights for that purpose.
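The following is an added example of such a role, not part of the original checklist: it attaches the AWS managed policy AWSSupportAccess (which grants the `support:*` actions and nothing else) to a role that only principals of the same account can assume, and only with MFA. The role name, the account id and the MFA requirement are this example's assumptions; the IAM client is passed in (a boto3 `client("iam")` in practice) so the module can be imported and exercised with the stub at the bottom without network access.

```python
"""Create a dedicated role for opening and managing AWS Support cases.

Added example, not part of the original checklist. AWSSupportAccess is a real
AWS managed policy; role name, account id and the MFA condition are assumptions.
"""
import json

SUPPORT_POLICY_ARN = "arn:aws:iam::aws:policy/AWSSupportAccess"


def build_trust_policy(account_id):
    """Let principals of this account assume the role, but only with MFA present."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def create_support_role(iam, account_id, role_name="IncidentSupportRole"):
    """Create the role and attach only the managed support policy.

    iam: a boto3 IAM client, or any object exposing create_role and
    attach_role_policy with the same keyword arguments.
    """
    iam.create_role(
        RoleName=role_name,
        AssumeRolePolicyDocument=json.dumps(build_trust_policy(account_id)),
        Description="Open and manage AWS Support cases during incidents",
        MaxSessionDuration=3600,  # one hour; re-assume with MFA for longer incidents
    )
    iam.attach_role_policy(RoleName=role_name, PolicyArn=SUPPORT_POLICY_ARN)
    return role_name


class RecordingClient:
    """Stub standing in for boto3's IAM client; records the calls for inspection."""

    def __init__(self):
        self.calls = []

    def create_role(self, **kwargs):
        self.calls.append(("create_role", kwargs))

    def attach_role_policy(self, **kwargs):
        self.calls.append(("attach_role_policy", kwargs))


if __name__ == "__main__":
    client = RecordingClient()  # swap for boto3.client("iam") to run for real
    create_support_role(client, "123456789012")  # constructed placeholder account id
    for name, kwargs in client.calls:
        print(name, json.dumps(kwargs, indent=2))
```

Because the trust policy names the account root as principal, who may actually assume the role is still decided by each user's own IAM permissions on `sts:AssumeRole` for this role ARN, which keeps the list of incident responders in one place. Nothing beyond `support:*` is attached, so a responder who needs to act on resources during an incident gets a separate, scoped role rather than an extension of this one.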