

Remove AWS security credentials for outgoing employees

Personnel changes are inevitable at an enterprise, and security teams need to revoke AWS credentials accordingly to ensure the integrity of their cloud data.

When employees leave a company, they often do so with knowledge of the organization's sensitive data. While you can't erase that information from a person's mind, you should immediately revoke the employee's AWS security credentials for every system they could reach, to safeguard your organization's data.

First, remove the employee's AWS Identity and Access Management (IAM) user credentials so that all resources become inaccessible. When you delete an IAM user in the AWS Management Console, the console also removes that user's AWS security credentials and dependencies, including the password and access keys, and drops the user from its groups.

In general, it's not a good practice to attach policies directly to individual IAM users. Instead, use IAM groups to assign the right level of access to users. Create groups for the various tasks and job roles, such as administrators and developers, and assign the required policies to each group. When you apply a policy at the group level, it cascades to every user in that group. When an employee moves to a different department, move the user to a different group to provide the new set of privileges.

If you enabled federation, also disable single sign-on (SSO) access for an employee who leaves, and delete his or her user ID from your directory. While AWS SSO removes the complexity of user account management and increases worker productivity, you must disable access for an employee who leaves, or face the consequences of a still-valid login. For example, a departing employee could share his or her password with an unauthorized person. With that unauthorized access, this person could then create risk in the environment or increase your cloud bill many times over, depending on the privileges and AWS security credentials the person gains.

As part of the shared responsibility model, it's up to admins to correctly manage AWS access keys, which grant programmatic access to Amazon cloud services, so that only the intended users hold them. Rather than generate access keys for the root user, generate them only for individual IAM users. Additionally, never give a user another person's access keys. If this happens, the user will have the same level of access to the AWS account as the keys' owner.

Also, if an employee with access to multiple keys were to leave, rotate all of those keys. In general, it's a best practice to rotate keys regularly, use distinct keys for different applications and delete any unused keys.
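The console's "delete user" performs the whole revocation sequence above in one click, but an offboarding script has to do each step itself, because DeleteUser fails while any credential, MFA device, group membership or policy remains. The following example is added here and is not code from the article; it assumes boto3 and an identity permitted to modify the target user, and the `offboard_iam_user` function name is ours.

```python
"""Offboard an IAM user with the AWS SDK (boto3), mirroring what the console's
"delete user" does in one click. Example code, not from the original article."""


def offboard_iam_user(iam, user_name):
    """Revoke every credential attached to user_name, then delete the user.

    iam is a boto3 IAM client (or any object with the same method names).
    Returns the list of revocation steps performed, for the audit log.
    """
    done = []
    # 1. Access keys: the programmatic credentials that must go first.
    for key in iam.list_access_keys(UserName=user_name)["AccessKeyMetadata"]:
        iam.delete_access_key(UserName=user_name, AccessKeyId=key["AccessKeyId"])
        done.append(f"deleted access key {key['AccessKeyId']}")
    # 2. Console password (login profile); API-only users have none.
    try:
        iam.delete_login_profile(UserName=user_name)
        done.append("deleted console password")
    except iam.exceptions.NoSuchEntityException:
        pass
    # 3. MFA devices must be deactivated before DeleteUser will succeed.
    for mfa in iam.list_mfa_devices(UserName=user_name)["MFADevices"]:
        iam.deactivate_mfa_device(UserName=user_name, SerialNumber=mfa["SerialNumber"])
        done.append(f"deactivated MFA device {mfa['SerialNumber']}")
    # 4. Group membership, where policies should normally be assigned.
    for group in iam.list_groups_for_user(UserName=user_name)["Groups"]:
        iam.remove_user_from_group(GroupName=group["GroupName"], UserName=user_name)
        done.append(f"removed from group {group['GroupName']}")
    # 5. Policies attached directly to the user, managed and inline.
    for pol in iam.list_attached_user_policies(UserName=user_name)["AttachedPolicies"]:
        iam.detach_user_policy(UserName=user_name, PolicyArn=pol["PolicyArn"])
        done.append(f"detached policy {pol['PolicyArn']}")
    for name in iam.list_user_policies(UserName=user_name)["PolicyNames"]:
        iam.delete_user_policy(UserName=user_name, PolicyName=name)
        done.append(f"deleted inline policy {name}")
    # 6. Only now does DeleteUser succeed; nothing remains that could authenticate.
    iam.delete_user(UserName=user_name)
    done.append(f"deleted user {user_name}")
    return done


if __name__ == "__main__":
    import sys
    import boto3  # real client; needs credentials allowed to modify the user

    for step in offboard_iam_user(boto3.client("iam"), sys.argv[1]):
        print(step)
```

Signing certificates, CodeCommit SSH keys and service-specific credentials also block DeleteUser; add the matching list/delete calls if your users carry them.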

This was last published in May 2018
