When employees leave a company, they often do so with knowledge of the organization's sensitive data. While you...
can't erase that information from a person's mind, you should immediately delete the employee's AWS security credentials to all systems to safeguard your organization's data.
First, remove the employee's AWS Identity and Access Management (IAM) user credentials so that all resources are inaccessible. When you delete an IAM user in the AWS Management Console, it also deletes that user's AWS security credentials, including group membership, password and access keys.
In general, it's not a good practice to directly attach policies to individual IAM users. Instead, use security groups to assign the right level of access for users. Create groups for various tasks and job roles, such as administrators and developers, and assign required policies to a group. When you apply a policy at the group level, it cascades to each user in that group. When an employee moves to a different department, move the user to a different group to provide a new set of privileges.
If you enabled federation, also disable single sign-on (SSO) access for an employee who leaves, and delete his or her user ID from your directory. While AWS SSO removes the complexity of user account management and increases worker productivity, you must disable access for an employee who leaves, or face potential consequences. For example, a departing employee could share his or her password with an unauthorized person. With illegal access, this person could then create risk in the environment or increase your cloud bill multifold, depending on the privileges and AWS security credentials the person gains.
As part of the shared responsibility model, it's up to admins to correctly manage AWS access keys to avoid giving users programmatic access to Amazon cloud services. Rather than generate access keys for the root user, generate them only for individual IAM users. Additionally, never grant a user access to another person's access keys. If this happens, the user will have the same level of access to an AWS account as the owner.
Also, if an employee with access to multiple keys were to leave, rotate all the keys. In general, it's best practice to regularly rotate keys, use distinct keys for different applications and delete any unused keys.
Dig Deeper on AWS compliance, governance, privacy and regulations
Related Q&A from Ofir Nachmani
While Amazon CloudFront can make traffic spikes more manageable, IT teams still need to carefully prepare their environment for these increases in ... Continue Reading
Some AWS users should consider a third-party tool to find better visibility into their network infrastructure and traffic patterns instead of relying... Continue Reading
Not sure when to normalize data in Amazon DynamoDB? Follow these three examples to learn more about the normalization process and how it can play a ... Continue Reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.