Access credentials are a critical part of working with cloud providers and their services. And, as administrators add new workloads or services into an AWS deployment, they must be sure to properly organize and enforce access policies.
Admins must control root account credentials to manage all AWS resources, so it is vital to avoid distributing these credential types, as it could leave a business vulnerable to a potentially devastating hack. Never use root credentials for routine interactions with AWS APIs or other services.
Admins should also deploy AWS credential management technologies, including Identity and Access Management (IAM) users, roles and security groups. If another user needs access to an AWS account, create an individual IAM user and assign the required privileges to grant access. Use security groups to assign permissions based on a role or purpose. Combine these IAM technologies with least-privilege policies to limit which users can access specific services, and to ensure they can only access the services they need.
There are additional tactics to improve AWS credential management, including strong password enforcement, regular credential rotation, removal of unnecessary AWS credentials and even multifactor authentication requirements for users. These can help ensure the security of AWS resources.