Using built-in groups is a common practice in organizations running Microsoft's Active Directory. One of these groups, Account Operators, is commonly used for basic user administration. As an organization grows, the dangers of using this group grow with it. If the use of Account Operators continues without review and governance, security gaps are added to the organization.
Upon completion of Active Directory Gap Analyses, I've noticed that businesses often use Account Operators as the easy way to delegate the management of users and groups.
In Amazon’s IAM Best Practices guide, the recommendation for MFA states:
We recommend that you require multi-factor authentication (MFA) for all users in your account. MFA is often used as a stopgap against malicious attacks. Knowing that identity is the first security boundary of your AWS environment, please ENABLE MFA for all users in your account. By enabling MFA you can assure that the administrators logging into the AWS console are authorized to do so.
Working through flaws.cloud with PowerShell
I needed to list all the accounts created as IAM users inside all the AWS Organizations for a business. I wanted to list all the administrators of the organizations, those people who can make sweeping changes to an environment. My end goal was to make sure that everyone who has direct IAM console administrator access was using MFA.
I wanted this audit report: A list of users in each organization with their MFA status.
Viewing access key usage in IAM was introduced in Q2 2015. AWS Organizations was introduced in Q4 2016. The blog post describing how to search for IAM access key usage via CloudTrail was written in Q1 2019. Listing all access key usage in IAM across all AWS Organizations is introduced today, in Q3 2019.
This list comes in handy when you have to gather all the API keys for auditing and governance requirements.
There are multiple recommendations floating around security discussion boards on password policies. Some people recommend rotating passwords, which was a NIST recommendation in years past. NIST has recently revised its password recommendations to drop the recommendation of password expiration and password composition rules. Microsoft maps its policy to the NIST recommendations, and Microsoft no longer recommends forcing the change or rotation of users' passwords.
Microsoft recommends adopting the following modern password policy based on NIST guidance. From Microsoft's 5 Steps to Secure Your Identity Infrastructure: Require that passwords have at least 8 characters.