IAM Checklist
(Compiled from AWS, Azure, Google and other community sources)
Authentication
- Use single sign-on (SSO) solutions to simplify user authentication.
- Do not allow weak passwords or passwords that are too easily guessed for user authentication.
- Do not store user passwords in clear text on the cloud server.
- Enforce strong password policies, such as password complexity and expiration.
- Use encryption for transmitted authentication data.
- Use two-factor authentication for cloud services.
- Implement multi-factor authentication (MFA) solutions to improve security.
- Supplement cloud-based authentication solutions with on-premise authentication solutions.
- Consider different levels of security and authentication requirements for each service when using a single authentication mechanism for all cloud services.
- Use third-party authentication services to verify user identities.
- Use biometric authentication solutions as an additional layer of protection.
- Do not rely on common username/password combinations for authentication.
Groups and Roles
- Establish a clear authorization policy for access to cloud services.
- Define user roles and permissions for each cloud service.
- Limit access to cloud services to only those who need it.
- Use hierarchical role-based access control (RBAC) to simplify access management.
- Establish an identity federation strategy to manage user access across multiple cloud services.
- Implement an access control policy for each cloud service.
- Use role-based authentication to control access to cloud services.
- Use identity protection services to detect and prevent identity theft.
- Use federated identity and access management solutions to manage user identities across multiple cloud services.
- Properly configure user roles and permissions for the cloud services.
- Use a central identity provider to manage user accounts across multiple cloud services.
Monitoring
- Monitor access logs and audit trails for suspicious activity.
- Use automated tools to detect suspicious activity in the cloud.
- Use secure authentication protocols such as OAuth or OpenID Connect.
- Implement account lockout policies to prevent brute-force attacks.
- Regularly update authentication protocols and software to protect against security vulnerabilities.
- Regularly train users on proper authentication procedures.
- Use physical tokens or smart cards for two-factor authentication.
- Use regular reviews and audits to ensure that users have the appropriate access.
- Establish a process for managing access requests and revoking access when no longer needed.
- Utilize automated tools to detect and block suspicious user activities.
- Regularly review access logs and audit trails for suspicious activity.
- Implement password rotation policies to ensure users are regularly updating their credentials.
- Leverage identity management solutions to manage user accounts and access rights.
- Use identity and access management (IAM) solutions to enable secure user authentication.
- Leverage SSO solutions to simplify and secure authentication for cloud services.
- Utilize IAM solutions to enable secure access to cloud services for external users.
- Use IAM solutions to simplify user onboarding and offboarding processes.
Antipatterns
- Permits automated attacks such as credential stuffing, where the attacker has a list of valid usernames and passwords.
- Permits brute force or other automated attacks.
- Permits default, weak, or well-known passwords, such as "Password1" or "admin/admin".
- Uses weak or ineffective credential recovery and forgot-password processes, such as "knowledge-based answers," which cannot be made safe.
- Uses plain text, encrypted, or weakly hashed password data stores (see A02:2021-Cryptographic Failures).
- Has missing or ineffective multi-factor authentication.
- Exposes session identifier in the URL.
- Reuses the session identifier after successful login.
- Does not correctly invalidate session IDs. User sessions or authentication tokens (mainly single sign-on (SSO) tokens) aren't properly invalidated during logout or after a period of inactivity.
OWASP - Prevent Broken Access Control
- Except for public resources, deny by default.
- Implement access control mechanisms once and re-use them throughout the application, including minimizing Cross-Origin Resource Sharing (CORS) usage.
- Model access controls should enforce record ownership rather than accepting that the user can create, read, update, or delete any record.
- Unique application business limit requirements should be enforced by domain models.
- Disable web server directory listing and ensure file metadata (e.g., .git) and backup files are not present within web roots.
- Log access control failures, alert admins when appropriate (e.g., repeated failures).
- Rate limit API and controller access to minimize the harm from automated attack tooling.
- Stateful session identifiers should be invalidated on the server after logout. Stateless JWT tokens should rather be short-lived so that the window of opportunity for an attacker is minimized. For longer lived JWTs it's highly recommended to follow the OAuth standards to revoke access.
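As an added illustration of the session antipatterns listed above (reusing an identifier after login, not invalidating on logout or inactivity) together with deny-by-default record ownership, here is a small stateful session store and authorization check in Python. This is example code written for this checklist, not code from OWASP or any of the cited providers; the 15-minute idle timeout, the action names and the `public`/`owner` record fields are assumed.

```python
import secrets
import time

IDLE_TIMEOUT = 15 * 60  # assumed: seconds of inactivity after which a session is dead


class SessionStore:
    """Server-side (stateful) session store: ids are random, rotated on login,
    dropped on logout and expired after a period of inactivity."""

    def __init__(self, clock=time.time):
        self._sessions = {}   # session_id -> {"user": str, "last_seen": float}
        self._clock = clock   # injectable so tests can move time forward

    def login(self, user, old_session_id=None):
        # Never keep the pre-authentication id: drop it and mint a fresh one,
        # so an id observed or planted before login is useless afterwards.
        self._sessions.pop(old_session_id, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def logout(self, session_id):
        # Invalidate on the server; clearing the client cookie alone is not enough.
        self._sessions.pop(session_id, None)

    def user_for(self, session_id):
        """Return the authenticated user for a session id, or None."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[session_id]   # idle too long: invalidate it
            return None
        entry["last_seen"] = now
        return entry["user"]


def can_access(store, session_id, record, action):
    """Deny by default: only public records are readable anonymously, and
    every other action is allowed solely for the record's owner."""
    if action == "read" and record.get("public", False):
        return True
    user = store.user_for(session_id)
    if user is None or action not in ("read", "update", "delete"):
        return False
    return record.get("owner") == user
```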
OWASP - Prevent Cryptographic Failures
- Classify data processed, stored, or transmitted by an application. Identify which data is sensitive according to privacy laws, regulatory requirements, or business needs.
- Don't store sensitive data unnecessarily. Discard it as soon as possible or use PCI DSS compliant tokenization or even truncation. Data that is not retained cannot be stolen.
- Make sure to encrypt all sensitive data at rest.
- Ensure up-to-date and strong standard algorithms, protocols, and keys are in place; use proper key management.
- Encrypt all data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server, and secure parameters. Enforce encryption using directives like HTTP Strict Transport Security (HSTS).
- Disable caching for responses that contain sensitive data.
- Apply required security controls as per the data classification.
- Do not use legacy protocols such as FTP and SMTP for transporting sensitive data.
- Store passwords using strong adaptive and salted hashing functions with a work factor (delay factor), such as Argon2, scrypt, bcrypt or PBKDF2.
- Initialization vectors must be chosen appropriately for the mode of operation. For many modes, this means using a CSPRNG (cryptographically secure pseudo-random number generator). For modes that require a nonce, the initialization vector (IV) does not need to come from a CSPRNG. In all cases, the IV must never be used twice with the same key.
- Always use authenticated encryption instead of just encryption.
- Keys should be generated cryptographically randomly and stored in memory as byte arrays. If a password is used, then it must be converted to a key via an appropriate password-based key derivation function.
- Ensure that cryptographic randomness is used where appropriate, and that it has not been seeded in a predictable way or with low entropy. Most modern APIs do not require the developer to seed the CSPRNG to get security.
- Avoid deprecated cryptographic functions and padding schemes, such as MD5, SHA1 and PKCS#1 v1.5.
- Verify independently the effectiveness of configuration and settings.
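An added example (not code from OWASP or the page's sources) for the password-storage item above: a salted, adaptive hash with a work factor, a constant-time verify, and a check that flags records stored under a deprecated scheme or a lower work factor for re-hashing at next login. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count and the `algorithm$iterations$salt$hash` record format are assumed choices.

```python
import hashlib
import hmac
import secrets

# Work factor (assumed value): raise it over time; every record carries its own
# iteration count so older records can be detected and upgraded.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$hash_hex."""
    salt = secrets.token_bytes(SALT_BYTES)   # CSPRNG; a fresh salt per password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison; any malformed or legacy record simply fails."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False   # unknown or deprecated scheme: refuse, do not fall back
        dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    except ValueError:     # wrong field count, bad hex or non-numeric iterations
        return False


def needs_rehash(stored: str) -> bool:
    """True when the record is below the current work factor or not in the
    current scheme, so it should be re-hashed after a successful login."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return True
    try:
        return int(parts[1]) < PBKDF2_ITERATIONS
    except ValueError:
        return True
```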
OWASP - Prevent Insecure Configuration
- Establish and use a secure development lifecycle with AppSec professionals to help evaluate and design security and privacy-related controls.
- Establish and use a library of secure design patterns or paved-road, ready-to-use components.
- Use threat modeling for critical authentication, access control, business logic, and key flows.
- Integrate security language and controls into user stories.
- Integrate plausibility checks at each tier of your application (from frontend to backend).
- Write unit and integration tests to validate that all critical flows are resistant to the threat model. Compile use-cases and misuse-cases for each tier of your application.
- Segregate tier layers on the system and network layers depending on the exposure and protection needs.
- Segregate tenants robustly by design throughout all tiers.
- Limit resource consumption by user or service.
OWASP - Security Logging and Monitoring
- Ensure all login, access control, and server-side input validation failures can be logged with sufficient user context to identify suspicious or malicious accounts and held for enough time to allow delayed forensic analysis.
- Ensure that logs are generated in a format that log management solutions can easily consume.
- Ensure log data is encoded correctly to prevent injections or attacks on the logging or monitoring systems.
- Ensure high-value transactions have an audit trail with integrity controls to prevent tampering or deletion, such as append-only database tables or similar.
- DevSecOps teams should establish effective monitoring and alerting such that suspicious activities are detected and responded to quickly.
- Establish or adopt an incident response and recovery plan, such as National Institute of Standards and Technology (NIST) 800-61r2 or later.
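As an added example for the logging items above (not code from OWASP or the page's sources): a JSON login-failure event whose user-controlled fields are encoded so they cannot forge extra log lines or carry control characters into a viewer, plus a sliding-window counter that flags repeated failures for an alert or account lockout. The window, threshold, event name and field names are assumed.

```python
import json
from collections import defaultdict, deque

FAILURE_WINDOW = 300    # assumed: seconds over which failures are counted
FAILURE_THRESHOLD = 5   # assumed: failures within the window that trigger an alert


def encode_field(value, max_len=200):
    """Neutralise log injection: replace CR/LF and other non-printable characters
    so a user-supplied value cannot start a fake log line (json.dumps escapes
    newlines, but non-JSON sinks and terminal viewers may not), and bound length."""
    cleaned = "".join(ch if ch.isprintable() else "?" for ch in str(value))
    return cleaned[:max_len]


def login_failure_event(username, source_ip, reason, ts):
    """One JSON object per line, with enough context to identify the account."""
    event = {
        "ts": ts,
        "event": "auth.login.failure",
        "user": encode_field(username),
        "src_ip": encode_field(source_ip),
        "reason": encode_field(reason),
    }
    return json.dumps(event, sort_keys=True)


class FailureMonitor:
    """Per-account sliding window of failure timestamps; record() returns True
    once the threshold is reached so the caller can alert admins or lock out."""

    def __init__(self, window=FAILURE_WINDOW, threshold=FAILURE_THRESHOLD):
        self.window = window
        self.threshold = threshold
        self._events = defaultdict(deque)

    def record(self, username, ts):
        q = self._events[username]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        return len(q) >= self.threshold
```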
OWASP sections © Copyright 2021 - OWASP Top 10 team http://creativecommons.org/licenses/by/3.0/deed.en_US