Achieving Least Privilege Permissions in AWS

One of the basic principles of cloud security is the Principle of Least Privilege. The idea is simple: give every user or process only the minimal set of permissions required to get the job done. In practice, however, the majority of organizations fail to execute it.

AWS IAM complexities

AWS Identity and Access Management (IAM) is a powerful service that enables you to manage access to AWS services and resources securely. IAM gives you fine-grained control over which actions can be performed on a given resource in AWS. However, it introduces a new level of complexity, with over 3,600 permissions and more than 130 services in total. Such fine granularity is a problem for engineering teams, as they need to know exactly which AWS permissions their applications need to work correctly. Otherwise, excessive permissions give attackers a potential path to a security breach.

AWS CloudTrail to the rescue

AWS CloudTrail is a service that enables operational auditing of your AWS account. With CloudTrail, you can continuously monitor account activity related to actions across AWS infrastructure.

Rather than focusing on the precise permissions required for each application, you can follow an approach of continuous access profiling followed by permissions right-sizing. This way you can deploy your applications with a basic set of permissions and then use profiling and audit data to remove the permissions that are not used. By continually iterating on this approach and removing unused permissions, you can eventually comply with the least privilege principle.
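One pass of the right-sizing loop described above, as an added example (not IAMkeeper's code): it compares the actions a role's policy grants with the actions CloudTrail recorded for that role and emits a trimmed policy. The role ARN, policy and CloudTrail records are constructed samples, and the mapping from `eventSource`/`eventName` to an IAM action is a simplifying assumption.

```python
import re

ROLE = "arn:aws:iam::111122223333:role/app-role"  # all sample data is constructed
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["kms:*", "secretsmanager:GetSecretValue", "sqs:DeleteQueue"]},
    {"Effect": "Allow", "Resource": "*", "Action": "dynamodb:DescribeTable"}]}

def event(source, name, arn=ROLE, error=None):
    """Constructed CloudTrail record, reduced to the fields read below."""
    return {"eventSource": source, "eventName": name, "errorCode": error,
            "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": arn}}}}

EVENTS = [
    event("kms.amazonaws.com", "Decrypt"),
    event("kms.amazonaws.com", "GenerateDataKey"),
    event("kms.amazonaws.com", "Encrypt", error="AccessDenied"),  # denied call
    event("secretsmanager.amazonaws.com", "GetSecretValue"),
    event("dynamodb.amazonaws.com", "DescribeTable", arn=ROLE + "-batch")]  # other role
DENIED = {"AccessDenied", "AccessDeniedException", "Client.UnauthorizedOperation"}

def used_actions(events, role_arn):
    """Actions the role called without being denied, as 'prefix:Action'."""
    used = set()
    for e in events:
        issuer = e.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        if issuer.get("arn") == role_arn and e.get("errorCode") not in DENIED:
            # Assumption: IAM prefix = first label of eventSource, action = eventName.
            used.add(e["eventSource"].split(".")[0] + ":" + e["eventName"])
    return used

def matches(pattern, action):
    """IAM-style action match: case-insensitive, '*' and '?' wildcards."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def right_size(policy, used):
    """Return (trimmed policy, granted action patterns never seen in use)."""
    kept, unused = [], []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "Action" not in st:
            kept.append(st)  # Deny / NotAction statements pass through unchanged
            continue
        granted = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        hits = {p: {a for a in used if matches(p, a)} for p in granted}
        unused += [p for p in granted if not hits[p]]
        if any(hits.values()):  # a wildcard is replaced by the actions seen under it
            kept.append({**st, "Action": sorted(set().union(*hits.values()))})
    return {**policy, "Statement": kept}, unused
```

Some services log under an `eventSource` or `eventName` that differs from the IAM action name, so a real run needs a mapping table for those exceptions and a long enough observation window to cover infrequent jobs.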

AWS Policy permissions right-sizing.

Introducing IAMkeeper

We released IAMkeeper as a free SaaS tool to help you profile and audit your AWS policy permissions and achieve the Principle of Least Privilege.

It gives a new level of visibility into service usage and is fully focused on policy permissions right-sizing. We believe it’s a good starting point to analyze your AWS account activity and revise your policy permissions.

Feel free to try it; we welcome your feedback:

Role’s permissions audit summary
Role’s permissions findings and advice
Role’s service usages

Future work

We are now actively working on automated workflows and pipelines for setting up flexible rules and policies that are applied over time to cut unused permissions. We expect this functionality to help development teams build and operate secure systems as easily as possible, without worrying about the details of IAM permissions. Stay in touch!