Managing cloud permission security at scale [Cheat Sheet]
So you’re using the cloud and things are going great, but after a few months, you start to run across these common issues:
Issue 1 – Cloud Zombies
One issue is you’ve got resources (like IAM Users and Roles) that were created in your cloud accounts, but no one seems to know what they are, why they’re there, or what they do.
You really want to delete these zombies because they increase your attack surface, but you’re worried that if you do that, it will affect something else that you hadn’t thought of.
After all, someone deployed them…but no one seems to remember why.
So, you leave the zombies alone for now and you tell yourself ‘I’ll handle this later.’ Six months later, the same scenario and the same conversation take place, except this time the zombies have multiplied.
Issue 2 – Excessive Privileges
Another issue is that most resources and identities in your cloud environments have more privileges than they need.
You’d initially given them more privileges than needed so they could get the job done, and you told yourself you would go back through and refine them over time.
But life and other priorities got in the way, and that never happened…
You’re now left with excessive privileges all over the place, which can lead to privilege escalation attacks.
Solutions:
If this post describes your current situation, you are not alone. Most people reading this are probably in the exact same situation, and I’d be lying if I said that I didn’t have improvements to make in my own accounts. These are issues most organizations wrestle with. So what can you do?
Here are some solutions you can implement as a start (more in the cheat sheet):
- Disable/limit ‘ClickOps’ and instead deploy/manage with Infrastructure as Code
- Enable drift prevention & detection
- Regularly scan accounts with automated tooling & prioritize what to address first
- Quarantine found zombies
- Lock down unused services & regions
- Limit / remove excessive privileges
- Implement permissions on demand
Example scenario of permissions on demand:
- A quarantined zombie attempts to modify a security group rule
- They automatically get blocked, but a notification gets sent to Slack
- You (a team lead/manager) can either approve or reject the permission change
- If you approve, it will de-quarantine the zombie and grant needed permissions
- If you deny, it will keep the zombie quarantined and deny the change, and you can investigate
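The solution list and the permissions-on-demand scenario above, as an added Python example that is not from the cheat sheet or from Sonrai's product: it flags zombie roles from constructed last-used data (the shape IAM's RoleLastUsed field reports), emits an explicit-Deny quarantine policy keyed on the aws:PrincipalArn condition key, and simulates the block, notify, approve/deny flow. The 90-day threshold, the account number, the role names and the Slack message strings are all assumptions made for the demo.

```python
"""Added example: zombie detection, quarantine policy, permissions-on-demand flow.
Not the cheat sheet's or Sonrai's code; every value below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import itertools
import json

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed "current time" for the demo
ZOMBIE_AFTER = timedelta(days=90)                   # assumed inactivity threshold

# Constructed inventory; "LastUsed" mirrors IAM's RoleLastUsed.LastUsedDate. None = never used.
ROLES = [
    {"Arn": "arn:aws:iam::111111111111:role/app-deploy",    "LastUsed": "2024-05-30T10:00:00Z"},
    {"Arn": "arn:aws:iam::111111111111:role/old-migration", "LastUsed": "2023-11-02T08:15:00Z"},
    {"Arn": "arn:aws:iam::111111111111:role/poc-2022",      "LastUsed": None},
]


def find_zombies(roles, now=NOW, threshold=ZOMBIE_AFTER):
    """Return ARNs of roles that were never used or unused for longer than `threshold`."""
    zombies = []
    for role in roles:
        last = role["LastUsed"]
        if last is None:
            zombies.append(role["Arn"])
            continue
        last_dt = datetime.fromisoformat(last.replace("Z", "+00:00"))
        if now - last_dt > threshold:
            zombies.append(role["Arn"])
    return zombies


def quarantine_policy(zombie_arns):
    """Explicit Deny scoped to the zombies by principal ARN. The zombie is kept, not
    deleted, so it can be revived through the approval flow if something needed it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "QuarantineZombies",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"ArnEquals": {"aws:PrincipalArn": sorted(zombie_arns)}},
        }],
    }


@dataclass
class PermissionsOnDemand:
    """Toy model of the permissions-on-demand flow described in the post."""
    quarantined: set
    grants: dict = field(default_factory=dict)      # principal -> set of approved actions
    pending: dict = field(default_factory=dict)     # request id -> (principal, action)
    notifications: list = field(default_factory=list)
    _ids: itertools.count = field(default_factory=itertools.count, repr=False)

    def attempt(self, principal, action):
        """Quarantined principals are blocked and a review request is raised; others
        are allowed only for actions that were explicitly granted."""
        if principal in self.quarantined:
            req_id = f"req-{next(self._ids)}"
            self.pending[req_id] = (principal, action)
            self.notifications.append(f"[slack] {principal} blocked on {action}; review {req_id}")
            return ("blocked", req_id)
        if action in self.grants.get(principal, set()):
            return ("allowed", None)
        return ("denied", None)

    def decide(self, req_id, approve):
        """Approve de-quarantines and grants only the requested action; deny keeps the
        quarantine and leaves a notification so the attempt can be investigated."""
        principal, action = self.pending.pop(req_id)
        if approve:
            self.quarantined.discard(principal)
            self.grants.setdefault(principal, set()).add(action)
            return "de-quarantined"
        self.notifications.append(f"[slack] {req_id} denied; {principal} stays quarantined")
        return "still-quarantined"


def run_scenario():
    """Walk the post's scenario end to end and return the observed outcomes."""
    zombies = find_zombies(ROLES)
    pod = PermissionsOnDemand(quarantined=set(zombies))
    zombie = "arn:aws:iam::111111111111:role/old-migration"
    first = pod.attempt(zombie, "ec2:AuthorizeSecurityGroupIngress")   # blocked + Slack
    after_deny = pod.decide(first[1], approve=False)                    # stays quarantined
    second = pod.attempt(zombie, "ec2:AuthorizeSecurityGroupIngress")
    after_approve = pod.decide(second[1], approve=True)                 # de-quarantined
    return {
        "zombies": zombies,
        "first": first,
        "after_deny": after_deny,
        "after_approve": after_approve,
        "sg_change": pod.attempt(zombie, "ec2:AuthorizeSecurityGroupIngress"),  # now allowed
        "other_action": pod.attempt(zombie, "iam:CreateUser"),                  # not granted
        "still_quarantined": "arn:aws:iam::111111111111:role/poc-2022" in pod.quarantined,
    }


if __name__ == "__main__":
    print(json.dumps(quarantine_policy(find_zombies(ROLES)), indent=2))
    print(run_scenario())
```

The point of the design is that an approval grants exactly the action that was requested rather than restoring the zombie's original broad permissions, so the de-quarantined identity ends up with a least-privilege grant and a paper trail of who asked for what.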
The Cloud Permissions Firewall from Sonrai Security helps solve both of these issues with a click of a button, and I collaborated with them to create this cheat sheet. In exchange, they’re providing readers with a link to try it for free.
Check it out and let me know what you think, and comment if you have other tips/tricks on how to address these!