It doesn’t matter how high your castle walls are - you're not protected if anyone can find the key to the main gate. That’s why castles traditionally have portcullises, a gate that someone can only open inside the castle. In a sense, they use a form of Discretionary Access Control.
When nearly 50% of data breaches involve stolen credentials, it's time to review and install the "portcullises" needed in your infrastructure to protect your organization's “castle.” In the business world, these are access controls managed by IAM policies.
From managing human and machine identities to analyzing resource access - creating and managing IAM policies is no walk in the park. We are here to walk you through seven IAM policy mysteries and how to improve your cloud IAM policy plan.
Cloud IAM Policy - The Rising Challenges
IAM policies are a vital piece of your Cloud Identity Management puzzle. When the end goal is securing your cloud infrastructure, it starts with adequately managing access credentials (human and machine identities) - and setting some rigid rules.
In an attempt to save time updating policies frequently, it’s common to see organizations granting too much access to resources without keeping track of who or what actually needs access to which resource. This lack of control over given privileges can be a significant block in implementing IAM efficiently. But there are other growing challenges in maintaining coherent, secure, and reliable IAM policies:
Complex Policies - The growing number of cloud resources can increase complexity.
Security - Tracking access privileges isn’t enough. You must also track access requirements to prevent privilege escalation and data leaks.
Compliance Requirements - Many compliance standards, such as GDPR and CCPA, require robust IAM policies and logging.
Integration - On-premise and cloud resources may operate under different rules.
User Experience - Ensuring security without compromising productivity is challenging.
Cost Management - Implementing and maintaining robust IaM policies can be costly, especially for small and medium-sized businesses.
Lack of Expertise - IAM tools help reduce the skill level required to implement and manage policies, but expert teams are required to maintain security.
Technologies - Cybersecurity is at the forefront of technology innovation. Simply keeping up with the hot new stuff can be a full-time job.
IAM Policy Types
There is no one-policy-fits-all, as much as that would simplify IAM. Every cloud platform has a slightly different set of policies you can use to define access privileges. As an example, here are the AWS policy types and what they mean:
These policies map access privileges onto users, groups, and roles. They can be defined inline (strict one-to-one relationships) or managed (can be attached to multiple identities).
Rather than being attached to an identity, these policies are connected to a resource such as an Amazon S3 bucket. They grant access to specified resource principles, such as individual identities or entire AWS accounts.
A high-level policy that can limit the maximum permissions that a user or group can grant to new users or groups. It only applies to identity-based policies and does not grant any access privileges.
An AWS Organizations service control policy (SCP) defines the maximum number of permissions granted to an organization or a large group within the company. They work for identity and resource-based policies and are best for limiting access on a larger scale.
Session policies limit the permissions granted to users or roles within a specific AWS session. They are often coupled with AWS temporary security credentials, such as those obtained through AWS Single Sign-On (SSO).
Most organizations will only require identity and resource-based policies to assign permissions adequately.
7 IAM Policy Mysteries Unraveled - The Essential Cloud IaM Policy Guide
1. Principle of Least Privilege
The principle of least privilege is at the core of any good IAM policy. Assigning the minimum required permission to allow users or machines to perform their tasks or functions is the ideal way to limit the potential for privilege escalation. Compartmentalizing IAM access privileges means that if a malicious actor acquires access credentials, their reach will be limited to the scope of the user, slowing them down.
However, manually granting permissions when required and revoking them when they are no longer in use is a cumbersome operation. This issue is further exacerbated when machine-to-machine access privileges are involved. Slauth.io observes real-time activity by tracking API calls from end-to-end tests to AWS and then creates your IAM policies based on actual usage, only granting permissions where needed.
2. Understanding Roles
So, each team member is given just enough permissions to get by and perform their tasks. But what happens when employees or third parties need to access your resources temporarily? Roles happen.
IAM roles are essentially an IAM identity with specific permissions. They are similar to users but can be assigned to whoever - a current AWS user, a third-party user in a different AWS account, or an AWS web service. So, unlike an IAM user, they are not linked to a particular individual and can be assigned to people whenever they need. Role sessions have temporary security credentials, which is excellent. But how do you map out which person needs what and at when? You need the help of security automation tools.
Slauth.io can create secure IAM policies from scratch based on the actual activity of your identities. By analyzing current permissions, Slauth.io creates custom IAM roles that meet your organization’s requirements and adhere to the least privilege principle. Automating IAM role creation - check!
3. Complexity of Policy Syntax and Structure
The JSON-based syntax requires you to be highly detailed and careful because any small typo or error can cost you a security breach. Plus, you need a solid understanding of AWS IAM and its unique designations and features. No magic wand removes the complexity of an IAM policy syntax and structure (sorry!).
However, understanding the core components of an IAM policy is one significant step in the right direction. Slauth collaborated with Cybr to produce an IAM policy cheatsheet, which explains the anatomy of IAM policies in AWS in detail and provides an example of a cross-account access policy. Check it out to see exactly what each policy component means.
4. Conflicting and Overlapping Policies
Sometimes, overlapping and conflicting policies can produce unexpected results. And when we say unexpected, we mean for us humans. Machines will always interpret these policies consistently, but the interpretation may be unintuitive.
The easiest way to avoid this issue is to avoid having conflicting and overlapping policies (surprise!). However, that is not always an option. The second best option is to understand the logical resolution of these policies. The above chart is from AWS policy evaluation logic. It shows a clear preference for denying access over allowing, which makes sense as you would rather err on the side of caution regardless.
5. Auditing and Monitoring Policies
Even if you have produced a perfect set of policies (which is practically impossible, let’s be honest), you must audit, log, and monitor policies and activities to ensure compliance, prevent privilege escalation, and shut down suspicious activity. Effective auditing isn’t feasible without specialized tools, as a human reader cannot scan access logs to determine if an account has been compromised.
Slauth.io gives you 360º visibility over your identities’ activity by tracking logs throughout your SSDLC. This improved view lets you quickly detect suspicious behavior and remediate issues before they become serious security breaches. Plus, storing activity will make it easier to prove compliance with key regulations such as SOC and GDPR whenever needed.
6. Managing the Full Lifecycle of Identities
Rotating passwords is a common practice when a high level of security is required, but identities and policies are often overlooked. Managing the lifecycle of identities is critical to ensuring cloud security is maintained over time, as malicious actors can easily exploit unused access privileges (especially if these are not being monitored). This process goes from creating and provisioning identities to deprovisioning or eliminating them when they are no longer used.
Start with a thorough onboarding process (it’s always best to get it right from the start), and continuously monitor and update identities as business needs change or people leave the company. And if there is any security gap or suspicious behavior - you can easily spot it with Slauth.io.
7. Policy Communication
Policies can and will be enforced by systems, but ensuring policies are coherently communicated to stakeholders may be more complex than it first appears. An organization-wide plan is necessary to ensure everyone knows which access privileges they need. It is also pertinent that stakeholders understand the need for the least privilege principle and relinquish access to resources they are not using.
IAM keeps you on your toes
IAM is an ever-shifting maze, and you must keep on your toes to close the security gaps bound to form in your policy structure. Create a well-documented outline of your IAM policies and update them as often as needed; use automated tools to close gaps or keep them as small as possible; and don’t forget to monitor and log IAM activity and policies to ensure the longevity of your security plan. Slauth.io can help you bypass many of the complexities of IAM policy creation and maintenance.
Try a 30-day free trial today.