
Shai Morag
7 Steps to Avoid the Top Cloud Access Risks

Securing identities and data in the cloud is challenging, but a least-privilege access approach helps.

According to the latest Cloud Security Alliance (CSA) report on the 11 biggest threats to cloud computing, misconfiguration and inadequate change control ranked second only to — you guessed it — data breaches.

The Capital One incident, in which data on 106 million credit card customers and applicants was exposed, is a good example. The attackers exploited a vulnerability in an open source web application firewall (WAF) that was being used as part of the bank's cloud-based operations in Amazon Web Services (AWS).

Through this vulnerability, the attacker could nab credentials to gain access into all the resources to which the WAF had access. Unfortunately, the WAF was assigned excessive permissions — namely, it (and the attacker) could list all the files in any bucket of data and read the contents of those files. This allowed the attacker to access a sensitive S3 bucket.

The most effective way to mitigate this type of identity abuse is by enforcing the principle of least privilege. [Editor's note: The author's company is one among many that use a least-privilege access approach to cloud security services.] Ideally, every user or application should be limited to only the exact permissions required.

The first step for implementing least privilege is understanding which permissions a user (whether human or machine) or application has been granted. The next step is to map all the permissions actually being used. Comparing the two reveals the permission gap, which exposes those that should be maintained and those that should be revoked. This process must be routinely performed on a continuous basis to maintain least privilege over time.

To illustrate how this process works in the cloud, let's use AWS because it is the most popular platform and offers one of the most granular identity and access management (IAM) systems available. AWS IAM is a powerful tool that allows administrators to securely configure more than 2,500 permissions (and counting) to achieve fine-grained control over which actions can be performed on a given resource.

Step 1: Examine Attached Policies
The first step is to examine policies attached directly to the user. There are two types of policies:

  • Managed policies, which come in two varieties: (a) AWS managed policies that are created and managed by the cloud service provider (CSP), and (b) customer-managed policies that an organization can create and manage in its AWS account. Customer-managed policies typically provide more precise control than AWS-managed policies.

  • Inline policies, which are created by the AWS customer and are embedded in an IAM identity (a user, group, or role). They can be embedded in an identity when the identity is initially created or added later.

Step 2: Analyze IAM Groups
The next step is to review each of the IAM groups to which a user belongs. Groups also have attached policies that indirectly grant the user access to additional resources. Just as with the user itself, a group may have both managed and inline policies attached.

Step 3: Map IAM Roles
Now, all IAM roles the user may assume need to be mapped. A role is another type of identity that can be created in an organization's AWS account with associated policies that grant specific permissions. It is similar to an IAM user, but instead of being uniquely associated with a person, a role can be assumed by anyone who requires its permissions. Roles are often used to grant access permissions to applications.

Step 4: Survey Resource-Based Policies
Next, the focus of this exercise shifts from user policies to policies attached to resources such as an Amazon S3 bucket. These policies may grant a user permission to perform actions on the bucket directly, independent of all other policies (direct and indirect) that exist. It's extremely important to conduct a comprehensive review of all AWS resources and their policies, especially those that hold sensitive data.

Step 5: Analyze Access Control Lists
Once the policy review is complete, analysis should move to the access control lists (ACLs) linked to each resource. These are similar to resource-based policies and allow control over which identities in other accounts may access the resource. Since ACLs cannot be used to control access for identities within the same account, it is possible to skip all resources held in the same account as the user.

Step 6: Review Permission Boundaries
In this step, we need to review the permissions boundary for each user. This is an advanced feature that defines the maximum permissions a user, group, or role may have. In other words, a user's effective permissions are the intersection of the actions allowed by the attached identity-based policies and the actions allowed by the permissions boundary. It is important to note that permissions boundaries do not affect every policy the same way. For example, resource-based policies are not limited by the permissions boundary, and an explicit deny in any of these policies overrides an allow.

Step 7: Check Service Control Policies
Finally, it's necessary to review service control policies (SCPs). These are conceptually similar to permission boundaries defined on all the identities (that is, users, groups, and roles) within an AWS account. An SCP is defined at the AWS organization level, and may be applied to specific accounts.
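To make the permission-gap calculation from the introduction concrete for the identity side of this procedure (the policies gathered in Steps 1 through 3, narrowed by the permissions boundary of Step 6), here is an added example in Python that is not part of the original article. It evaluates IAM-style policy documents on the Action element only (Resource, Condition, resource-based policies, ACLs and SCPs are deliberately out of scope), applies the boundary as an intersection with explicit denies overriding, and subtracts the actions actually observed in use; all policy documents, the usage set and the action catalogue are constructed sample data.

```python
import fnmatch

# Constructed sample data (not from the article): identity-based policies gathered
# for one user (direct, via groups, via assumable roles), its boundary, and usage.
USER_POLICIES = [
    {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    ]},
]
PERMISSIONS_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:PutObject", "Resource": "*"},
]}
# Actions seen in CloudTrail-style usage records during the review window (constructed).
USED_ACTIONS = {"s3:GetObject", "ec2:DescribeInstances"}
# The catalogue of actions evaluated; a real review expands this to the full AWS action list.
CANDIDATE_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "ec2:DescribeInstances", "ec2:DescribeVolumes", "ec2:RunInstances", "iam:ListUsers",
]

def action_patterns(policy, effect):
    """Collect the Action patterns of every statement that has the given Effect."""
    patterns = []
    for statement in policy.get("Statement", []):
        if statement.get("Effect") != effect:
            continue
        actions = statement.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def matches(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def effective_actions(policies, boundary, candidates):
    """Actions allowed by some identity policy AND by the boundary, minus explicit denies."""
    allows = [p for pol in policies for p in action_patterns(pol, "Allow")]
    denies = [p for pol in policies for p in action_patterns(pol, "Deny")]
    boundary_allows = action_patterns(boundary, "Allow") if boundary else ["*"]
    boundary_denies = action_patterns(boundary, "Deny") if boundary else []
    return {a for a in candidates
            if matches(a, allows) and matches(a, boundary_allows)
            and not matches(a, denies) and not matches(a, boundary_denies)}

def permission_gap(effective, used):
    """Granted-but-unused actions: the candidates for revocation in the next review."""
    return set(effective) - set(used)
```

With the sample data, `s3:PutObject` drops out because the boundary's explicit deny wins, `ec2:DescribeVolumes` drops out because the boundary never allows it, and the remaining gap is `s3:ListBucket`.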

Enforcing Least-Privilege Access
As we've seen, securing identities and data in the cloud is challenging, and it becomes more complex as organizations expand their cloud footprint. In many cases, users and applications accumulate permissions that far exceed their technical and business requirements, which results in a permissions gap.

Often, the effort required to determine the precise permissions necessary for each user or application in a complex environment like AWS is prohibitively expensive and doesn't scale. Even simple tasks like understanding the permissions granted to a single human user can be extremely difficult.

In an attempt to automate some of these processes, a few years ago AWS released a tool called Policy Simulator that enables administrators to select any AWS entity (that is, an IAM user, group, or role) and service type (such as a Relational Database Service or an S3 bucket) and automatically assess the user permissions for a specific service.

Although Policy Simulator is a great tool, it's far from mature. For example, Policy Simulator does not review all the roles a user may assume and their policies (Step 3). It also does not consider ACLs (Step 5) or permission boundaries (Step 6). In most instances, organizations are forced to perform manual policy management or write proprietary scripts.

As we've seen, managing identities and access in cloud environments to enforce least privilege policies is complicated, labor intensive, and expensive. Since this discipline is still in its infancy, it lacks reliable native tools from cloud platform providers. As is usually the case, third-party solutions are emerging to fill the void.


Shai Morag is CEO of cloud identity and access security provider Ermetic. Previously, he was co-founder and CEO of Secdo, an incident response platform vendor acquired by Palo Alto Networks, and CEO of Integrity-Project, a software outsourcing company acquired ...
