Title: AWS re:Inforce 2024 - How PicPay achieved temporary elevated access control on AWS (IAM323)
Insights:
- Introduction and Context: The speaker, Edgar, a cloud security manager at PicPay, discusses the challenges and solutions related to managing temporary elevated access control in AWS production environments.
- Company Background: PicPay, a Brazilian financial institution founded in 2012, has grown significantly, now serving 36 million active users and employing over 3,600 people. The company offers various financial services, including bill payments, credit cards, loans, and insurance.
- Growth and Challenges: With rapid growth, PicPay faced challenges such as protecting the environment from unexpected changes, reducing Mean Time to Recovery (MTTR) for incidents, and identifying changes that could break applications.
- Security Issues: Untracked changes in the production environment could lead to downtime and expose the environment to risks, such as disabling critical security features.
- Solution Implementation: PicPay, with the help of the AWS Professional Services team, implemented AWS TEAM (Temporary Elevated Access Management), an open-source project for managing elevated access. This solution provides just-in-time access, validates that a legitimate need exists, and grants time-bound access.
- Access Control Mechanism: The implementation uses AWS IAM Identity Center (formerly AWS SSO), federated with Active Directory, for access management. Long-term permissions are managed through Identity Center permission sets.
- Rules and Permissions: Specific rules were defined for who can request and approve access, the maximum session time (set to four hours), valid actions for elevated permissions, and tracking changes via CloudTrail.
- Approval Workflow: BU tech teams request access, and BU managers approve or deny the request. Approved requests grant temporary credentials for the target accounts.
- Benefits and Results: The implementation makes changes easy to track, ensures BU heads are aware of changes in their environments, reduces MTTR, and protects foundational platform services from unauthorized changes.
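The request-and-approval rules summarized above, modelled as an added example that is not PicPay's or AWS TEAM's code: requesters must belong to the BU's tech team, approvers must be a manager of the same BU, grants are clamped to the four-hour maximum, and every step is written to an audit trail. The directory, user names and BUs are constructed placeholders, and time is plain epoch seconds.

```python
from dataclasses import dataclass, field
from typing import Optional

MAX_SESSION_SECONDS = 4 * 3600  # the four-hour cap described in the talk

# Constructed directory standing in for the Active Directory groups behind
# Identity Center; the names, BUs and roles are hypothetical.
DIRECTORY = {
    "alice": {"bu": "payments", "role": "tech"},
    "bob": {"bu": "payments", "role": "manager"},
    "carol": {"bu": "lending", "role": "manager"},
}

@dataclass
class Request:
    requester: str
    bu: str
    account: str
    justification: str
    requested_seconds: int
    approver: Optional[str] = None
    granted_until: Optional[int] = None   # epoch seconds, None until approved
    audit: list = field(default_factory=list)

def submit(requester, bu, account, justification, hours):
    """Only members of a BU's tech team may request elevated access in that BU."""
    who = DIRECTORY.get(requester)
    if who is None or who["bu"] != bu or who["role"] != "tech":
        raise PermissionError(f"{requester} may not request elevated access in BU {bu}")
    if not justification.strip():
        raise ValueError("a justification is required")
    req = Request(requester, bu, account, justification, int(hours * 3600))
    req.audit.append(("requested", requester, account))
    return req

def approve(req, approver, now):
    """Only a manager of the same BU may approve; grants never exceed four hours."""
    who = DIRECTORY.get(approver)
    if who is None or who["bu"] != req.bu or who["role"] != "manager":
        raise PermissionError(f"{approver} may not approve requests for BU {req.bu}")
    # Clamp rather than honour a longer ask: more time means a new request.
    duration = min(req.requested_seconds, MAX_SESSION_SECONDS)
    req.approver, req.granted_until = approver, now + duration
    req.audit.append(("approved", approver, duration))
    return req

def is_active(req, now):
    """Time-bound check a broker runs before vending temporary credentials."""
    return req.granted_until is not None and now < req.granted_until
```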
Quotes:
- "How many of you have problems with the AWS Cloud Account users with production with admin accessing production environments?"
- "Our role, our cloud security team, it provides guardrails for the developers, so they can focus solely on their development and not worry about exposing PicPay's environment to risk."
- "With AWS TEAM, we can have just-in-time access, we can only validate the legitimate need for it and grant time-bound access."
- "The maximum session time is four hours, because we believe it's enough to solve any incident. But if the user needs more access, they need to request access again."
- "Now we can track the changes easily using AWS CloudTrail. We can ensure that the BU heads know about the change in their environments."
- "We can protect our foundational platform service because it's a big problem when someone changes a route table, for example."