AWS re:Inforce 2024
Using Aws Scps to Achieve Least Privilege While Supporting Devs Iam325 S

Title: AWS re:Inforce 2024 - Using AWS SCPs to achieve least privilege while supporting devs (IAM325-S)

Insights:

  • Introduction to SCPs for Least Privilege: The session focuses on using AWS Service Control Policies (SCPs) to achieve least privilege in AWS accounts, addressing the challenges of managing individual policies for numerous identities.
  • Challenges with Traditional IAM Policies: Traditional methods of editing individual policies for identities are time-consuming and often ineffective due to the continuous creation of new identities.
  • Analysis of AWS Customer Accounts: Analysis of AWS accounts with 20 to 800 accounts revealed that nearly half of the identities have sensitive permissions, but only 8% of those have used them in the last 90 days, indicating a significant amount of dormant identity risk.
  • Zombie Identities: Identities that haven't been used in a long time, termed "zombies," are prevalent, with some accounts having identities unused for up to five years. This issue is more pronounced with machine identities compared to human identities.
  • Machine Identities Neglect: Organizations often have processes for managing human identities but neglect machine identities, leading to a buildup of unused identities.
  • Reluctance to Delete Unused Identities: Despite tools available to delete unused identities, organizations hesitate due to concerns about needing them in the future or not knowing how to restore them.
  • Scaling with SCPs: Instead of managing individual policies, using SCPs to deny sensitive permissions globally can be more effective. This approach focuses on around 1,000 critical permissions rather than all 14,000.
  • Implementing SCPs: SCPs can be applied at different levels of the organizational unit (OU) tree to manage permissions effectively. Using attribute-based access and other AWS controls can help scale this approach.
  • Handling New Identity Needs: AWS provides tools to detect when an identity tries to use a permission it doesn't have, allowing for quick adjustments to permissions through automated workflows.
  • Centralized Control and Rapid Adjustments: Using SCPs allows for centralized control and rapid adjustments to permissions, ensuring that only necessary permissions are granted while maintaining least privilege.
  • Early Warning System: The system can act as an early warning mechanism, alerting teams when unexpected actions are attempted by identities, enhancing security monitoring.

Quotes:

  • "I've spent about the last four years of my life trying to get to least privilege in AWS accounts by editing individual policies on individual identities."
  • "Almost half of the identities have at least one of these sensitive permissions granted to it. But what is more interesting is out of that half, only 8% of those identities have ever used it in the last 90 days."
  • "The longer you've been in cloud, the more zombies you have. Basically identities that are sitting there, they haven't been used in a long period of time."
  • "We as companies have built this great process for identity with people... But when you look at the machine identities... all the version A identities got left behind."
  • "There's a better way to deal with this, and we'll talk about that in a minute, also using SCPs."
  • "What if we used SCPs? But instead of looking at 14,000 individual permissions in AWS, let's look at the stuff that's really bad. There's really only about 1,000 of those permissions."
  • "When you see that message, you now know that somebody has tripped over one of these rules, and now you can trigger a flow."
  • "You get this kind of immediate move to least privilege. It's not perfect least privilege. It's only these thousand permissions."
  • "You get kind of out of the way of the developer. You can actually use self-approval where those kind of chat op messages or whatever you use for a flow go directly to the developers themselves."
  • "What a great early warning system when somebody that's not supposed to get access to the identity gets access to it and you tell the team, by the way, the GitOps role just tried to create an access key at 2 o'clock in the morning."
Users and Their Data Modern Access and Audit Patterns on Aws Iam301Using Generative Ai to Create More Secure Applications Aps321