Closing the Cloud Permissions Gap to Achieve Zero Trust: An AWS Risk Assessment
January 26, 2021
Author: Raj Mallempati, COO of CloudKnox
Whether it is to adapt to remote work, improve innovation, or build agile teams, organizations continue to prioritize digital transformation for myriad reasons. And, while there are many business benefits to digital transformation strategies—from boosted productivity to tools that unlock new functions—there are also significant cloud infrastructure security risks that enterprises must mitigate to benefit from their investments fully.
An organization must also carefully balance this emphasis on digital transformation with Zero Trust. A major pillar of the Zero Trust model is the ability to limit excessive user entitlements. Yet, in the cloud, this is very difficult to accomplish when cloud service providers add new services and permissions at such a fast pace, leaving organizations attempting to understand the complexity of thousands of permissions daily.
A major cloud security risk, as an example, is associated with the human and non-human identities operating within organizations’ hybrid and multi-cloud environments. In fact, through extensive research and analysis evaluating organizations using Amazon Web Services (AWS), CloudKnox Security Research Labs has discovered a significant delta between permissions granted and permissions used in these environments. This delta is called the Cloud Permissions Gap, and it is a contributing factor to the rise of both accidental and malicious insider threats impacting enterprises of all sizes. Here, attackers are able to exploit an identity with elevated permissions and access across the organization’s critical cloud infrastructure while the organization is unable to implement and manage Zero Trust policies.
Since the Cloud Permissions Gap is challenging to navigate and poses an immediate threat, CloudKnox takes a deeper look into the AWS risk assessment for cloud permissions management to outline where the risks are and offer best practices to mitigate them.
What is the Cloud Permissions Gap, and why is it dangerous?
The Cloud Permissions Gap exists across any organization that has adopted public cloud or hybrid cloud infrastructures, making the organization incredibly vulnerable to both accidental and malicious threats. How does this happen, and why is it universally prevalent? Although identities should only have the permissions they need for their specific job functions, a CloudKnox assessment of more than 150 global enterprises uncovered that more than 95% of all identities accessing their organizations’ AWS infrastructure are using less than 2% of the permissions granted to them. Even worse, 40% of all AWS roles were reported as inactive or over-permissioned.
But that’s not all! Here are some other findings from AWS deployments that could yield scary results for global organizations, if not mitigated, with recommendations for how to do so:
- Cross-account access was frequently granted to external identities. These identities can reach all resources in the target accounts, significantly increasing the likelihood of data leakage, service degradation or service disruption due to either malicious intent or accidental actions.
  - Recommendation: Right-size the scope of roles to access limited resources, and limit access to specific identities in other accounts.
- Administrators typically did not have Multi-Factor Authentication (MFA) enabled, and access keys were not rotated for more than 6 months. Administrators logging in without MFA, or access keys that are not rotated regularly, create a higher risk of compromised credentials, which increases the attack surface.
  - Recommendation: Enable MFA for all users with console access, and rotate access keys every 90 days, per AWS Well-Architected recommendations.
- Most enterprises had Elastic Compute Cloud (EC2) instances with access to all Simple Storage Service (S3) buckets. An attacker who compromises one of these EC2 instances can use it to reach sensitive data stores, like S3 buckets, leading to data breaches.
  - Recommendation: Restrict broad access to all resources for applications running on EC2 instances.
- Security groups were misconfigured with the inbound Secure Shell (SSH) port open and were attached to EC2 instances. An open security group allows network-based attacks to gain access to EC2 instances.
  - Recommendation: No security group should allow unrestricted ingress access to any port.
- Identities with privilege escalation ability could elevate to super admin roles. Identities with hidden privilege escalation paths increase the risk of users gaining unauthorized access by escalating their access to administrator privileges.
  - Recommendation: Review all identity policies regularly for high-risk permissions, toxic combinations, and any privilege escalation possibilities.
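As an added illustration (not code from CloudKnox or the original post), the following Python runs the MFA/key-rotation and open-ingress checks from the findings above over constructed sample data shaped like the boto3 responses they stand in for; the user names, key ids and group ids are made up.

```python
"""Offline checks for two of the findings above, run over constructed sample data.
The inputs mirror the shape of the boto3 responses they stand in for (IAM user,
MFA and access-key listings; ec2.describe_security_groups); nothing calls AWS."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2021, 1, 26, tzinfo=timezone.utc)   # constructed assessment date
MAX_KEY_AGE = timedelta(days=90)                     # rotation window the post recommends

# Constructed IAM users: console access, MFA device count and access-key ages.
USERS = [
    {"UserName": "admin-alice", "ConsoleAccess": True, "MfaDevices": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE1", "CreateDate": NOW - timedelta(days=220)}]},
    {"UserName": "deploy-bot", "ConsoleAccess": False, "MfaDevices": 0,
     "AccessKeys": [{"AccessKeyId": "AKIAEXAMPLE2", "CreateDate": NOW - timedelta(days=30)}]},
    {"UserName": "ops-bob", "ConsoleAccess": True, "MfaDevices": 1, "AccessKeys": []},
]

def user_findings(users, now=NOW):
    """Return (user, issue) pairs for console users without MFA and for stale access keys."""
    issues = []
    for u in users:
        if u["ConsoleAccess"] and u["MfaDevices"] == 0:
            issues.append((u["UserName"], "console access without MFA"))
        for key in u["AccessKeys"]:
            if now - key["CreateDate"] > MAX_KEY_AGE:
                issues.append((u["UserName"], f"key {key['AccessKeyId']} older than 90 days"))
    return issues

# Constructed security groups in describe_security_groups shape; the second one
# looks restricted on IPv4 but is open to the whole IPv6 Internet.
SECURITY_GROUPS = [
    {"GroupId": "sg-0000aaaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-0000bbbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]

def unrestricted_ingress(groups):
    """Return (group id, from-port) pairs whose ingress rule accepts any source address."""
    open_rules = []
    for sg in groups:
        for perm in sg["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
                open_rules.append((sg["GroupId"], perm.get("FromPort")))
    return open_rules
```

The IPv6 case is included because a rule that only lists an IPv4 CIDR can still be world-reachable through its Ipv6Ranges entry.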
Over-permissioned identities leave organizations vulnerable to significant risks across their AWS environments and make the CISO’s and security operations center (SOC) team’s lives more challenging and complicated than necessary, but it doesn’t have to be that way.
What can organizations do to secure their AWS environments?
Managing the permissions associated with any given human or non-human identity is highly complex, and if identities are not managed properly and continuously, there is a huge risk to the organization. However, it doesn’t have to be all doom and gloom within these multi-cloud environments. Here are three things an organization using AWS can—and should—do right now to secure its cloud infrastructure:
- Leverage activity-based authorization to right-size permissions of identities. Remove or scope down permissions automatically for over-privileged users, roles and groups. Enable high-risk permissions on demand with controlled timed access using an integrated approval workflow. Restrict broad access to critical cloud infrastructure resources.
- Identify, improve and monitor Identity and Access Management (IAM) hygiene continuously. Migrate from static, assumption-based permission grant processes to continuous, activity-based permissions management processes. Monitor, get alerts and remediate anomalous identity behavior, unauthorized identities and roles.
- Implement automated, continuous compliance and reporting. Restrict access to virtual machines by removing inbound SSH and Remote Desktop Protocol (RDP) access in security groups. Enable MFA for all identities with console access. Rotate credentials and manage keys regularly to reduce the risk caused by compromised credentials. Automate and schedule custom risk reports across all accounts using NIST 800-53, CIS Benchmarks, PCI-DSS and AWS Well-Architected reporting to drive compliance.
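The Cloud Permissions Gap defined earlier and the activity-based right-sizing in the first recommendation, as an added Python example that is not the post’s or CloudKnox’s code: it expands a policy’s wildcard grants against a small constructed action catalogue, compares them with observed activity, and emits a policy limited to the actions actually used. Resource scoping is not modelled, and the catalogue, policy and activity are all assumed sample values.

```python
"""Measure the Cloud Permissions Gap for one identity and right-size its policy from
observed activity. All data below is constructed sample input, not assessment data."""
import fnmatch

# Constructed catalogue of the concrete actions a wildcard grant expands to.
# A real run would expand against the full AWS action list for each service.
SERVICE_ACTIONS = {
    "s3": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
           "s3:DeleteBucket", "s3:PutBucketPolicy"],
    "ec2": ["ec2:DescribeInstances", "ec2:DescribeSecurityGroups",
            "ec2:RunInstances", "ec2:TerminateInstances"],
}

# Constructed policy attached to an EC2 instance role: every S3 action plus EC2 reads.
GRANTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}]}

# Constructed 90-day activity for that role, already normalised to IAM action names
# (in practice derived from IAM last-accessed data or CloudTrail events).
ACTIVITY = ["s3:GetObject", "s3:GetObject", "s3:ListBucket", "ec2:DescribeInstances"]

def granted_actions(policy, catalogue=SERVICE_ACTIONS):
    """Expand the Allow statements' action patterns into the concrete actions they permit."""
    granted = set()
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        patterns = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        for pattern in patterns:
            for action in (a for acts in catalogue.values() for a in acts):
                if fnmatch.fnmatchcase(action, pattern):
                    granted.add(action)
    return granted

def permissions_gap(policy, activity):
    """Return (granted, used, unused); the unused set is the identity's permissions gap."""
    granted = granted_actions(policy)
    used = set(activity) & granted
    return granted, used, granted - used

def used_fraction(policy, activity):
    """Share of granted permissions actually exercised (the post's 'less than 2%' metric)."""
    granted, used, _ = permissions_gap(policy, activity)
    return len(used) / len(granted) if granted else 0.0

def right_sized_policy(policy, activity):
    """Allow only the used actions; Resource is left as granted (scope it separately)."""
    _, used, _ = permissions_gap(policy, activity)
    return {"Version": policy["Version"], "Statement": [
        {"Effect": "Allow", "Action": sorted(used), "Resource": "*"}]}
```

On this sample the role used 3 of its 8 expanded permissions, so the five unused ones (including s3:DeleteBucket and s3:PutBucketPolicy) are the gap that right-sizing removes.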
Ultimately, it is imperative that all organizations prioritizing digital transformation and cloud-first strategies leverage solutions for managing access and enforcing least privilege and Zero Trust access in the cloud. We know that despite existing solutions, the risks associated with over-permissioned identities—both human and non-human—will only be exacerbated by the ever-growing move to, and development in, the cloud. And the delta between the permissions granted versus the permissions used across an organization’s cloud infrastructure is only getting more dangerous as bad actors exploit those identities to exfiltrate sensitive information through growing attack vectors, as demonstrated by the latest CSA (Cloud Security Alliance) report and infographic.
Moving forward, organizations applying best practices for cloud permissions management will be better suited to implement and manage Zero Trust policies and protect critical cloud infrastructure resources and identities, in both their hybrid and multi-cloud environments. Further, leveraging automated technologies—such as a cloud infrastructure entitlements management (CIEM) platform—allows organizations to reinforce such best practices. Collectively, these actions allow organizations to achieve one of Zero Trust’s guiding principles, limiting excessive permissions, and to take a proactive security posture toward risk.