Amazon Web Services (AWS): Why You Should Audit Permissions & Entitlements


Why audit permissions and entitlements for AWS?

AWS’s shared responsibility model is the foundational agreement between the cloud service provider and its customers that defines how responsibility for security and compliance is divided. Ultimately, it is the organization’s responsibility to secure its own AWS cloud environment. The Capital One breach of 2019 made headlines and drove a deeper understanding of cloud misconfiguration. According to a report from Accurics, misconfigured storage services in 93 percent of cloud deployments contributed to more than 200 breaches between 2018 and 2020.

Gartner and Forrester have published research and best practices under Cloud Infrastructure Entitlement Management (CIEM) and Cloud Identity Governance (CIG) respectively. The most alarming statistic around cloud security, highlighted by analysts at Gartner, is that “Through 2025, 99% of cloud security failures will be the customer’s fault”, so we must keep a close eye on misconfiguration to significantly reduce the risk of cloud failure.

SecurEnds, a SaaS-based User Access Review product and a CISO’s choice, has worked with a number of its existing clients to understand the role of entitlement reviews in remediating cloud misconfigurations. The sheer number of resources per individual CSP offering, of identities (human and service accounts), and of permissions makes the case for Cloud Identity Governance. Owning almost half the world’s public cloud infrastructure market, Amazon is the clear market leader.

Based on our recent work with customers wanting to audit entitlements and privileges, we found the following misconfiguration use cases driving the need:

  • Failure to remove unused or over-provisioned credentials
  • Failure to rotate keys
  • Failure to enforce the principle of least privileges for users
  • EC2 instances not having proper access to resources
  • No audit of “who has access to what” leading to shadow IT
  • Failure to check public access to S3 bucket
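The first two items above, unused credentials and keys that are never rotated, can be checked directly against the CSV that IAM’s credential report produces. The script below is an added example, not SecurEnds or AWS code; it parses the report offline and the report rows are constructed sample data (the column names are the real ones, the account ID and user names are made up).

```python
"""Flag IAM access keys that are overdue for rotation or sitting unused.

Added example (not SecurEnds or AWS code). Input is the CSV format of the
IAM credential report (GetCredentialReport); the rows below are constructed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample report: only the access-key columns are included.
SAMPLE_REPORT = """user,arn,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
alice,arn:aws:iam::123456789012:user/alice,true,2024-01-10T09:00:00+00:00,2024-03-01T12:00:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2023-06-01T09:00:00+00:00,N/A,true,2024-02-20T09:00:00+00:00,2024-03-02T08:00:00+00:00
svc-deploy,arn:aws:iam::123456789012:user/svc-deploy,true,2024-02-25T09:00:00+00:00,2024-03-03T08:00:00+00:00,false,N/A,N/A
"""

# Assumed review thresholds; tune them to your own policy.
MAX_KEY_AGE = timedelta(days=90)   # rotate at least every 90 days
MAX_IDLE = timedelta(days=45)      # keys idle longer than this are candidates for removal
AS_OF = datetime(2024, 3, 5, tzinfo=timezone.utc)  # fixed "now" so the sample is reproducible


def parse_ts(value):
    """The report uses N/A or no_information where no timestamp exists."""
    if value in ("N/A", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def audit_keys(report_csv, now):
    """Return (user, key_slot, finding) tuples for every active key that fails a check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue  # inactive keys are already out of use
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            if rotated and now - rotated > MAX_KEY_AGE:
                findings.append((row["user"], slot, "rotation_overdue"))
            # A key that was never used is idle since its creation (last_rotated).
            idle_since = last_used or rotated
            if idle_since and now - idle_since > MAX_IDLE:
                findings.append((row["user"], slot, "unused"))
    return findings


if __name__ == "__main__":
    for user, slot, finding in audit_keys(SAMPLE_REPORT, AS_OF):
        print(f"{user}: access key {slot} -> {finding}")
```

Against a real account the same function can be fed the `Content` field returned by `get_credential_report`, which is the same CSV.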

Organizations looking for a CIEM solution should consider the following checklist of questions:

  • Can you manage multiple accounts across multiple cloud providers?
  • Does the tool create customizable policies and compliance reports for SOX, NIST, etc.?
  • Can the tool identify relationships between cloud objects and services?
  • Can the tool visualize the entitlements and allow action to be taken on security violation?

SecurEnds Cloud Infrastructure Entitlement Management (CIEM) enables organizations to discover human and machine identities across the entire AWS cloud environment on an ongoing basis. Lack of visibility into who has access to what opens up attack vectors for malicious actors to exploit. After these identities are discovered, the SecurEnds proprietary Mind Map makes it easy for administrators to undertake access certification or remediation. SecurEnds allows administrators to perform periodic access certifications across all user types. This is of tremendous value because affected organizations typically cannot identify the misconfigurations until a malicious actor has done the damage and it is too late to protect their sensitive data.

Article by Abhi Kumar Sood