The principle of least privilege states that a subject should be given only those privileges needed to complete its task. The concept is not new, but our recent research on 18,000 production cloud accounts across AWS and Azure showed that 99% of the cloud identities were overly permissive. Most identities used less than 10% of their granted permissions. These excessive permissions, on top of the growing number of identities, also significantly increased the risk of privilege escalation.
These findings raised a few questions. Are we all doing something terribly wrong? Is the principle of least privilege a realistic and necessary goal in modern cloud environments? What can be done to mitigate the problem?
In this talk, I will start with some interesting, and concerning, findings from the analysis of 80,000 cloud identities. With the problems and risks established, I will then dive into IAM-Deescalate, an open-source tool we developed to help mitigate privilege escalation risks.
IAM-Deescalate is a simple but effective tool. Its sole purpose is to identify the principals (users and roles) in an AWS account that can escalate to AdministratorAccess privilege, and to remediate the risk by revoking a minimal set of permissions. IAM-Deescalate models the relationships between all principals as a graph using PMapper. It then identifies the privilege escalation paths that allow non-admin principals to reach admin principals. For each path, IAM-Deescalate attempts to revoke a minimal set of permissions that breaks the path, removing the escalation risk. At the time of writing, IAM-Deescalate can remediate 24 of the 31 publicly known privilege escalation techniques. On average, it remediates 75% of the privilege escalation vulnerabilities that existing open-source tools can detect.
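To make the graph-cutting idea concrete, here is an added toy example; it is not IAM-Deescalate's own code (which builds on PMapper) and the account graph, principal names and the specific permissions on each edge are constructed for illustration. It finds every path from a non-admin principal to an admin principal and picks a minimum set of edges (permissions) whose revocation breaks all of them, which is one way to read "minimal set of permissions"; the tool's actual selection logic may differ.

```python
from itertools import combinations

# Constructed toy account graph (assumption, not real data). Each edge
# (src, dst, permission) means `src` can obtain `dst`'s privileges by
# exercising `permission`. Permission names are real IAM actions used here
# only as labels for the edges.
EDGES = [
    ("user:dev",     "role:deploy", "sts:AssumeRole"),
    ("role:deploy",  "role:admin",  "iam:PassRole"),
    ("user:dev",     "role:ci",     "sts:AssumeRole"),
    ("role:ci",      "role:admin",  "iam:UpdateAssumeRolePolicy"),
    ("user:auditor", "role:ro",     "sts:AssumeRole"),
]
ADMINS = {"role:admin"}  # principals holding AdministratorAccess


def escalation_paths(edges, admins):
    """Return every simple edge-path from a non-admin principal to an admin."""
    graph = {}
    for src, dst, perm in edges:
        graph.setdefault(src, []).append((dst, perm))
    paths = []
    for start in {s for s, _, _ in edges} - admins:
        stack = [(start, [])]  # DFS carrying the edges walked so far
        while stack:
            node, walked = stack.pop()
            if node in admins:
                paths.append(walked)
                continue
            visited = {e[1] for e in walked} | {start}
            for dst, perm in graph.get(node, []):
                if dst not in visited:
                    stack.append((dst, walked + [(node, dst, perm)]))
    return paths


def minimal_revocations(paths):
    """Smallest set of edges hitting every path (brute-force hitting set)."""
    universe = sorted({e for p in paths for e in p})
    for k in range(1, len(universe) + 1):
        for cut in combinations(universe, k):
            if all(any(e in cut for e in p) for p in paths):
                return set(cut)
    return set()


def remediate(edges, admins):
    """Return (edges to revoke, edges that remain) for the given account graph."""
    cut = minimal_revocations(escalation_paths(edges, admins))
    return cut, [e for e in edges if e not in cut]
```

On the toy graph the cut revokes the two edges adjacent to role:admin rather than user:dev's AssumeRole grants, since each of those two edges lies on two paths.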
I believe the talk will give the audience a new perspective on IAM security and introduce a tool that fits well in every cloud practitioner's toolbox.