Speeding Up AWS IAM Least Privileges with CloudSplaining & Elastic Stack

November 3, 2021 (schedule not yet finalized)


Rodrigo Montoro

In talking about cloud security, I believe there are three main points to take care of: IAM permissions, control plane configuration (the AWS API), and CloudTrail for control plane monitoring. When we talk about cloud misconfiguration, permissions, and monitoring, we are mostly talking about second-stage attacks (except for configurations that make information public), where the attacker already needs credentials (an access_key and secret_key) with enough privileges to perform actions that lead to privilege escalation, resource exposure, crypto mining, infrastructure modification, or access to sensitive data. To perform anything, you must have permissions. IAM with least privilege is crucial for any company that wants to improve its security posture in an AWS world and to limit the damage when a valid account is leaked, stolen, or otherwise used by someone other than its authorized owner.

To detect policies that do not follow the least-privilege concept, the Salesforce cloud team developed a tool called Cloudsplaining, whose main focus is identifying violations of least privilege. The problem we noticed when running it across multiple AWS accounts is that it is hard to prioritize based only on standalone reports per account. So we added another step to this great tool: ingesting its results into the Elastic Stack, so that when you have hundreds of policies to analyze, you can prioritize them with a new score derived from the Cloudsplaining output, using information such as the resources involved, the total number of actions per risk category, the combination of risk categories, and so on. Beyond scoring, this helps decide which policies should be acted on first. We will share dashboards, tips, and steps to mitigate the problems that a policy with excessive (but necessary) privileges could cause.

In summary, at the end of this presentation we will show a faster way to prioritize your assessment of hundreds of excessive-privilege policies, pointing out where the most critical problems are, along with some mitigation tricks.
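As an added illustration of the prioritization idea described above (example code, not the authors' tool or Cloudsplaining's own code), the script below scores per-policy findings using the three signals the abstract names: the resources the policy touches, the number of flagged actions per risk category, and how many risk categories combine in one policy. It then emits the findings as Elasticsearch `_bulk` NDJSON so they can be indexed for dashboards. The finding record shape, the category names, the weights and the sample policies are all constructed assumptions for this example, not Cloudsplaining's real report schema.

```python
"""Prioritization scoring over Cloudsplaining-style findings (added example)."""
import json
from dataclasses import dataclass

# Weight per risk category: a constructed assumption, not Cloudsplaining's scoring.
RISK_WEIGHTS = {
    "PrivilegeEscalation": 10,
    "ResourceExposure": 7,
    "DataExfiltration": 6,
    "InfrastructureModification": 4,
}


@dataclass
class PolicyFinding:
    """One policy's findings (assumed shape, not the real Cloudsplaining schema)."""
    policy_name: str
    account_id: str
    risks: dict       # risk category -> list of flagged IAM actions
    resources: list   # resources the policy applies to; "*" means any resource


def score_policy(finding):
    """Return a dict with the priority score and the signals it was built from."""
    weighted = 0
    total_actions = 0
    for category, actions in finding.risks.items():
        if not actions:
            continue
        total_actions += len(actions)
        weighted += RISK_WEIGHTS.get(category, 1) * len(actions)
    # Combination of risks: each additional non-empty category adds 50%.
    risk_kinds = sum(1 for actions in finding.risks.values() if actions)
    combo_multiplier = 1 + 0.5 * max(risk_kinds - 1, 0)
    # Resources: a wildcard resource doubles the score, scoped ARNs do not.
    wildcard = "*" in finding.resources
    resource_multiplier = 2.0 if wildcard else 1.0
    return {
        "policy_name": finding.policy_name,
        "account_id": finding.account_id,
        "total_actions": total_actions,
        "risk_kinds": risk_kinds,
        "wildcard_resource": wildcard,
        "score": round(weighted * combo_multiplier * resource_multiplier, 1),
    }


def rank_policies(findings):
    """Highest score first: the order in which policies should be worked."""
    return sorted((score_policy(f) for f in findings),
                  key=lambda d: d["score"], reverse=True)


def to_bulk_ndjson(findings, index="cloudsplaining-findings"):
    """Lines for the Elasticsearch _bulk API: an action line, then the document."""
    lines = []
    for doc in rank_policies(findings):
        lines.append(json.dumps({"index": {"_index": index}}))
        lines.append(json.dumps(doc))
    return lines


# Constructed sample findings across two accounts (not real policies).
SAMPLE_FINDINGS = [
    PolicyFinding("AdminLike", "111111111111", {
        "PrivilegeEscalation": ["iam:PassRole", "lambda:CreateFunction"],
        "ResourceExposure": ["s3:PutBucketPolicy"],
        "DataExfiltration": [],
        "InfrastructureModification": ["ec2:RunInstances", "ec2:TerminateInstances", "ec2:CreateVpc"],
    }, ["*"]),
    PolicyFinding("BucketPolicyEditor", "111111111111", {
        "PrivilegeEscalation": [],
        "ResourceExposure": ["s3:PutBucketPolicy"],
        "DataExfiltration": [],
        "InfrastructureModification": [],
    }, ["arn:aws:s3:::example-bucket"]),
    PolicyFinding("Deployer", "222222222222", {
        "PrivilegeEscalation": ["iam:PassRole"],
        "ResourceExposure": [],
        "DataExfiltration": [],
        "InfrastructureModification": ["ecs:UpdateService", "ecs:RegisterTaskDefinition"],
    }, ["*"]),
]


if __name__ == "__main__":
    for line in to_bulk_ndjson(SAMPLE_FINDINGS):
        print(line)
```

The NDJSON output can be piped to `curl -XPOST "$ES/_bulk" -H 'Content-Type: application/x-ndjson' --data-binary @-`; the `score`, `risk_kinds` and `wildcard_resource` fields are what a Kibana dashboard would sort and filter on. The weights and multipliers are deliberately simple so a team can tune them to its own risk appetite.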