PAM and AWS: Keeping pace with AWS privileged accounts
Chris Smith
Amazon Web Services (AWS) gives IT and development teams tools to move fast and change direction on a dime. Privileged accounts for AWS resources are created quickly and may be abandoned just as quickly. With such a fluid process, it’s difficult for security teams to stay on top of how many privileged accounts have access to AWS, make sure they’re set up properly, and remove them when they’re no longer needed.
PAM oversight is especially important to secure systems like AWS, which are easily misconfigured, inviting attacks.
AWS misconfigurations are rampant
Analyzing billions of anonymized cloud events, McAfee found organizations typically have at least 14 misconfigured IaaS instances running at any given time, resulting in an average of 2,269 misconfiguration incidents per month. These can be as simple as forgetting to check a box during setup.
The most common misconfigurations include:
· Unrestricted access
· Lack of inbound and outbound data encryption
· Failure to turn on Multi-Factor Authentication (MFA)
On top of these issues, 5.5% of all AWS S3 buckets are misconfigured. Most organizations have at least one AWS S3 bucket set with “open write” permissions, giving anyone and everyone access to inject data into cloud environments, including malicious code that could modify records.
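The “open write” condition described above can be checked programmatically. The following is an added example (not code from the original post or from any PAM vendor) that inspects a bucket ACL and a bucket policy in the document shapes AWS returns for `GetBucketAcl` and `GetBucketPolicy` and reports grants that let everyone write. The bucket names, the ACL documents and the policy JSON are constructed for the example; the public group URIs, ACL permission names and policy fields are the real AWS ones.

```python
import fnmatch
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account" in bucket ACLs.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}
# ACL permissions that allow writing objects or changing the ACL itself.
ACL_WRITE_PERMS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (anonymous or any account)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _action_grants_write(action) -> bool:
    """True if any action pattern (wildcards included) matches s3:PutObject."""
    return any(fnmatch.fnmatchcase("s3:putobject", a.lower()) for a in _as_list(action))


def acl_public_write_findings(acl: dict) -> list:
    """Report ACL grants giving a public group write-class permission."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        group = PUBLIC_GROUPS.get(grantee.get("URI"))
        if grantee.get("Type") == "Group" and group and grant.get("Permission") in ACL_WRITE_PERMS:
            findings.append(f"ACL grants {grant['Permission']} to {group}")
    return findings


def policy_public_write_findings(policy_json: str) -> list:
    """Report Allow statements that let everyone put objects into the bucket."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        if not _action_grants_write(stmt.get("Action")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Condition"):
            # A Condition may narrow the grant (e.g. to a VPC); flag for manual review.
            findings.append(f"policy statement {sid} allows write to everyone, limited by a Condition (review manually)")
        else:
            findings.append(f"policy statement {sid} allows unconditional write to everyone")
    return findings


def audit_bucket(name: str, acl: dict, policy_json: str = None) -> list:
    """Combine ACL and policy findings for one bucket."""
    findings = acl_public_write_findings(acl)
    if policy_json:
        findings += policy_public_write_findings(policy_json)
    return findings


# --- constructed sample data (not real buckets) ---------------------------
OWNER = {"ID": "constructed-canonical-owner-id"}
OPEN_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "WRITE"},
    ],
}
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicPut", "Effect": "Allow", "Principal": "*",
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::open-write-bucket/*"},
        # Public read is a separate problem; this checker only looks for write.
        {"Sid": "PublicGet", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::open-write-bucket/*"},
    ],
})
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]}, "Permission": "FULL_CONTROL"}],
}
SAMPLE_BUCKETS = {
    "open-write-bucket": (OPEN_ACL, OPEN_POLICY),
    "private-bucket": (PRIVATE_ACL, None),
}


def run_audit() -> dict:
    """Audit every sample bucket; returns {bucket: [findings]}."""
    return {name: audit_bucket(name, acl, pol) for name, (acl, pol) in SAMPLE_BUCKETS.items()}


if __name__ == "__main__":
    for bucket, findings in run_audit().items():
        print(bucket, "->", findings or "no public write found")
```

In a live account the same two functions can be fed the `get_bucket_acl()` response and the `Policy` string from `get_bucket_policy()` for each bucket returned by `list_buckets()`; the account-level S3 public access settings mentioned below close the gap by default, but a check like this still tells you which buckets were exposed before they were applied.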
Jeff Barr, Chief Evangelist for Amazon Web Services, recently announced public access settings for S3 buckets to help AWS customers prevent data breaches caused by incorrect S3 security settings.
That’s great news. But we don’t think it’s enough to protect highly privileged accounts like those used for AWS.
Essential PAM controls for AWS
PAM solutions are designed to enforce consistent PAM best practices every time a new AWS account is set up, whether that’s by the security team, the infrastructure team, or a single developer building an application.
When you set up compute resources with AWS there are several actions you can take to reduce risk:
• Secure AWS privileged credentials in a PAM vault
• Automate high-speed secret creation, archiving, retrieval and rotation
• Limit access to the AWS control panel
• Confirm MFA is required for root access to AWS
• Set up session monitoring and recording for root account activity
• Add in workflow rules for approval or dual control
Additionally, to match the fluid nature of these accounts, continuous AWS account discovery is an essential cloud security control PAM teams need in their arsenal. It gives you the visibility to check that best practices are being followed.
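Several of the controls listed above (MFA on root, credential rotation, and finding accounts that were abandoned) can be verified from one artifact: the IAM credential report. The script below is an added example, not code from the original post or from any PAM product. It parses a report in the CSV layout AWS produces (column names are the real ones; the account ID, user names and dates are constructed) and flags root without MFA, console users without MFA, access keys past a rotation age, and identities with no activity for a configurable period. The thresholds of 90 days and the fixed “now” timestamp are assumptions for the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Fixed clock so the sample produces deterministic results (assumption for the example).
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)

# Constructed sample in the column layout of an IAM credential report (subset of columns;
# the names are the real ones, the users, account ID and timestamps are made up).
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2017-01-10T09:00:00+00:00,not_supported,2019-05-20T08:12:00+00:00,false,false,N/A,N/A,false,N/A,N/A
alice,arn:aws:iam::111122223333:user/alice,2018-02-01T12:00:00+00:00,true,2019-05-30T15:04:00+00:00,true,true,2018-11-01T10:00:00+00:00,2019-05-30T14:00:00+00:00,false,N/A,N/A
deploy-bot,arn:aws:iam::111122223333:user/deploy-bot,2019-03-15T00:00:00+00:00,false,no_information,false,true,2019-03-15T00:05:00+00:00,2019-05-31T23:00:00+00:00,false,N/A,N/A
old-contractor,arn:aws:iam::111122223333:user/old-contractor,2018-06-01T00:00:00+00:00,true,2018-12-01T09:30:00+00:00,false,false,N/A,N/A,false,N/A,N/A
"""


def _parse_ts(value):
    """Return an aware datetime, or None for N/A, no_information and not_supported."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def _is_true(value) -> bool:
    return (value or "").strip().lower() == "true"


def audit_credential_report(report_csv: str, now: datetime,
                            max_key_age_days: int = 90, max_inactive_days: int = 90) -> list:
    """Return (user, finding) tuples for the controls a PAM team would check."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]

        # 1. Root must have MFA (root has no password_enabled flag, so check it directly).
        if user == "<root_account>":
            if not _is_true(row["mfa_active"]):
                findings.append((user, "root account has no MFA device"))
        # 2. Any user who can log in to the console must have MFA.
        elif _is_true(row["password_enabled"]) and not _is_true(row["mfa_active"]):
            findings.append((user, "console password enabled without MFA"))

        # 3. Active access keys must be rotated within max_key_age_days.
        for n in ("1", "2"):
            if _is_true(row[f"access_key_{n}_active"]):
                rotated = _parse_ts(row[f"access_key_{n}_last_rotated"])
                if rotated is None or now - rotated > timedelta(days=max_key_age_days):
                    findings.append((user, f"access key {n} older than {max_key_age_days} days"))

        # 4. Discovery of abandoned identities: latest of password/key use, else creation time.
        activity = [_parse_ts(row["password_last_used"])]
        activity += [_parse_ts(row[f"access_key_{n}_last_used_date"]) for n in ("1", "2")]
        activity = [t for t in activity if t is not None]
        last_seen = max(activity) if activity else _parse_ts(row["user_creation_time"])
        if last_seen is not None and now - last_seen > timedelta(days=max_inactive_days):
            findings.append((user, f"no activity for more than {max_inactive_days} days"))
    return findings


def run_sample() -> list:
    return audit_credential_report(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:16} {finding}")
```

Against a real account the CSV text is obtained with boto3’s `iam.generate_credential_report()` followed by `iam.get_credential_report()["Content"].decode()`; running the audit on a schedule and diffing the findings is the simplest form of the continuous discovery the paragraph above calls for.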
What about native IAM/PAM capabilities offered by AWS?
AWS does offer capabilities to manage identities and privileges. For some organizations, these controls are enough to get up and running. Certainly, they are better than no PAM at all. These controls are stretched when addressing the more advanced requirements of PAM, especially in hybrid or multi-cloud environments.
As a PAM leader, your goal is to empower your entire company to follow consistent PAM policies, whether they’re using AWS, Azure, SaaS, or on-premises solutions. When you set up session management rules or run reports for compliance, you’ll want to see all privileged account usage in a single, consolidated view. It’s more efficient to manage AWS credentials from your central PAM solution, rather than implement a special-purpose tool that only works on one IaaS platform.
Thinking about how to secure your AWS environment?
You can read more about how PAM solves AWS and other cloud security challenges in the whitepaper:
Critical Controls for Modern Cloud Security.