
7 Steps to Avoid the Top Cloud Access Risks

By Shai Morag

Securing identities and data in the cloud is challenging, but a least-privilege access approach helps.

The Capital One incident, in which data on 106 million credit card customers and applicants was exposed, is a well-known example: misconfiguration and inadequate change control let the attacker exploit a vulnerability in an open source web application firewall (WAF) that the bank was running as part of its cloud operations in Amazon Web Services (AWS).

Through this vulnerability, the attacker could obtain the WAF's credentials and with them reach every resource the WAF itself could reach. Unfortunately, the WAF had been granted excessive permissions: it (and therefore the attacker) could list the files in any bucket and read the contents of those files. That is how the attacker got to a sensitive S3 bucket.

The most effective way to mitigate this kind of identity abuse is to enforce the principle of least privilege: every user and application should hold exactly the permissions it requires, and nothing more.

This article details seven steps for avoiding cloud access risks:

  1. Examining attached policies
  2. Analyzing IAM groups
  3. Mapping IAM roles
  4. Surveying resource-based policies
  5. Analyzing access-control lists
  6. Reviewing permission boundaries
  7. Checking service control policies
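
To make the least-privilege point concrete, and to show how steps 1, 6 and 7 (attached policies, permission boundaries and service control policies) interact, here is an added Python example; it is not code from the article or from Ermetic/Tenable. It implements a deliberately simplified, offline version of AWS's documented policy-combination logic and runs it against constructed policy documents: an over-broad S3 policy of the kind the WAF role held, a scoped replacement, a permission boundary and an SCP. All bucket names, ARNs and policy contents are made up for illustration, and the evaluator ignores resource-based policies, NotAction/NotResource and Condition keys, so treat its verdicts as a teaching model rather than a substitute for the IAM policy simulator.

```python
"""Simplified offline evaluator for AWS IAM policy combination.

Added example, not code from the article, Ermetic or Tenable. It follows
AWS's documented order for a same-account IAM principal: an explicit Deny
in any policy wins; the SCP must Allow; the permission boundary (if set)
must Allow; the identity policy must Allow. Resource-based policies,
NotAction/NotResource and Condition keys are not modelled. Every policy
document and ARN below is constructed for illustration.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_applies(stmt, action, resource):
    # IAM actions are case-insensitive; '*' and '?' are the only wildcards.
    actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
    resources = _as_list(stmt.get("Resource", "*"))
    return (any(fnmatch.fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def evaluate_policy(policy, action, resource):
    """Return 'Deny', 'Allow' or 'Implicit' for one policy document."""
    verdict = "Implicit"
    for stmt in policy.get("Statement", []):
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"          # explicit Deny always wins
            verdict = "Allow"
    return verdict


def is_allowed(action, resource, identity_policies, boundary=None, scp=None):
    """True only if every applicable layer allows and no layer denies."""
    layers = [list(identity_policies)]
    if boundary is not None:
        layers.append([boundary])
    if scp is not None:
        layers.append([scp])
    for policies in layers:
        verdicts = {evaluate_policy(p, action, resource) for p in policies}
        if "Deny" in verdicts or "Allow" not in verdicts:
            return False
    return True


# Constructed policies. The over-broad one mirrors the failure mode in the
# article: a WAF role able to list every bucket and read every object.
WAF_POLICY_OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:ListAllMyBuckets", "s3:ListBucket", "s3:GetObject"],
     "Resource": "*"}]}

# Step 1 fix: scope the attached policy to the one bucket/prefix the WAF needs.
WAF_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::waf-rules-example"},
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::waf-rules-example/rules/*"}]}

# Step 6: a permission boundary caps the role even if a broad policy is
# re-attached later by someone who did not follow change control.
WAF_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::waf-rules-example",
                  "arn:aws:s3:::waf-rules-example/*"]}]}

# Step 7: an organization SCP that denies reads of the sensitive bucket for
# every principal in the account (shown unconditional, since Conditions are
# not modelled here).
SCP_PROTECT_CUSTOMER_DATA = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-applications-example/*"}]}

SENSITIVE_OBJECT = "arn:aws:s3:::customer-applications-example/2019/app-0001.csv"
WAF_RULE_OBJECT = "arn:aws:s3:::waf-rules-example/rules/owasp.conf"


def audit(identity_policy, boundary=None, scp=None):
    """What an attacker holding this role's credentials could do."""
    checks = {
        "list_all_buckets":   ("s3:ListAllMyBuckets", "*"),
        "read_waf_rules":     ("s3:GetObject", WAF_RULE_OBJECT),
        "read_customer_data": ("s3:GetObject", SENSITIVE_OBJECT),
    }
    return {name: is_allowed(act, res, [identity_policy], boundary, scp)
            for name, (act, res) in checks.items()}


if __name__ == "__main__":
    scenarios = {
        "over-broad policy (as in the incident)": audit(WAF_POLICY_OVERBROAD),
        "scoped identity policy": audit(WAF_POLICY_SCOPED),
        "over-broad policy + boundary": audit(WAF_POLICY_OVERBROAD, boundary=WAF_BOUNDARY),
        "over-broad policy + SCP": audit(WAF_POLICY_OVERBROAD, scp=SCP_PROTECT_CUSTOMER_DATA),
    }
    for name, result in scenarios.items():
        print(f"{name:40} " + "  ".join(f"{k}={v}" for k, v in result.items()))
```

Running it prints one line per scenario. The over-broad policy allows every probe, including reading the sensitive bucket; the scoped policy, the boundary and the SCP each close that path by a different mechanism, which is why the checklist above reviews all of these layers rather than attached policies alone.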

For the full article on DarkReading.com, with detail on each of the seven steps, click here.
