
Whitepaper-Achieving Least Privilege in AWS


ACHIEVING LEAST PRIVILEGE IN AWS
LEAST PRIVILEGE IS A CRITICAL STEP IN YOUR CLOUD SECURITY ROADMAP
In a survey of 300 CISOs across the United States, more than 70% of respondents
identified least-privilege as their most significant challenge.

Securing identities and data in the cloud is extremely challenging, and many organizations
get it wrong. Yet recent events have proven that the risks associated with compromise of
identities and credentials cannot be taken lightly. The problem becomes increasingly acute
over time, as organizations expand their cloud footprint without establishing the capability
to effectively assign and manage permissions. As a result, users and applications tend to
accumulate permissions that far exceed technical and business requirements, creating a
large permissions gap.

The potential impact of lax authorization can be devastating. Attackers can use
compromised credentials with excessive permissions for misdemeanors like stealing time
and CPUs on your instances to mine Bitcoin. But excessive privileges can also enable a
threat actor to steal sensitive data or delete parts of the infrastructure.

THE CAPITAL ONE BREACH: A WAKE-UP CALL TO CLOUD ADOPTERS
In one of the most discussed recent breaches, a staggering 106 million credit card
applications were exposed.

The Capital One breach is the perfect example of the risks associated with excessive access
permissions. Before we continue, we must emphasize our great respect for the bank. Capital
One has pioneered cloud computing in the banking industry, and its story is one common to
trailblazers who test out new technologies.

In a nutshell, the problem stemmed, in part, from a vulnerable open-source Web Application
Firewall (WAF) that Capital One was using as part of its operations hosted in the cloud with
Amazon Web Services (AWS), its Cloud Security Provider (CSP). This vulnerability allowed the
attacker to obtain credentials to access any resource in the account to which that WAF
had access.

In AWS, exactly what access is associated with a set of credentials depends on the
permissions assigned to the entity. In the case of Capital One, the vulnerable WAF was
assigned excessive permissions. More specifically, it was allowed to list all the files in
sensitive data buckets and read the contents of each of those files. These excessive
permissions allowed the attacker to get access to a sensitive S3 bucket.

THE WAY TO LEAST PRIVILEGE: THEORY AND PRACTICE
To mitigate risks associated with abuse of identities in the cloud, organizations are trying to enforce the
principle of least privilege. Ideally, every user or application should be limited to the exact
permissions required.

Let’s take AWS as an example, since it is the most popular cloud platform and offers one of the most
granular, and complex Identity and Access Management (IAM) systems available. AWS IAM is a powerful tool
that allows you to securely configure access to AWS cloud resources. With more than 2,500 permissions
(and counting), IAM gives users fine-grained control over which actions can be performed on a given
resource in AWS.

In theory, the first step to achieve least privilege is to define a policy that reflects what access guardrails
should be in place. Then, you should understand which permissions a given user or application has and
continue to map all the permissions actually being used. Comparing the two reveals the permission gap and
enables you to decide which permissions to keep and which to remove. Finally, the permissions deemed
excessive are removed or monitored.
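The granted-versus-used comparison described above, worked through as an added example (not code from the whitepaper or from Tenable): a policy modelled on the over-permissive WAF role is expanded against a small, constructed stand-in for the IAM action catalogue, compared with the actions the role was observed using, and rewritten to allow only those. The policy document, the action list and the observed-use set are all constructed sample data.

```python
import fnmatch
import json

# Constructed stand-in for the full IAM action catalogue (2,500+ actions in reality).
KNOWN_ACTIONS = [
    "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
    "ec2:DescribeInstances", "ec2:TerminateInstances", "iam:ListRoles",
]

# Constructed policy modelled on the over-permissive WAF role discussed above.
WAF_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"}
    ],
}

# Constructed: actions the role was actually observed using. In practice this set
# comes from CloudTrail events or IAM "last accessed" data over an observation window.
OBSERVED_USED = {"s3:GetObject", "ec2:DescribeInstances"}


def granted_actions(policy, known=KNOWN_ACTIONS):
    """Expand Allow statements (wildcards such as s3:* included) into concrete actions.
    Simplification: Deny statements, Conditions and resource ARNs are not evaluated."""
    granted = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = stmt.get("Action", [])
        patterns = [patterns] if isinstance(patterns, str) else patterns
        for pat in patterns:
            # IAM action names match case-insensitively; fnmatch handles * and ?
            granted.update(a for a in known if fnmatch.fnmatch(a.lower(), pat.lower()))
    return granted


def permission_gap(policy, used, known=KNOWN_ACTIONS):
    """Granted but never used: the permission gap, i.e. candidates to remove or monitor."""
    return sorted(granted_actions(policy, known) - set(used))


def minimized_policy(policy, used, known=KNOWN_ACTIONS):
    """Rewrite the policy to allow only observed actions (scoping Resource is a further step)."""
    keep = sorted(granted_actions(policy, known) & set(used))
    resource = next(s["Resource"] for s in policy["Statement"] if s.get("Effect") == "Allow")
    return {"Version": policy.get("Version", "2012-10-17"),
            "Statement": [{"Effect": "Allow", "Action": keep, "Resource": resource}]}


if __name__ == "__main__":
    print("excessive:", permission_gap(WAF_ROLE_POLICY, OBSERVED_USED))
    print(json.dumps(minimized_policy(WAF_ROLE_POLICY, OBSERVED_USED), indent=2))
```

On the sample data the gap is the three S3 write/list actions the role never exercised; note that a real run must also account for Deny statements, Conditions and the specific bucket ARNs, which this example deliberately leaves out.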

In practice, however, the effort required to determine the precise permissions necessary for each
application in a complex environment like AWS IAM is prohibitively expensive and does not scale.
Even a simple task, like understanding the permissions granted to a single human user, can be
extremely challenging.

Solutions exist that automate the monitoring and mitigation of cloud identity risk and enforce least
privilege policies. Every cloud security stakeholder should be building such solutions into their strategy and
immediate action plan.

About Tenable Cloud Security
Tenable Cloud Security reveals, prioritizes and remediates security gaps in cloud infrastructure. It unifies
and automates full asset discovery, deep risk analysis, runtime threat detection and compliance, and
empowers stakeholders with pinpoint visualization, guided recommendations and collaboration. Tenable Cloud
Security is a comprehensive cloud-native application protection platform (CNAPP) spanning cloud security
posture management (CSPM), cloud infrastructure entitlement management (CIEM), cloud workload protection
(CWPP), Kubernetes security posture management (KSPM) and infrastructure as code (IaC) security.

FIGURE 1: ROBUST CLOUD IDENTITY GOVERNANCE SOLUTIONS KEEP ACCESS RISK IN CHECK AND PROACTIVELY ENFORCE
LEAST PRIVILEGE POLICY
Figure panels:
GET DEEP VISIBILITY – MANAGE ASSETS: Discover all human and machine identities, data and compute
resources, roles and policies.
ASSESS RISKS & AUTO-REMEDIATE: Accurately detect and prioritize at-risk identities and resources,
including toxic combinations, and mitigate risky privileges and faulty configurations while ensuring
business continuity.
PROACTIVELY ENFORCE POLICY & SHIFT LEFT: Define and enforce automated guardrails for identities, resources
and network configuration – from dev to production – preventing unauthorized access.
DETECT ANOMALIES AND THREATS: Improve your security posture and protect against policy violations with
continuous risk analysis that checks for access anomalies against each cloud identity’s baseline.
ENSURE COMPLIANCE AND GOVERN ACCESS: Comprehensively audit compliance, customize reports of violations
against leading industry standards and investigate access including evolving threats.

Contact Us:
Please email us at [email protected] or visit tenable.com/contact
About Tenable
Tenable® is the Exposure Management company. Approximately 43,000 organizations around the globe rely on
Tenable to understand and reduce cyber risk. As the creator of Nessus®, Tenable extended its expertise in
vulnerabilities to deliver the world’s first platform to see and secure any digital asset on any computing
platform. Tenable customers include approximately 60 percent of the Fortune 500, approximately 40 percent of
the Global 2000, and large government agencies. Learn more at www.tenable.com

COPYRIGHT 2023 TENABLE, INC. ALL RIGHTS RESERVED.


TENABLE, NESSUS, LUMIN, ASSURE, AND THE TENABLE
LOGO ARE REGISTERED TRADEMARKS OF TENABLE, INC.
OR ITS AFFILIATES. ALL OTHER PRODUCTS OR SERVICES
ARE TRADEMARKS OF THEIR RESPECTIVE OWNERS. White Paper / Achieving Least Privilege in AWS / 110223