IAM Pulse Check Newsletter

IAM Pulse Check #22 - fwd:cloudsec lookback

Showcasing select sessions from fwd:cloudsec 2022

Aug 12, 2022


Hey folks,

One industry conference stands out above the rest – so much so that even though we're pre-product, we must be sponsors. That's right, I'm talking about the epic fwd:cloudsec held a couple of weeks ago in Boston. I couldn't attend in person, but thankfully, the organizers posted the session playlist on YouTube for all to watch.

Like last week's newsletter showcasing my top 3 sessions from AWS re:Inforce, this issue will showcase my favorite sessions from fwd:cloudsec – which has to be a top 5.

As a highly technical event meant for expert practitioners, the sessions are deep, but welcoming. Everyone knows the space is extremely challenging, but the content themes explored areas of creative technical, math, and design thinking – highly relevant to our efforts here at IAM Pulse.

Hopefully next time I can finally make it in person!


Ivan at IAM Pulse

From fwd:cloudsec 2022

Stop Guessing and Start Proving: Demystifying AWS Zelkova

This was the session I was most anticipating, and I was not let down one bit. Zelkova is an internal research project within AWS to mathematically verify the outcomes of IAM policies. It’s an advanced topic, but Kaushik Devireddy, a student at UCLA, did an excellent job breaking it down.

The short of it is that Zelkova encodes a policy as a logical formula built from ANDs and ORs, then uses SMT solvers to decide which requests the policy allows. The intent is to verify that policies evaluate as intended, which you may have seen in practice if you use IAM Access Analyzer. It’s no silver bullet, though. What’s missing are the two things that I constantly harp on - context and intent. Both are very hard to factor in, and factoring them in is key to what we’re building!
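To make the "prove instead of guess" idea concrete, here is an added example (my own illustration, not Zelkova or any AWS code). Zelkova hands a symbolic encoding of the policy to an SMT solver, which reasons over every possible request string; this script stands in for the solver with exhaustive enumeration over a small, constructed domain of actions and resources, which is enough to show the question Access Analyzer asks: does a candidate policy allow anything a reference policy does not? The two policies, the action list and the resource ARNs are all constructed sample data, and the result only holds for requests inside that domain, which is exactly the limitation a real solver removes.

```python
from fnmatch import fnmatchcase
from itertools import product

# Two constructed identity policies (sample data, not from the newsletter or AWS).
BROAD = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": ["arn:aws:s3:::team-bucket/*"]},
        {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": ["*"]},
    ]
}
NARROW = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::team-bucket/reports/*"]},
    ]
}

# Finite request domain standing in for the solver's symbolic universe (constructed).
ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"]
RESOURCES = [
    "arn:aws:s3:::team-bucket/reports/q1.csv",
    "arn:aws:s3:::team-bucket/secrets.txt",
    "arn:aws:s3:::other-bucket/data.bin",
]


def _matches(patterns, value):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one character.
    # fnmatchcase has the same '*' and '?' semantics; '[' never appears in these samples.
    return any(fnmatchcase(value, p) for p in patterns)


def allows(policy, action, resource):
    """Single-policy IAM evaluation: an explicit Deny always wins, then any
    matching Allow grants, and everything else is implicitly denied."""
    statements = policy["Statement"]
    for s in statements:
        if s["Effect"] == "Deny" and _matches(s["Action"], action) and _matches(s["Resource"], resource):
            return False
    return any(
        s["Effect"] == "Allow" and _matches(s["Action"], action) and _matches(s["Resource"], resource)
        for s in statements
    )


def find_extra_access(candidate, reference):
    """Model-finding step: return the first (action, resource) request that
    `candidate` allows but `reference` denies, or None if no such request exists
    in the domain. Zelkova asks the SMT solver the same question over all strings."""
    for action, resource in product(ACTIONS, RESOURCES):
        if allows(candidate, action, resource) and not allows(reference, action, resource):
            return (action, resource)
    return None


def is_no_more_permissive(candidate, reference):
    """True when `candidate` grants nothing beyond `reference` within the domain."""
    return find_extra_access(candidate, reference) is None


if __name__ == "__main__":
    print("BROAD vs NARROW witness:", find_extra_access(BROAD, NARROW))
    print("NARROW within BROAD:", is_no_more_permissive(NARROW, BROAD))
```

Run as a script it reports the witness request that BROAD grants but NARROW does not (a GetObject on an object outside `reports/`), and confirms that NARROW grants nothing BROAD does not. The witness is the useful output: a solver-backed tool returns the same kind of counterexample, which is far more actionable than a bare "policy is too permissive" verdict.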

Dismantling the Beast: Formally Proving Access at Scale in AWS

In a very similar vein to the prior session, Nick Jones and Mohit Gupta from WithSecure debuted a new open source tool they’ve been working on called IAMSpy, which uses SMT solvers to simulate policies.

Their goal with this session and their respective open source work is similar to ours – helping people reason about the complexities of IAM. Of course, this is a hard challenge to take on, and best to take it in stride. Excited to give their tool a spin, and hopefully we can compare some notes!

The True Power of AWS Tags

This was a fun session from Yoav Yanilov and Itamar Bareket, talking about the benefits and pitfalls of ABAC using tags.

Their example demo was impressive – using conditions in SCPs, they implemented a 2-person approval workflow for select actions. Effectively, they dynamically set tags through a ticket-like workflow, and the presence of the right tag unlocks the select actions. Very cool!
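As an added example of how a tag-gated approval could be expressed in an SCP (my own construction, not the presenters' implementation), the policy below denies a couple of destructive actions unless the calling principal carries an approval tag, and denies tagging itself to everyone except an approval workflow role, so nobody can approve their own change. The tag key `change-approved`, the role name `ChangeApprovalWorkflow`, the account ID and the request contexts are all placeholders chosen for this example. The small evaluator underneath checks only the SCP's Deny statements, which is enough to show the gate opening and closing as the tag appears.

```python
from fnmatch import fnmatchcase

# Constructed SCP. The tag key "change-approved" and the role name
# "ChangeApprovalWorkflow" are placeholders chosen for this example.
TWO_PERSON_SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {
            # The gate: destructive actions are denied unless the calling principal
            # carries the approval tag. StringNotEquals is a negated operator, so a
            # principal with no such tag at all is also denied.
            "Sid": "DenyDestructiveWithoutApproval",
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances", "rds:DeleteDBInstance"],
            "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:PrincipalTag/change-approved": "true"}},
        },
        {
            # Only the approval workflow's role may set or clear the tag, so a
            # requester cannot approve their own change.
            "Sid": "OnlyApproverManagesTag",
            "Effect": "Deny",
            "Action": ["iam:TagRole", "iam:UntagRole", "iam:TagUser", "iam:UntagUser"],
            "Resource": "*",
            "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/ChangeApprovalWorkflow"}},
        },
    ],
}


def _matches(patterns, value):
    # IAM-style wildcard match; a bare string is treated as a one-element list.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Evaluate the subset of condition operators used above. Keys within one
    operator are ANDed; each key here carries a single value."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "StringEquals":
                ok = actual == expected            # missing key => False
            elif operator == "StringNotEquals":
                ok = actual != expected            # missing key => True
            elif operator == "ArnNotLike":
                ok = actual is None or not fnmatchcase(actual, expected)
            else:
                raise ValueError(f"operator not modelled: {operator}")
            if not ok:
                return False
    return True


def scp_denies(scp, action, resource, ctx):
    """An SCP can only restrict, never grant: return the Sid of the first Deny
    statement that applies to the request, or None if the SCP lets it through."""
    for s in scp["Statement"]:
        if s["Effect"] != "Deny":
            continue
        if (_matches(s["Action"], action) and _matches(s["Resource"], resource)
                and _condition_holds(s.get("Condition", {}), ctx)):
            return s["Sid"]
    return None


# Constructed request contexts: a requester before and after the approver tags their role.
REQUESTER = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/DeployRole"}
REQUESTER_APPROVED = {**REQUESTER, "aws:PrincipalTag/change-approved": "true"}
APPROVER = {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/ChangeApprovalWorkflow"}

if __name__ == "__main__":
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/i-0123456789abcdef0"
    role = "arn:aws:iam::123456789012:role/DeployRole"
    print(scp_denies(TWO_PERSON_SCP, "ec2:TerminateInstances", inst, REQUESTER))           # gate closed
    print(scp_denies(TWO_PERSON_SCP, "ec2:TerminateInstances", inst, REQUESTER_APPROVED))  # gate open
    print(scp_denies(TWO_PERSON_SCP, "iam:TagRole", role, REQUESTER))                      # self-approval blocked
    print(scp_denies(TWO_PERSON_SCP, "iam:TagRole", role, APPROVER))                       # approver may tag
```

Two caveats worth keeping in mind. An SCP never grants anything, so the requester still needs an Allow in their identity policy (and the organization's SCPs still need an Allow such as the default FullAWSAccess); this evaluator models only the Deny gate. And the gate is only as good as the tag's lifetime: the workflow that sets `change-approved` has to clear it again once the approved change is done, otherwise the approval becomes a standing grant.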

Abusing the Replicator: Silently Exfiltrating Data with the AWS S3 Replication Service

I really enjoyed this session from Kat Traxler, Principal Security Researcher at Vectra AI. She shared a clever discovery – in short, the S3 Replication service often used for backups can be abused to quietly copy data out of an account. Thankfully, the controls are obvious once you know about it, but knowing about it is more than half the battle!

A key takeaway from this session, as the above image implies, is how difficult it is to reason about permissions when so many cloud actions are performed “on behalf of” someone and/or something. A prime example is IAM Roles – what we gain from a security perspective is short-term credentials, but what we need to be mindful of is mapping transitive access.

Achieving AWS IAM zen in a Google Cloud world

While AWS dominates the topics (and collective knowledge), it’s always good to step into another cloud provider’s mindset. Caleb Tennis from Sequoia Capital shared his learnings in GCP coming from an AWS expert frame of mind.

He walked through a lot of good comparison examples – one big takeaway is that GCP’s version of service impersonation, the counterpart to IAM Role assumption, is not widely used by vendors for their integrations. *note to self – think about workload identity federation when you start working on GCP.
