IAM Pulse Check #8 - Whodini
IAM is a lot like Whodunnit or Whocandoit - but don't forget the Why
If you ask 100 people what the ultimate Halloween song is, I bet 99 would say Thriller. I’m that one hip hop nerd who’d say Freaks Come Out At Night. As I do every year at this time, I combed through my boxes of hip hop records that don’t get much play anymore to grab that classic Whodini LP. What’s different about this year is the mental association. IAM is a lot like Whodunnit or Whocandoit. That’s right – the puns don’t stop like the party don’t stop!
As mentioned during last week’s newsletter, a lot of what makes IAM complex is the surrounding nuance and the multiple dimensions. Every individual request is deterministic, so once you have all the inputs and understand the evaluation logic, the results are always predictable.
Where it’s easy to get tripped up is in the framing once you zoom out from a request to an environment. As in: given a resource, who can access it and under what conditions? Or given a role, what can it do and who can assume it? This becomes less deterministic and more of an exercise in painstaking enumeration.
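To make the two framings concrete, here is a small added example (not code from the newsletter or any AWS tool) that models the single-request decision and then asks the zoomed-out question. The policies, principal names, bucket names and the account id 123456789012 are constructed sample values, and only the StringEquals/StringNotEquals condition operators are modelled. The per-request logic follows the documented IAM order: a matching explicit Deny wins, otherwise a matching Allow is needed, otherwise the request is implicitly denied. `who_can` then enumerates every principal that the evaluator allows for a given action and resource, which is exactly the "given a resource, who can access it" question.

```python
import fnmatch
from typing import Dict, List, Optional

# Constructed sample identity policies keyed by principal (not from any real
# account). 123456789012 is the AWS documentation placeholder account id.
POLICIES: Dict[str, List[dict]] = {
    "role/lambda-orders": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
        {"Effect": "Allow", "Action": "sqs:ReceiveMessage",
         "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue"},
    ],
    "role/analyst": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        # Security's guard rail: an explicit Deny on anything tagged for PCI.
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/compliance": "pci"}}},
    ],
    "role/read-only": [
        {"Effect": "Allow", "Action": "s3:Get*", "Resource": "arn:aws:s3:::*"},
    ],
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, fold: bool = False) -> bool:
    # Action and Resource fields accept '*' and '?' wildcards. Action names
    # compare case-insensitively (fold=True); ARNs stay case-sensitive.
    norm = (lambda s: s.lower()) if fold else (lambda s: s)
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _as_list(patterns))


def _condition_holds(condition: Optional[dict], ctx: Dict[str, str]) -> bool:
    # A missing context key makes StringEquals false, as in IAM.
    if not condition:
        return True
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise ValueError(f"unsupported condition operator {operator}")
        for key, wanted in pairs.items():
            present = ctx.get(key)
            if operator == "StringEquals" and present != wanted:
                return False
            if operator == "StringNotEquals" and present == wanted:
                return False
    return True


def evaluate(principal: str, action: str, resource: str,
             ctx: Optional[Dict[str, str]] = None) -> str:
    """Single-request decision: ExplicitDeny beats Allow beats ImplicitDeny."""
    ctx = ctx or {}
    decision = "ImplicitDeny"
    for stmt in POLICIES.get(principal, []):
        if not _matches(stmt["Action"], action, fold=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition"), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"   # a matching Deny ends evaluation immediately
        decision = "Allow"
    return decision


def who_can(action: str, resource: str,
            ctx: Optional[Dict[str, str]] = None) -> List[str]:
    """Zoomed-out question: every principal allowed to perform action on resource."""
    return sorted(p for p in POLICIES if evaluate(p, action, resource, ctx) == "Allow")


if __name__ == "__main__":
    order_obj = "arn:aws:s3:::orders-bucket/2024/order-1.json"
    pci_obj = "arn:aws:s3:::cardholder-data/batch-1.csv"
    pci_ctx = {"aws:ResourceTag/compliance": "pci"}
    print(evaluate("role/lambda-orders", "s3:PutObject", order_obj))
    print(evaluate("role/analyst", "s3:GetObject", pci_obj, pci_ctx))
    print(who_can("s3:GetObject", order_obj))
    print(who_can("s3:GetObject", pci_obj, pci_ctx))
```

The last call is the interesting one: the analyst's broad `s3:*` is neutralised by the tag-conditioned Deny, but `role/read-only` still comes back as allowed on the PCI object because its `Get*` grant has no such condition. Each request was perfectly predictable; the finding only appears once you enumerate across principals.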
Digging into the dimensions behind the Who and the What has been insightful for our team, but where the real fun comes into play is when you get to the Why. That’s when you start to get to the heart of least privilege. Because without the Why, it wouldn’t matter that much what the right size is.
There can be different perspectives to the Why, which is a key reason that IAM is as much of a people challenge as it is a technical challenge. The Why for a developer could be, “my Lambda function needs to write to that S3 bucket, connect to that RDS instance, and pull from that SQS queue.” The Why for Security could be, “that data is tagged for PCI compliance, you can’t grant access for that service account.”
Navigating these conflicting perspectives can be hard, but a deeper understanding of the Why helps bring alignment where it’s needed.
IAM checking these out...
There are pros and cons to the fact that AWS exposes accounts and account owners as publicly accessible data via API. The cons are that an attacker can infer a good amount of information from an account ID alone. This project is meant as an exploit tool that scans accounts, traversing identities and services to build an understanding of an account’s footprint.
The CI/CD pipeline threat model is an important and often overlooked one. Here is some solid research on the topic, including an actionable threat matrix. There are a few areas relevant to IAM in terms of credential management and role assignments.
Kinnaird McQuade’s Cloudsplaining project is helpful in determining which IAM permissions violate least privilege. It can detect things like missing resource constraints, possible privilege escalation paths, and more. This tool from Tenchi Security runs Cloudsplaining against all AWS Managed Policies. A helpful resource, and a good reminder not to trust the defaults: always right-size policies for your environment.
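As an added illustration of the two checks named above (this is not Cloudsplaining’s code and does not use its API), the example below runs two static lints over a set of constructed sample policies: it flags Allow statements whose mutating actions carry no resource constraint (`Resource: "*"`), and it flags statements whose combined grants cover a small, illustrative subset of widely documented privilege-escalation action combinations. The policy names and the escalation list are assumptions made for the example; a real tool carries a much longer list and also reasons about conditions and Deny statements, which this example ignores.

```python
import fnmatch
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample policies (not real AWS managed policies).
SAMPLE_POLICIES: Dict[str, List[dict]] = {
    "OrdersServicePolicy": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::orders-bucket/*"},
    ],
    "TooBroadOpsPolicy": [
        {"Effect": "Allow", "Action": ["ec2:*", "s3:DeleteObject", "s3:GetObject"],
         "Resource": "*"},
    ],
    "BuildAgentPolicy": [
        {"Effect": "Allow",
         "Action": ["iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"],
         "Resource": "*"},
    ],
}

# Action-name prefixes treated as mutating. An Allow on one of these with
# Resource "*" is reported as missing a resource constraint.
WRITE_PREFIXES = ("put", "delete", "create", "update", "modify", "attach", "detach")

# Illustrative subset (assumption for this example) of action sets that are
# widely documented as letting a principal expand its own privileges.
ESCALATION_COMBOS: Dict[str, FrozenSet[str]] = {
    "iam:CreatePolicyVersion": frozenset({"iam:CreatePolicyVersion"}),
    "iam:PassRole + lambda:CreateFunction + lambda:InvokeFunction":
        frozenset({"iam:PassRole", "lambda:CreateFunction", "lambda:InvokeFunction"}),
}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def _is_mutating(action: str) -> bool:
    # "ec2:*" covers every mutating action of the service, so it counts too.
    _service, _, name = action.partition(":")
    return name == "*" or name.lower().startswith(WRITE_PREFIXES)


def _grants(granted: List[str], wanted: str) -> bool:
    # Does any granted action pattern (e.g. "iam:*") cover the wanted action?
    return any(fnmatch.fnmatchcase(wanted.lower(), g.lower()) for g in granted)


def find_missing_resource_constraints(policies: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """(policy name, action) pairs where a mutating action is allowed on Resource '*'."""
    findings = []
    for name, statements in policies.items():
        for stmt in statements:
            if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt["Resource"]):
                continue
            for action in _as_list(stmt["Action"]):
                if _is_mutating(action):
                    findings.append((name, action))
    return findings


def find_escalation_paths(policies: Dict[str, List[dict]]) -> List[Tuple[str, str]]:
    """(policy name, combo label) pairs where every action of a known combo is granted."""
    findings = []
    for name, statements in policies.items():
        granted = [a for s in statements if s["Effect"] == "Allow" for a in _as_list(s["Action"])]
        for label, needed in ESCALATION_COMBOS.items():
            if all(_grants(granted, w) for w in needed):
                findings.append((name, label))
    return findings


if __name__ == "__main__":
    for finding in find_missing_resource_constraints(SAMPLE_POLICIES):
        print("missing resource constraint:", finding)
    for finding in find_escalation_paths(SAMPLE_POLICIES):
        print("possible privilege escalation:", finding)
```

Read-only actions such as `s3:GetObject` on `Resource: "*"` are deliberately not reported by the first check, matching the page’s emphasis on mutating grants; whether broad read access is acceptable is a separate, environment-specific Why.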
IAM reading from the community...
As a security domain, IAM is as far reaching as anything else. It’s surprising that it doesn’t get the attention it deserves, which is a key reason for us starting up this community. Here’s a great article contributed by one of our members, Kevin Eberman, looking at the whole domain from the IT Manager perspective. Some great thoughts in here, and well worth stating.
AWS gets most of the attention in our world, for its reach, depth, and complexity. Lest we forget, every cloud provider has their own IAM beast to tame. This article from Guillaume Blaquiere of Accenture points out 2 use cases where the GCP model is limited. Always good to understand the tradeoffs working across providers.
IAM listening to this...
This week’s selection shouldn’t be new to anyone (I hope). 80s hip hop group Whodini had a few classic jams on this 1984 release, most notably Friends. My Halloween favorite is, of course, Freaks Come Out At Night. Throw in Five Minutes of Funk and We Are Whodini, and you got yourself a stone cold b-boy classic! I love reminders of my old DJ days, even if it makes me feel old :D