Introduction
Best practices for securing an AWS environment have been well documented and are generally accepted, for example AWS’s own guidance. However, organizations may still find it challenging to know how to begin applying this guidance to their specific environments.
- Which controls should be applied out-of-the-box vs. customized?
- What pitfalls exist in implementing the various controls or checks?
- How do you prioritize remediation of the “sea of red” violations?
In this blog series, we’ll analyze anonymized data from Netskope customers covering the security settings of 650,000 entities from 1,143 AWS accounts across several hundred organizations. We’ll look at these configurations from the perspective of the best practices, see what is commonly occurring in the real world, and:
- Discuss specific risk areas that should be prioritized
- Identify underlying root causes and potential pitfalls
- Focus on practical guidance for applying the Benchmark to your specific environment
This blog post focuses on IAM security controls related to IAM Policies. Based on the Netskope dataset analyzed, we will highlight four opportunities to improve security by making simple IAM changes:
- IAM Policies are over-privileged: 4% of the policies in use have full administrative privileges, and more than 60% of these use the AWS AdministratorAccess role, which increases the potential impact of compromised credentials and the number of assets at risk.
- 1,401 (11.2%) of 12,478 IAM Users have inline policies, which leads to policy errors because inline policies are difficult to manage and maintain consistently.
- 5,886 (47%) of IAM Users have policies attached directly to the user, which are also difficult to manage and maintain.
- 769 (67.3%) of accounts do not have the AWSSupportAccess policy attached to a role or user for incident response, which could slow down the response if an incident occurs.
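As an added example (this is not code from the post or from Netskope), the following Python script evaluates the four findings above against a single snapshot of an account's IAM configuration. The snapshot layout is assumed to mirror the output of `aws iam get-account-authorization-details`; the SAMPLE data, including every user, role and policy name in it, is constructed for this example.

```python
"""Audit IAM authorization details for the four IAM Policy findings above.

SAMPLE is constructed for this example and is assumed to mirror the shape of
`aws iam get-account-authorization-details` output. Pass a real JSON dump of
that command as the first argument to audit an account instead of the sample.
"""
import json
import sys

SAMPLE = {
    "UserDetailList": [
        {
            "UserName": "alice",
            "UserPolicyList": [  # inline policies live here
                {"PolicyName": "inline-s3-read",
                 "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                     {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}]}},
            ],
            "AttachedManagedPolicies": [  # managed policies attached directly to the user
                {"PolicyName": "AdministratorAccess",
                 "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
            ],
            "GroupList": [],
        },
        {"UserName": "bob", "UserPolicyList": [], "AttachedManagedPolicies": [],
         "GroupList": ["developers"]},
    ],
    "RoleDetailList": [
        {"RoleName": "IncidentResponder",
         "AttachedManagedPolicies": [
             {"PolicyName": "AWSSupportAccess",
              "PolicyArn": "arn:aws:iam::aws:policy/AWSSupportAccess"}]},
    ],
    "Policies": [
        {"PolicyName": "AdministratorAccess", "AttachmentCount": 1,
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
        {"PolicyName": "CustomAdminUnused", "AttachmentCount": 0,
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["*"], "Resource": ["*"]}]}}]},
        {"PolicyName": "S3ReadOnly", "AttachmentCount": 3,
         "PolicyVersionList": [{"IsDefaultVersion": True, "Document": {
             "Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"],
                            "Resource": "*"}]}}]},
    ],
}


def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list; normalise."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_admin(document):
    """True if an unconditional Allow statement grants Action "*" on Resource "*" ("*:*")."""
    for stmt in _as_list(document.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # Deny or conditioned statements are not blanket admin grants
        if "*" in _as_list(stmt.get("Action")) and "*" in _as_list(stmt.get("Resource")):
            return True
    return False


def default_document(policy):
    """Only the default version of a managed policy is in effect."""
    for version in policy.get("PolicyVersionList", []):
        if version.get("IsDefaultVersion"):
            return version["Document"]
    return {}


def full_admin_policies(details, attached_only=True):
    """Finding 1: managed policies granting full admin; by default only attached ones."""
    return [p["PolicyName"] for p in details.get("Policies", [])
            if is_full_admin(default_document(p))
            and (not attached_only or p.get("AttachmentCount", 0) > 0)]


def users_with_inline_policies(details):
    """Finding 2: users carrying inline policies."""
    return [u["UserName"] for u in details.get("UserDetailList", [])
            if u.get("UserPolicyList")]


def users_with_direct_policies(details):
    """Finding 3: users with managed policies attached directly instead of via a group."""
    return [u["UserName"] for u in details.get("UserDetailList", [])
            if u.get("AttachedManagedPolicies")]


def support_access_attached(details):
    """Finding 4: AWSSupportAccess attached to at least one role, user or group."""
    principals = (details.get("RoleDetailList", []) + details.get("UserDetailList", [])
                  + details.get("GroupDetailList", []))
    return any(p.get("PolicyName") == "AWSSupportAccess"
               for principal in principals
               for p in principal.get("AttachedManagedPolicies", []))


def audit(details):
    return {
        "full_admin_policies_attached": full_admin_policies(details),
        "users_with_inline_policies": users_with_inline_policies(details),
        "users_with_directly_attached_policies": users_with_direct_policies(details),
        "support_access_attached": support_access_attached(details),
    }


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    print(json.dumps(audit(data), indent=2))
```

Run it against a saved `aws iam get-account-authorization-details` dump to get the four lists for one account; running it across all accounts and collating the output is what produces the per-account percentages discussed above. Note that `is_full_admin` deliberately skips statements carrying a Condition and ignores NotAction/NotResource forms, so it reports only unambiguous "*:*" grants; a policy that reaches full admin through those forms needs a separate check.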
IAM Policy: overall, over-privileged, all over
“Power corrupts. Absolute power is kind of neat.”
— John F. Lehman, Jr.
The following five best practices related to IAM Policy were analyzed in this dataset, which contained 35,950 IAM Policies across all accounts:
| # | Best Practice | # Violations | % |
|---|---|---|---|
| 1 | Ensure IAM policies that allow full "*:*" administrative privileges are not attached | 1,411 | 4.2 |
| 2 |