1. The principle of least privilege
Let's dive into one of the core tenets of cloud security: the principle of least privilege.
2. What is the principle of least privilege?
Let's begin with an example. Jen works in accounting and is authorized to modify balance sheet data. Joe from finance, however, does not need to edit this data. His permissions are set to only read balance sheet entries.
In short, the principle is about granting users and systems the narrowest set of privileges to complete required tasks. If a user does not need to modify data, do not grant them the modify privilege!
3. Balancing the goal
Implementing the principle of least privilege in real life is a balancing act. You want to prevent dangerous actions, unaccountable teams, and expensive resources. However, businesses also want ability to innovate, move quickly, and provide freedom for builders. Approvals for every permission may not be desirable.
4. Strategies for least privilege
There are five steps to implementing least privilege.
First, use course-grained security to grant the most common security controls at the highest level. For example, block public access to networks and storage at the Organization level.
Then, use fine-grained controls to solve specific access questions. For example, limit which group of users can login to production servers.
Next, using accounts as boundaries provides structure for security administration.
Fourth, prioritize short term credentials. AWS Security Token Service enables you to request temporary, limited-privilege credentials for users.
Finally, enforce broad invariants. Invariants are items that do not vary or change. For example, a company in Belgium with its entire business operations in Europe will not need to use servers in Latin America.
5. Account security framework
How can you implement this in AWS?
When you setup a new AWS account, you want to focus on following aspects of security. Root user is the first user which signs up for AWS account and has administrator privileges and its security is important. After that you want to grant least necessary privileges to users, groups, and computing resources. Finally, have a process for secure credentials sharing.
6. Root user security
Remember, root access is powerful. Keep it safe!
Secure your AWS root account with a strong password and multi-factor authentication. Avoid creating access keys for the root user. Use a group email and multi-person approval for added protection.
7. User and group security
To secure users, enable MFA for all IAM users. For consistency in permissions use user groups and apply the principle of least privilege. You should also rotate passwords and access keys regularly to minimize risk.
8. Resource security
Computing resources such as virtual machines execute code and need to be secured. Virtual machine permissions can be managed using IAM roles while Systems Manager can help with configuration, patch management and automation of operational tasks.
9. Credential security
Once you have developed a solid security foundation, you need to keep those credentials secure.
AWS Secrets Manager securely manages your database credentials and API keys. It automatically rotates secrets to keep them safe. You can also encrypt sensitive data easily. Plus, it integrates seamlessly with other AWS services for added convenience and security.
10. Let's practice!
Let's practice with some exercises!