Three Trends with AWS IAM
There have been a dozen IAM-related announcements in the AWS What’s New Feed over the same number of months. As I read through the list, three trends emerge that provide insight into AWS’ focus in the IAM world: (1) simplifying access management, (2) expanding the capabilites of AWS Organizations and (3) automating policy generation. In this article I discuss the last year of AWS IAM feature announcements and how they related to these trends.
Better Security Through Simplification
S3 breaches are all too common and root cause analysis leads many to blame the sheer complexity of S3 permissions. Many readers had not yet started their tech career when S3 - AWS’ first offering - was launched in March of 2006. George Bush was president, Gold Digger was on it’s 30th week on the Billboard Hot 100 and bucket policies were still four years from GA. IAM itself wasn’t released until five years after AWS’ birthday. In the early days, the primary way to manage S3 access was via access control lists (ACLs). But today, after bucket policies and IAM have been layered on, ACLs are considered a legacy feature and usually just add confusion.
Fast forward to November 2021 when a new Ownership setting that removes ACLs is introduced allowing S3 administrators to essentially “turn off” ACLs and manage S3 access using only polices. Technically this feature is simplifying S3 access management and not IAM itself but it represents an important trend of improving security by making things simpler.
Another enhancement from November 2021 is the ability to create a default IAM role straight from a Redshift cluster which provides convenience and secure defaults when setting up Redshift. And in March of this year, AWS announced IAM support for the recent WebAuthn standard which will help add extra security and convenience for end users with FIDO2 compatible browsers.
Expanding AWS Organizations
AWS Organizations were made generally available in 2017 and, in the following few years, became the foundation for security-related best practices recommended by AWS. The launch of AWS Organizations precipitated updates and extensions to the AWS Well-Architected Framework along with several blog posts (including this three part series) helping customers leverage Organizations to manage security and governance. Organizations are so important to AWS’ security strategy that at the security keynote for re:Inforce 2020, the #1 recommendation for customers to secure their environment was to use AWS Organizations.
In 2018 AWS announced support for the
AWS:PrincipalOrgID condition key which allows you to use the Organization Id of the AWS principal when defining IAM policies. In March of this year AWS built on this feature by announcing that the
aws:PrincipalOrgID condition key can be used in Lambda function resource-based policies.
But the big announcement related to Organizations this past year came in April 2022 with the introduction three new Organization-based condition keys:
aws:ResourceAccount. This announcement was significant enough to come with its own round of updated best practices, blog posts, videos, updated documentation and tweets:
Three of the twelve IAM-related announcements over the past year were for features that enhance Access Analyzer’s ability to generate policies derived from CloudTrail logs. These new capabilities represent an important trend from AWS which I’ve also noticed in the open source and startup communities: using access logs to inform least privilege policies. Access Analyzer’s capability to generate policies was announced in April of 2021 and, as is the pattern with many new AWS features, the first version was limited but enhancements quickly followed. A few months after launch, the number of supported services was increased and another few months after that, the number of policies that could be generated per day was increased to 50.
Generating least privilege policies in an automated, data-driven way is important in Zero Trust environments where principals are granted the minimum permissions required to perform the task at hand. These enhancements are particularly useful for larger engineering teams adopting Zero Trust principles.
The third Access Analyzer announcement came in August of 2021 when the ability to generate policies based on activity across an Organization was added. This release offers evidence for two of our three trends: policy generation and expanding Organizations.
There is a difficult dance between adding capabilities to IAM and making existing capabilities easier to manage. Least privilege requires you to get specific about which principals, actions and resources are (and are not) allowed. This can quickly become complex.
Consider that both are common causes of breaches: over provisioned credentials and misconfiguration due to human error. If your approach is too simple, course-grained privileges can expand blast radii. Too complex, and you increase the chance of vulnerabilities due to oversight. With this lens, you may view Organization-based condition keys as adding complexity to IAM policies. However, as the use cases enabled by Organization-based condition keys become apparent, you may notice they lend themselves to simplicity by providing a boundary that is easier to reason about. When AWS Organizations were introduced, they provided a way to organize AWS Accounts along security domains. In a similar way, the 2022 enhancements to AWS Organizations provide a powerful way to define a security perimeter using policies.
Automated policy generation is another tool to help simplify access management by using ground truth data to define permissions. It helps take the guesswork out of designing least privilege policies which makes policy design easier and more accurate. In different ways, all three of these trends lead to a simpler experience for administrators which ultimately helps AWS customers be more secure.
Access Management with Sym
Access decisions are necessarily more frequent when trying to maintain least privilege. Sym provides the ability to automate access change management with code. Engineers can assemble highly-secure access workflows using building blocks provided by our Python SDK including: Slack-based approval prompts, access expiration, on call status, Okta group membership status, GitHub repo collaborator status and much more.
It’s quick, easy and free to try us out.