AWS is Under Threat from Unused Privileges

09/05/2022 • Gabriel Avner

Amazon Web Services (AWS) provides the backbone infrastructure for many organizations, making it a vital resource that needs to be protected. Sprawling across a wide range of apps and services, AWS is home to large swathes of an organization’s data and operations.

One of the primary concerns among organizations is that an attacker can breach their AWS environment, gaining access to production environments or other crown jewel sensitive areas.

If the attacker can make malicious changes to the code in production, then they can impact not only that victim, but potentially every downstream customer that consumes the software.

While the compromise of any account with access to AWS is dangerous, privileged accounts such as admins need additional protection, because their higher and wider access privileges can cause far more harm than a lesser-privileged account.

Active admins

Admin privileges, like all access privileges, should be provisioned on a “must-have to do your job” basis in accordance with the Principle of Least Privilege.

Organizations are Challenged by Privilege Creep

Unfortunately, in most organizations, admin privileges are provisioned far more widely than are actually needed. Often, these privileges are provisioned and then not used. In many cases, they are used once and then the users will hold on to them, claiming that they need them for future use.

The result is a widely exposed attack surface that gives attackers more opportunities to compromise a privileged account, while the unused privileges provide little value to the organization. An attacker who gains control of an admin account widens their blast radius accordingly.

The challenge organizations face is that they lack visibility into access privilege usage: they cannot tell which privileges are in use and which can be revoked.

Authomize Detects and Understands Access Privileges to Achieve Least Privilege

Authomize integrates with organizations’ AWS to detect and understand who has access to what and how those access privileges are being used. 

By tracking access activity, Authomize understands which privileges are active and can recommend which ones can be revoked to achieve Least Privilege.   

Authomize’s Research: AWS Admin Privileges are Mostly Inactive, Widening the Attack Surface

In hopes of gaining a fuller picture of the challenge, Authomize’s research team examined AWS admin usage from a number of our customers.

The data shows a few organizations with a high proportion of active admins. In the first line there were 107 admins out of a total of 109 AWS users. That is a high ratio of admins to users, but 96 of them are active, so most of these privileges are probably justifiable.

But not every organization holds itself to these standards.

Take for instance the last line, an organization with 152 AWS users. Of that number, 151 are admins, but only 26 are active: about 17%. Whoever provisioned admin privileges here gave nearly everyone admin rights without confirming that they truly needed them. Put the other way round, 83% of these admin privileges could be revoked, reducing the organization’s exposure.

Similar examples can be found here throughout the data.
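The active-versus-provisioned admin count above can be reproduced from data AWS already exposes. The script below is an added example (not Authomize’s code): it reads an IAM credential report, decides which users are admins from their attached, inline and group policies in the shape GetAccountAuthorizationDetails returns, and splits the admins by whether they have used a console password or access key inside a 90-day window. Account id, user names, policies and dates are all constructed samples so it runs offline; the real data would come from iam.get_credential_report and iam.get_account_authorization_details.

```python
"""Find IAM users that hold admin-level permissions but show no recent activity.

Added example, not Authomize's code. Inputs are constructed samples in the
shapes the IAM API returns: the credential report CSV (GetCredentialReport)
and user/group entries from GetAccountAuthorizationDetails.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

ADMIN_MANAGED_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
NOW = datetime(2022, 9, 5, tzinfo=timezone.utc)   # assumed "today" for the sample

# Constructed credential report. Column order matches the real report; dates are
# ISO 8601, and N/A, no_information or not_supported mean "never" or "unknown".
CREDENTIAL_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2022-08-30T14:12:33+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2020-03-02T10:00:00+00:00,true,2022-09-01T08:15:00+00:00,2022-06-01T10:00:00+00:00,2022-09-01T10:00:00+00:00,true,true,2022-06-01T10:00:00+00:00,2022-09-02T11:00:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-03-02T10:00:00+00:00,true,2021-11-15T17:40:00+00:00,2021-11-15T10:00:00+00:00,2022-02-15T10:00:00+00:00,false,true,2021-11-15T10:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2021-07-20T10:00:00+00:00,false,no_information,N/A,N/A,false,true,2021-07-20T10:00:00+00:00,2022-08-28T09:30:00+00:00,eu-west-1,ec2,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2021-07-20T10:00:00+00:00,false,no_information,N/A,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Constructed GetAccountAuthorizationDetails entries, keyed by name for lookup
# (the real API returns UserDetailList / GroupDetailList as lists).
USER_DETAILS = {
    "alice": {"AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_MANAGED_POLICY}],
              "GroupList": [], "UserPolicyList": []},
    "bob":   {"AttachedManagedPolicies": [], "GroupList": ["admins"], "UserPolicyList": []},
    "carol": {"AttachedManagedPolicies": [], "GroupList": [], "UserPolicyList": [
              {"PolicyName": "s3-only", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]},
    "dave":  {"AttachedManagedPolicies": [], "GroupList": [], "UserPolicyList": [
              {"PolicyName": "everything", "PolicyDocument": {"Version": "2012-10-17", "Statement": [
                  {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]},
}
GROUP_DETAILS = {
    "admins": {"AttachedManagedPolicies": [{"PolicyName": "AdministratorAccess", "PolicyArn": ADMIN_MANAGED_POLICY}],
               "GroupPolicyList": []},
}


def policy_grants_full_admin(doc):
    """True if an Allow statement covers Action "*" on Resource "*".
    Ignores Deny statements, Conditions and permission boundaries, which can
    narrow this; treat the result as a candidate list, not a verdict."""
    statements = doc.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        actions, resources = st.get("Action", []), st.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in actions and "*" in resources:
            return True
    return False


def is_admin(user_detail, group_details):
    """Admin if AdministratorAccess is attached directly or via a group, or if
    any inline user/group policy is a full-admin policy."""
    groups = [group_details.get(g, {}) for g in user_detail.get("GroupList", [])]
    attached = [p["PolicyArn"] for p in user_detail.get("AttachedManagedPolicies", [])]
    inline = [p["PolicyDocument"] for p in user_detail.get("UserPolicyList", [])]
    for g in groups:
        attached += [p["PolicyArn"] for p in g.get("AttachedManagedPolicies", [])]
        inline += [p["PolicyDocument"] for p in g.get("GroupPolicyList", [])]
    return ADMIN_MANAGED_POLICY in attached or any(policy_grants_full_admin(d) for d in inline)


def parse_ts(value):
    """Credential report timestamps are ISO 8601; the placeholders mean never/unknown."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent of console password use and either access key's last use."""
    stamps = [parse_ts(row[c]) for c in
              ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")]
    stamps = [s for s in stamps if s is not None]
    return max(stamps) if stamps else None


def inactive_admins(report_csv, user_details, group_details, now, window_days=90):
    """Return (admins, active_admins, inactive_admins) as lists of user names."""
    cutoff = now - timedelta(days=window_days)
    admins, active, inactive = [], [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        name = row["user"]
        if name == "<root_account>":
            continue  # root is always all-powerful; review it separately, never as a routine admin
        detail = user_details.get(name)
        if detail is None or not is_admin(detail, group_details):
            continue
        admins.append(name)
        last = last_activity(row)
        (active if last is not None and last >= cutoff else inactive).append(name)
    return admins, active, inactive


if __name__ == "__main__":
    admins, active, inactive = inactive_admins(CREDENTIAL_REPORT, USER_DETAILS, GROUP_DETAILS, NOW)
    print(f"admins: {len(admins)}, active: {len(active)} ({len(active) / len(admins):.0%}), "
          f"revocation candidates: {inactive}")
```

Two caveats apply when running this against a real account. The credential report only covers IAM users (console password and access keys); people who come in through federation or roles never appear in it, so their activity has to be read from the roles they assume instead. And a quiet 90 days is grounds for a review, not proof the privilege is unneeded: a break-glass admin account is supposed to sit idle.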

Role Usage as a Threat for Exposure

In AWS, best practice is to attach permissions to IAM roles (or, for IAM users, to groups) rather than directly to individual users. Users and federated identities then obtain those permissions by assuming the roles they are permitted to assume, so a permission set lives in one place where it can be reviewed and revoked.

If followed, this practice removes a lot of risk. However, the Principle of Least Privilege still applies: only those who need the privileges a role grants should be allowed to assume it, and each role’s trust policy is where that is enforced.

Again, we look at our data to see how organizations are managing their privileges.

How organizations are managing their privileges

And there is room for improvement.

In our top line we see our most active organization with a usage rate of ~37% — the leader by a mile.

All of these organizations would be well served to clean up their roles so that what is provisioned more closely matches what is actually used.
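A role usage rate like the ~37% above comes from the RoleLastUsed attribute IAM keeps per role, and the question of who may assume a role is answered by its trust policy. The script below is an added example (not Authomize’s code) that does both over a constructed set of roles in the shape boto3’s iam.get_role()["Role"] returns: it computes the share of roles used inside a 90-day window, lists the unused ones as removal candidates, and flags trust policies that reach beyond the account’s own principals. The account id, role names, trust policies and dates are assumptions for the sample; note that ListRoles does not populate RoleLastUsed, so a real run calls get_role for each role.

```python
"""Measure IAM role usage and list who is trusted to assume each role.

Added example, not Authomize's code. Input is a list of roles in the shape of
boto3 iam.get_role()["Role"] (ListRoles omits RoleLastUsed, so a real run
calls get_role per role). The roles below are constructed samples.
"""
from datetime import datetime, timedelta, timezone

OWN_ACCOUNT = "111122223333"                      # constructed account id
NOW = datetime(2022, 9, 5, tzinfo=timezone.utc)   # assumed "today" for the sample


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _trust(principal, condition=None, action="sts:AssumeRole"):
    """Build a minimal AssumeRolePolicyDocument for the constructed samples."""
    st = {"Effect": "Allow", "Principal": principal, "Action": action}
    if condition:
        st["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [st]}


def _role(name, trust, last_used=None):
    """Shape of get_role()["Role"]; RoleLastUsed is {} when no use was recorded."""
    role = {"RoleName": name, "Arn": f"arn:aws:iam::{OWN_ACCOUNT}:role/{name}",
            "AssumeRolePolicyDocument": trust, "RoleLastUsed": {}}
    if last_used is not None:
        role["RoleLastUsed"] = {"LastUsedDate": last_used, "Region": "us-east-1"}
    return role


def _d(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


ROLES = [  # constructed sample: 3 of 8 roles used in the last 90 days
    _role("DeployRole",   _trust({"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}), _d(2022, 9, 1)),
    _role("AuditRole",    _trust({"AWS": "arn:aws:iam::999988887777:root"}), _d(2022, 8, 20)),
    _role("LambdaExec",   _trust({"Service": "lambda.amazonaws.com"}), _d(2022, 9, 3)),
    _role("OldMigration", _trust({"AWS": f"arn:aws:iam::{OWN_ACCOUNT}:root"}), _d(2021, 5, 1)),
    _role("VendorAccess", _trust("*", {"StringEquals": {"sts:ExternalId": "example-id"}})),
    _role("DataScience",  _trust({"AWS": [f"arn:aws:iam::{OWN_ACCOUNT}:user/carol"]})),
    _role("BackupRole",   _trust({"Service": "backup.amazonaws.com"}), _d(2022, 3, 1)),
    _role("SAMLAdmin",    _trust({"Federated": f"arn:aws:iam::{OWN_ACCOUNT}:saml-provider/corp-idp"},
                                 action="sts:AssumeRoleWithSAML")),
]


def trusted_principals(trust_doc):
    """Flatten the Principal of every Allow statement into (principal, has_condition)
    pairs. AWS principals are kept as-is; Service and Federated get a kind prefix."""
    out = []
    for st in _as_list(trust_doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        has_cond = "Condition" in st
        principal = st.get("Principal", {})
        if principal == "*":
            out.append(("*", has_cond))
            continue
        for kind, value in principal.items():
            for v in _as_list(value):
                out.append((v if kind == "AWS" else f"{kind}:{v}", has_cond))
    return out


def trust_findings(role, own_account):
    """Flag trust policies that extend beyond the account's own principals."""
    findings = []
    for p, has_cond in trusted_principals(role["AssumeRolePolicyDocument"]):
        if p == "*":
            findings.append("any principal" + (" (restricted only by a Condition)" if has_cond else " (unconditional)"))
        elif p.startswith("arn:aws:iam::") and not p.startswith(f"arn:aws:iam::{own_account}:"):
            findings.append(f"external account principal {p}")
    return findings


def role_usage(roles, now, window_days=90):
    """Split roles by RoleLastUsed.LastUsedDate inside the window. IAM tracks
    last use for about the past 400 days; an empty RoleLastUsed means none seen."""
    cutoff = now - timedelta(days=window_days)
    used, unused = [], []
    for r in roles:
        last = r.get("RoleLastUsed", {}).get("LastUsedDate")
        (used if last is not None and last >= cutoff else unused).append(r["RoleName"])
    return used, unused


def usage_rate(roles, now, window_days=90):
    used, _ = role_usage(roles, now, window_days)
    return len(used) / len(roles) if roles else 0.0


def report(roles, own_account, now, window_days=90):
    used, _ = role_usage(roles, now, window_days)
    return {r["RoleName"]: {"used": r["RoleName"] in used,
                            "findings": trust_findings(r, own_account)} for r in roles}


if __name__ == "__main__":
    print(f"role usage rate: {usage_rate(ROLES, NOW):.0%}")
    for name, info in report(ROLES, OWN_ACCOUNT, NOW).items():
        flag = "" if info["used"] else "  <- unused, removal candidate"
        print(f"{name}: used={info['used']} findings={info['findings']}{flag}")
```

An unused role that also trusts another account or any principal is the first thing to remove: it contributes nothing to the team and is reachable from outside the account boundary. As with admin users, "unused" is the start of a review rather than a verdict, and the Condition on a wildcard trust (an ExternalId, a source ARN) should be read before deciding the finding is real.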

Achieving Visibility, Reducing Privileges, and Reducing Risk

Authomize’s visibility over AWS identities (federated and unfederated), assets, access privileges, and of course access privilege usage allows us to know who has access to what, what kind of access they have, and how that access is being used. 

Our visibility extends beyond AWS, incorporating a wide range of IaaS and SaaS applications and services including GitHub, Salesforce, O365, Google, and more.

All of this mapping and understanding provides our customers with context for making smarter, data-driven decisions that make them more secure.

For more information on Authomize’s research and our approach to tackling the challenges of access privileges in cloud environments, please contact us.
