Amazon Web Services (AWS) provides the backbone infrastructure for many organizations, making it a vital resource that needs to be protected. Sprawling across a wide range of apps and services, AWS is home to large swathes of an organization’s data and operations.
One of the primary concerns among organizations is that an attacker can breach their AWS environment, gaining access to production environments or other crown-jewel areas.
If the attacker can make malicious changes to the code in production, then they can impact not only that victim, but potentially any downstream clients that use the software.
While the compromise of any account with access to AWS is dangerous, privileged accounts and roles such as admins need additional protection because their higher and/or wider access privileges let them cause more harm than a less privileged account.
Organizations are Challenged by Privilege Creep
Unfortunately, in most organizations, admin privileges and access to privileged roles are provisioned far more widely than are actually needed. Often, these privileges are provisioned and then not used or maybe used just once for a specific purpose. In many cases, they are used once and then the users will hold on to them, claiming that they need them for future use.
This leads to privilege creep throughout the organization, leaving many access privileges active but unused and exposed to potential abuse. We can clearly see this risk in the numbers from our own research.
We have found that the average organization with 1-10k employees uses less than 10% of their privileged access.
According to our findings, the percentage of active access falls between 0.13% and 9.44%, highlighting the fact that organizations have a massive attack surface that is excessive beyond any operational requirement and exposes them to unnecessary risk. These findings show the critical need for organizations to gain real visibility over their privileged access and take action to right-size their access privileges to prevent breaches.
The result is a widely exposed attack surface that offers attackers more opportunities to compromise a privileged account while providing little value to the organization in terms of effectiveness for their team. An attacker that gains control of an admin account can widen their blast radius, potentially causing harm to the organization.
Authomize’s Research: AWS Admin Privileges are Mostly Inactive, Widening the Attack Surface
In hopes of gaining a fuller picture of the challenge, Authomize’s research team examined AWS admin usage from a number of our customers.
Admin privileges, like all access privileges, should be provisioned on a “must-have to do your job” basis in accordance with the Principle of Least Privilege.
The challenge organizations face is that they lack visibility over access privilege usage, so they cannot tell which privileges are in use and which ones they can revoke.
Authomize Detects and Understands Access Privileges to Achieve Least Privilege
Authomize integrates with organizations’ AWS to detect and understand who has access to what and how those access privileges are being used.
By tracking access activity, Authomize understands which privileges are active and can recommend which ones can be revoked to achieve Least Privilege.
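The measurement described above (compare who holds admin privileges against whose credentials have actually been used) can be reproduced from data AWS already exposes. The following is an added example written for this page, not Authomize's code or tooling: it parses a constructed excerpt of an IAM credential report (the column names are the real ones; the users, dates and the `ADMIN_USERS` set are made up), treats any admin whose password and access keys were all unused for longer than a 90-day window as inactive, and reports the share of active admin access. The 90-day window, the `AS_OF` reference date and the way admin membership is supplied are all assumptions of the example.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed excerpt of an AWS IAM credential report. The header uses the
# report's real column names (a subset); every row value is made up.
CREDENTIAL_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
alice,arn:aws:iam::111122223333:user/alice,2022-01-10T09:00:00+00:00,true,2024-03-01T08:15:00+00:00,true,2024-02-28T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2021-06-05T09:00:00+00:00,true,no_information,false,N/A,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-02-20T09:00:00+00:00,false,not_supported,true,2023-05-01T10:30:00+00:00,false,N/A
dave,arn:aws:iam::111122223333:user/dave,2023-09-12T09:00:00+00:00,true,2024-02-25T16:45:00+00:00,true,N/A,true,2024-03-02T07:00:00+00:00
erin,arn:aws:iam::111122223333:user/erin,2020-11-30T09:00:00+00:00,false,not_supported,true,N/A,false,N/A
"""

# Constructed (hypothetical) set of users whose policies grant admin-level
# access. In practice this comes from enumerating attached and inline
# policies; it is hard-coded here so the example runs offline.
ADMIN_USERS = {"alice", "bob", "carol", "erin"}

# Constructed reference date ("now") so the result is reproducible.
AS_OF = datetime(2024, 3, 5, tzinfo=timezone.utc)

# Placeholder values AWS writes into date columns when there is no usage data.
NO_DATE = {"N/A", "no_information", "not_supported", ""}


def parse_ts(value):
    """Turn a credential-report timestamp into an aware datetime, or None."""
    if value in NO_DATE:
        return None
    return datetime.fromisoformat(value)


def last_activity(row):
    """Most recent sign-in or access-key use recorded for one report row."""
    candidates = [
        parse_ts(row["password_last_used"]),
        parse_ts(row["access_key_1_last_used_date"]),
        parse_ts(row["access_key_2_last_used_date"]),
    ]
    dates = [d for d in candidates if d is not None]
    return max(dates) if dates else None


def classify_admins(report_csv, admin_users, now, inactive_after_days=90):
    """Split admin users into active and inactive by their last recorded use.

    A user counts as active only if some credential was used within the
    window; users with no usage data at all are treated as inactive.
    """
    cutoff = now - timedelta(days=inactive_after_days)
    active, inactive = [], []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] not in admin_users:
            continue  # only privileged principals are of interest here
        last = last_activity(row)
        if last is not None and last >= cutoff:
            active.append(row["user"])
        else:
            inactive.append(row["user"])
    total = len(active) + len(inactive)
    active_pct = round(100.0 * len(active) / total, 2) if total else 0.0
    return {
        "active": sorted(active),
        "inactive": sorted(inactive),
        "active_pct": active_pct,
    }


if __name__ == "__main__":
    summary = classify_admins(CREDENTIAL_REPORT, ADMIN_USERS, AS_OF)
    print(f"active admins:   {summary['active']}")
    print(f"inactive admins: {summary['inactive']}")
    print(f"active share:    {summary['active_pct']}%")
```

On the constructed data only alice has used a credential inside the window, so one of four admins is active (25%); bob and erin have never used anything and carol's last key use is months old, which is the right-sizing candidate list the text refers to. Two caveats when running this against a real account: the credential report covers IAM users only, so roles (including federated access) need their own last-used data, which IAM reports separately per role; and "unused" here means unused by any credential in the window, not unused per permission, so it is a coarse first cut rather than per-action least privilege.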
Achieving Visibility, Reducing Privileges, and Reducing Risk
Authomize’s visibility over AWS identities (federated and unfederated), assets, access privileges, and of course access privilege usage allows us to know who has access to what, what kind of access they have, and how that access is being used.
Our visibility extends beyond AWS, incorporating a wide range of IaaS and SaaS applications and services including GitHub, Salesforce, O365, Google, and more.
All of this mapping and understanding provides our customers with context for making smarter, data-driven decisions that make them more secure.
For more information on Authomize’s research and our approach to tackling the challenges of access privileges in cloud environments, please contact us.