Executive Summary
NoqMeter is a new service that helps DevSecOps teams answer essential questions about their Cloud IAM configuration, such as:
- Who has excess access to AWS?
- Who has administrator-level access? Do they need it all the time?
- How much time is wasted resolving access denied errors?
- Who is performing sensitive actions from outside of my network?
If your organization could benefit from a cost/benefit analysis of your Cloud IAM configuration, contact us for insight into your IAMOps.
Least-privilege with less-effort – less than what?
Noq’s goal for IAMOps is “operating Cloud IAM at Least Privilege, with less effort” – which prompts the question: “Less than what?” Are there too many privileges? Too few? Does it slow down development?
Those are judgment calls that have to be grounded in facts: How many of a user's permissions are actually exercised? Which permissions are genuinely appropriate for an application? How quickly is an accidental DENY turned into a correct ALLOW? How much time do developers lose waiting on the approval workflows that compliance mandates require?
To demonstrate the value of our vision, Noq developed indicators about the impact of IAMOps. This research resulted in NoqMeter, a new framework for inventorying IAM, ingesting logs, and indexing signals for scoring security risks and accounting for the burdens of ad hoc administration.
Measuring what matters
In the beginning was the Wildcard: *. That star granted every permission a developer might ever need to go forth and hack. Lo, and behold: developers ascended into the very Clouds, with nary an access denied! Oh, where once divine Developers were Most-Privileged and ran at Maximum Velocity… until the shadow of Audits fell across all accounts as the darkening Lords of Least Privilege clipped their angels’ wings.
Thence came IAM, with all its toil and troubles. Where once only Owners, Administrators, and Viewers strode like giants, now there arose 13,590 permissions, each different, spawning such combinations that the universe of potential security policies exploded by 164 digits since AWS re:Invent last week!
In our fallen world, leaving latent permissions available is hardly harmless. Once credentials are compromised, there are too many direct and indirect pathways to abuse unused permissions to escalate access.
So how can the Dev, Sec, and Ops teams that share responsibility for Cloud IAM take back control? NoqMeter began as a tool to investigate the two kinds of classification error an access-control configuration can make: false positives and false negatives, or, in IAM terms, over-privilege (access granted that should have been denied) and under-privilege (access denied that should have been granted).
Over-privileged: Granted, but should have been denied
One does not simply subtract the set of permissions used from the set of permissions granted and start revoking the difference. The devil, as ever, hides in the details of that deceptively easy equation, confounding calculations of which permissions belong in which set for each account and each principal.
First, usage statistics are not unified. By default, AWS CloudTrail records only management events: actions on the “control plane” that create, delete, or reconfigure Cloud resources, which amount to roughly 10-15% of all permissions. “Data plane” activity is visible only where a service offers its own logging or where CloudTrail data events have been switched on (and paid for), such as S3 object-level access logging. IAM's service last accessed data (Access Advisor) reports when each service was last used, with action-level detail for only a subset of services, so it cannot say which individual actions a principal actually relies on. Other evidence is only circumstantial: chasing chains of sts:AssumeRole invocations or service-linked roles, or untangling services that embed their own access-control mechanisms, like SQS queue policies written through sqs:AddPermission.
Second, entitlements aren't always evident, either. A single request passes through the seven stages of AWS IAM's policy evaluation logic (explicit denies anywhere, Organizations SCPs, resource-based policies, identity-based policies, permissions boundaries, session policies, and the implicit deny that ends every chain), and any one stage can override the apparent result of another, even before digging into multiple authentication options and context-specific conditions. Not to mention dependencies on managed policies that can mutate at any time, at the behest of Amazon or other administrators.
Noq designed a data warehouse around all these contingencies to correlate all available information from an AWS environment. With better usage and entitlement data, NoqMeter can accurately assess how closely applications are approaching the lower-bounds of Least Privilege.
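To make the “granted minus used” caveats concrete, here is an added worked example (not NoqMeter's code or Noq's data model) that expands an identity policy's wildcards against a small action catalog, honours an explicit Deny, collects the actions a role actually exercised from CloudTrail-style records, and then splits the unused remainder into actions the management-event trail could have observed versus data-plane actions it cannot vouch for. The catalog, its control/data tags, the ARNs, the policy and the event records are all constructed for illustration, and the function names are hypothetical.

```python
import fnmatch

# Constructed mini catalog of IAM actions. Each is tagged by how CloudTrail
# sees it: "control" (a management event, logged by default) or "data"
# (a data event, logged only when data-event logging is enabled). The tags are
# illustrative assumptions; the real catalog has thousands of actions.
ACTION_CATALOG = {
    "s3:CreateBucket": "control", "s3:DeleteBucket": "control", "s3:PutBucketPolicy": "control",
    "s3:GetObject": "data", "s3:PutObject": "data", "s3:DeleteObject": "data",
    "ec2:DescribeInstances": "control", "ec2:DescribeVolumes": "control",
    "ec2:RunInstances": "control", "ec2:TerminateInstances": "control",
    "iam:PassRole": "control", "iam:CreateUser": "control",
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _principal(arn):
    """Role or user name from an IAM/STS ARN (assumed-role/NAME/session, role/NAME, user/NAME)."""
    return arn.split("/")[1]


def expand_policy(policy, catalog=ACTION_CATALOG):
    """Resolve an identity policy to the concrete actions it allows.

    Wildcards are expanded against the catalog; an explicit Deny removes actions
    regardless of statement order, mirroring IAM's "explicit deny wins" rule.
    Resource and Condition elements are ignored, which over-approximates the
    grant: the safe direction when hunting for over-privilege.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        matched = {a for a in catalog for p in patterns if fnmatch.fnmatchcase(a, p)}
        (allowed if stmt["Effect"] == "Allow" else denied).update(matched)
    return allowed - denied


def used_actions(events, principal_name):
    """Actions a role/user exercised, from CloudTrail-style records.

    Only successful calls count: a call that came back AccessDenied is evidence of
    a missing permission, not of one in use.
    """
    used = set()
    for ev in events:
        if _principal(ev["userIdentity"]["arn"]) != principal_name or ev.get("errorCode"):
            continue
        used.add(ev["eventSource"].split(".")[0] + ":" + ev["eventName"])
    return used


def classify_unused(granted, used, catalog=ACTION_CATALOG):
    """Split granted-but-unused into what the management-event trail can vouch for."""
    unused = granted - used
    return {
        "observed_unused": {a for a in unused if catalog[a] == "control"},
        "unobservable": {a for a in unused if catalog[a] == "data"},
    }


# Constructed sample policy and CloudTrail-style records (not real data).
DEV_ROLE = "dev-app"
DEV_ARN = "arn:aws:sts::123456789012:assumed-role/dev-app/i-0abc"
OTHER_ARN = "arn:aws:sts::123456789012:assumed-role/other/sess"
DEV_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "iam:PassRole"]},
        {"Effect": "Deny", "Action": "s3:DeleteBucket"},
    ],
}
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "userIdentity": {"arn": DEV_ARN}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"arn": DEV_ARN}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"arn": DEV_ARN},
     "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"arn": OTHER_ARN}},
]


def over_privilege_report(policy=DEV_POLICY, events=SAMPLE_EVENTS, principal=DEV_ROLE):
    granted = expand_policy(policy)
    used = used_actions(events, principal)
    result = classify_unused(granted, used)
    result.update(granted=granted, used=used)
    return result


if __name__ == "__main__":
    r = over_privilege_report()
    for k in ("granted", "used", "observed_unused", "unobservable"):
        print(f"{k:16s} {sorted(r[k])}")
```

The “unobservable” bucket is the point: with only management events, the three S3 object actions look just as unused as iam:PassRole, yet revoking them on that evidence is exactly how the customer upload in the next section gets broken. Only the “observed_unused” set is a defensible revocation candidate until data-event logging or service-side access logs are added to the warehouse.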
Under-privileged: Denied, but should have been granted
When an attacker probes for weaknesses, an Access Denied error is exactly what’s expected. When a user accidentally attempts to cross a guardrail intended to isolate sensitive systems, that’s also a true negative. However, when debugging Devs start sending Slack messages to on-call Ops and seek Sec approvals to change roles, policies, users, groups, resources, tags, or other configurations until what was prohibited is now permitted… well, that’s a sure sign of a false negative.
Under-privilege incidents are how NoqMeter defines “effort”: the time it takes to restore service after an IAM “outage.” NoqMeter applies automated reasoning to the data warehouse to reconstruct the sequence of IAM edits (policy, role, group, user, and trust changes) that followed a failed request, and estimates the elapsed time from the first Access Denied error to the final fix. That quantifies how much drag on developer velocity comes from operating too close to the limits of Least Privilege.
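The reconstruction described above, as an added example that is not NoqMeter's implementation: it walks CloudTrail-style records in time order, opens an incident at the first AccessDenied for a (role, action) pair, attaches any subsequent IAM edit that targets that role, and closes the incident only when the same role later succeeds at the same action, which is the signature of a false negative. Denials never followed by a success (an attacker's probe, a guardrail doing its job) stay unresolved and contribute no effort. The list of “fix” event names, the role-name heuristic, the ARNs and the event records are all constructed assumptions for the example; a real pipeline would also have to follow group, SCP, boundary and resource-policy edits.

```python
from datetime import datetime, timezone

# IAM mutations that can turn a Deny into an Allow for a role. Constructed,
# non-exhaustive list; real reconstruction also has to follow user, group,
# SCP, permissions-boundary and resource-policy edits.
ROLE_FIX_EVENTS = {"AttachRolePolicy", "PutRolePolicy", "DetachRolePolicy",
                   "DeleteRolePolicy", "UpdateAssumeRolePolicy"}


def _ts(s):
    """Parse a CloudTrail eventTime such as '2023-12-04T10:00:00Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _principal(arn):
    """Role or user name from an IAM/STS ARN (assumed-role/NAME/session, role/NAME, user/NAME)."""
    return arn.split("/")[1]


def find_iam_outages(events):
    """Pair AccessDenied errors with the IAM edits and the retry that resolved them.

    Returns (resolved, unresolved). A resolved incident is: a principal was
    denied an action, at least one fix event then targeted that principal's
    role, and the same principal later succeeded at the same action. Denials
    never followed by a success (probes, guardrails) stay unresolved.
    """
    resolved, open_incidents = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        actor = _principal(ev["userIdentity"]["arn"])
        action = ev["eventSource"].split(".")[0] + ":" + ev["eventName"]
        key = (actor, action)
        if ev.get("errorCode") == "AccessDenied":
            open_incidents.setdefault(key, {"role": actor, "action": action,
                                            "first_denied": ev["eventTime"], "fixes": []})
        elif ev["eventName"] in ROLE_FIX_EVENTS:
            target = ev["requestParameters"]["roleName"]
            for inc in open_incidents.values():
                if inc["role"] == target:
                    inc["fixes"].append((ev["eventTime"], ev["eventName"], actor))
        elif key in open_incidents:
            inc = open_incidents.pop(key)
            if inc["fixes"]:  # denied -> edited -> allowed: a false negative
                inc["restored"] = inc["fixes"][-1][0]
                inc["effort_seconds"] = (_ts(inc["restored"]) - _ts(inc["first_denied"])).total_seconds()
                resolved.append(inc)
            # else: the call started working with no visible IAM edit (resource
            # policy, condition key, or a log gap); not attributed as effort.
    return resolved, list(open_incidents.values())


def mean_time_to_restore(resolved):
    """Average seconds from first denial to last fix across resolved incidents."""
    return sum(i["effort_seconds"] for i in resolved) / len(resolved) if resolved else 0.0


# Constructed CloudTrail-style records (not real data), deliberately out of order.
ACCT = "123456789012"
DEV = f"arn:aws:sts::{ACCT}:assumed-role/dev-app/i-0abc"
OPS = f"arn:aws:iam::{ACCT}:user/ops-admin"
SCAN = f"arn:aws:sts::{ACCT}:assumed-role/scanner/run-7"
SAMPLE_TRAIL = [
    {"eventTime": "2023-12-04T10:42:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": DEV}},
    {"eventTime": "2023-12-04T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": DEV}, "errorCode": "AccessDenied"},
    {"eventTime": "2023-12-04T10:03:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy",
     "userIdentity": {"arn": DEV}, "errorCode": "AccessDenied"},
    {"eventTime": "2023-12-04T10:40:00Z", "eventSource": "iam.amazonaws.com", "eventName": "PutRolePolicy",
     "userIdentity": {"arn": OPS}, "requestParameters": {"roleName": "dev-app", "policyName": "s3-bucket-policy"}},
    {"eventTime": "2023-12-04T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"arn": SCAN}, "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    done, pending = find_iam_outages(SAMPLE_TRAIL)
    for inc in done:
        print(f"{inc['role']} {inc['action']}: {inc['effort_seconds']:.0f}s, fixes={inc['fixes']}")
    print("unresolved:", [(i["role"], i["action"]) for i in pending])
    print("MTTR:", mean_time_to_restore(done))
```

In the sample trail the developer role is denied s3:PutBucketPolicy at 10:00, retries at 10:03, ops-admin writes an inline policy onto the role at 10:40, and the retry succeeds at 10:42, so the incident costs 40 minutes of effort measured to the fix rather than to the retry. The scanner role's denied iam:CreateUser is never fixed and stays in the unresolved list, which is where an IAM team should be looking for probes rather than for productivity loss.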
Managing with metrics
In the Wild-card West, a new Sheriff in town might lay down the law by yanking all that excess access. That’s also a mistake, since code keeps changing, developers keep developing, and APIs keep adding actions. Petitioning Security every time a process hangs on a prohibited permission gets old, fast. How can NoqMeter tame the frontier of trade-offs between stricter security and speedier software engineering? By making it easier to borrow what was taken away.
For example, finding inactive access keys floating around frustrates security staff… but not as much as being blamed for blocking a customer from uploading their annual renewal because their “unused” credentials got canceled. Instead of passive reports and notices, NoqMeter recommendations are easier to take action on because they plug into the Noq Platform as self-service IAMOps workflows.
Even if best practices have to be bent to let developers mint new keys in the future, they will at least be documented, justified, auditable, restricted to a user, and expire automatically. Similarly, taking away unused FullAdmin rights from Finance forever seems easier to swallow if anyone on that team can borrow BillingReviewer with a click, just-in time, when they need it once a quarter, and for only four hours at a time.
Insights that inspire innovation
Report cards crammed with criticism can’t change culture — not nearly as effectively as empowering individuals with information they can act on. Almost all the teams we talk to recognize how far they are from operating at Least Privilege, despite their best efforts. At the same time, few had facts and figures at their fingertips to set measurable goals. A data-driven research program with Noq’s design partners led to the development of NoqMeter, a new analytical framework and measurement tool for scoring the security risks of AWS Cloud IAM usage. DevSecOps teams can increase their productivity by using NoqMeter findings to eliminate excess privileges and, in their place, automate IAMOps for just-in-time temporary access on the Noq Platform.
If your organization would be interested in a custom and confidential NoqMeter assessment, please contact us for a demo and a sample report. The year-end lull in production changes can be a great time to set up New Year’s Resolutions for a successful AWS IAM permission diet!