
The Science of Setting Up Security Boundaries

  • Abhiram Shindikar
  • Wednesday, Nov 13, 2024

Setting permissions boundaries is one of the critical components of cloud security. A permissions boundary defines the maximum permissions an identity can ever exercise within a cloud environment, whatever its own identity-based policies grant; this limits the blast radius of an over-privileged principal, helps prevent unauthorized access and reduces the risk of data breaches. In AWS a permissions boundary is a managed policy attached to an individual IAM user or role (it cannot be attached to a group); the equivalent ceiling at the account or organizational-unit level is a service control policy.

In today’s blog, let us dive deeper into the process of setting AWS permissions in a large cloud environment and building strong security foundations.

What is a Security Boundary?

A security boundary is the perimeter or barrier that separates a trusted network or system from an untrusted environment. The term “perimeter” is often used interchangeably with “boundary”.

In the context of cloud computing, the security boundary can be both physical and logical. Physical boundaries are the data-centre access controls the provider operates on your behalf; logical boundaries, which are the ones you configure, encompass network firewalls and segmentation, security policies, access controls, and encryption mechanisms.

In a cloud environment, the security boundary defines the maximum permissions a user or resource can exercise. It is a logical separation that can be drawn at the network level or at the IAM level.

  • Network boundaries: These define the network segments or zones within a cloud environment.
  • IAM boundaries: These restrict the permissions granted to users or groups within the cloud environment.

Figure: Permissions boundary in a nutshell (credit: Kushagra Sharma)

Differentiating security boundaries and security baselines

People often confuse security boundaries with security baselines. When we asked Kushagra Sharma (on our Scale To Zero podcast) to shed some light on the minute differences between the two, he made them easy to consume. Below are the key differences.

  • Scope: Boundaries focus on the maximum limits, while baselines establish the minimum requirements.
  • Relationship: Baselines are generally broader in scope, encompassing various security controls, while boundaries are often more specific to particular aspects of the environment (e.g., network, IAM).
  • Intersection: Security boundaries can be considered a subset of security baselines, as they contribute to establishing the overall security posture.

Setting up the basics - Challenges with IAM management

All of us have heard a security leader say at least once in a meeting, “When it comes to the security of large cloud environments, the game often boils down to identities.” The age-old debate between IAM and cloud security never ends. In large cloud environments, IAM management comes with a few recurring challenges:

  • Myriad compliance requirements: adhering to numerous compliance standards and regulations, each with its own reading of least privilege, is complex.
  • Evaluating effective permissions is hard for cloud developers: an identity’s effective permissions are what its identity policy, its permissions boundary, the SCPs above its account and any resource policies jointly allow, and developers, who are not security practitioners, rarely reason about all of those layers at once.
  • Difficulty keeping up with new cloud services: AWS, Azure and GCP continuously release services and new IAM actions, so a boundary written last year may not cover what developers use today.
  • Security teams end up operationalizing: they are bogged down in day-to-day tasks, which limits their ability to focus on strategic initiatives.
  • You often hear “security creates friction”: security measures hinder business agility and innovation when other business units are not collaborating effectively.

Is a one-size-fits-all permissions boundary possible?

Building a one-size-fits-all permissions boundary is cumbersome: it has to address AWS account-level exceptions, allow only “vetted” AWS services to be deployed, satisfy regulatory requirements, and keep pace with a growing number of AWS accounts.

Booking.com took a different route, Kushagra added. He shared the four steps of their “flavoured approach to permissions boundaries”:

  1. One dynamic boundary carries the global defaults defined by the security team.
  2. Exceptions to the boundary are granted per account, on top of those defaults.
  3. Developers can contribute to the boundary, moving towards a self-service IAM model.
  4. Environments in regulatory scope get a “new flavour” of the boundary rather than an exception to the standard one.

To implement the permissions boundaries in Terraform, you can define a map keyed by account that captures each account’s exceptions: the Regions it may use, the IAM actions it may call, and the AMI owner IDs it may launch when deploying vendor tooling. The module combines these with the global defaults when it renders each account’s boundary policy.

This is, in short, a layered approach to security baselines: a global baseline combined with environment-specific permissions boundaries. It gives flexibility and scalability while maintaining consistency across accounts. A standardized template or boilerplate dynamically generates each permissions boundary from its context, which avoids the complexity and maintenance burden of multiple siloed baselines.
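The composition described above, written out as an added example (it is not Booking.com’s module nor code from this blog). It does in Python what the Terraform map would do: merge global defaults with a per-account flavour and render the boundary document that an `aws_iam_policy` resource or `aws iam create-policy` would take. The account IDs, policy name, service lists and AMI owner are constructed; the statement set is illustrative and shows two details a practitioner needs to get right: a Region restriction must carve out global services (IAM, STS, Route 53 and friends are not Region-scoped, so a blanket `aws:RequestedRegion` deny breaks them), and a self-service boundary must stop principals being created without the boundary or having it removed afterwards.

```python
"""Render a "flavoured" IAM permissions boundary: one set of global defaults
owned by the security team, merged with per-account exceptions.

Every account id, policy name, service list and AMI owner below is constructed
for the example. The rendered document is the JSON you would hand to a
Terraform aws_iam_policy resource (or `aws iam create-policy --policy-document`)."""
from __future__ import annotations

import json
from typing import Any

BOUNDARY_NAME = "org-permissions-boundary"  # hypothetical policy name

# Global services are not Region-scoped; a plain Region deny would break them,
# so they are carved out of the Region restriction (list is illustrative).
GLOBAL_SERVICES = ["iam:*", "sts:*", "organizations:*", "route53:*",
                   "cloudfront:*", "support:*", "budgets:*"]

# Global defaults: what every account gets unless its flavour adds to them.
GLOBAL_DEFAULTS: dict[str, list[str]] = {
    "allowed_regions": ["eu-west-1"],
    "allowed_actions": ["s3:*", "dynamodb:*", "lambda:*", "logs:*", "cloudwatch:*", "ec2:*",
                        # self-service roles: allowed, but only with the boundary attached
                        "iam:CreateRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
                        "iam:PassRole", "iam:Get*", "iam:List*"],
    "allowed_ami_owners": [],   # only the account's own AMIs unless a flavour adds vendors
    "extra_denies": [],
}

# Per-account exceptions, keyed by account id (constructed ids).
ACCOUNT_FLAVOURS: dict[str, dict[str, list[str]]] = {
    # product account: one extra Region, SQS, and a vendor AMI for a tool
    "111111111111": {
        "allowed_regions": ["us-east-1"],
        "allowed_actions": ["sqs:*"],
        "allowed_ami_owners": ["123456789012"],
    },
    # regulated account: no new allowances, but a stricter flavour
    "222222222222": {
        "extra_denies": ["s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl"],
    },
}


def merge_flavour(defaults: dict[str, list[str]],
                  exceptions: dict[str, list[str]]) -> dict[str, list[str]]:
    """Union each list in the defaults with the account's exceptions.
    An exception can only add allowances or add denies; it can never remove a
    global deny, which keeps the security team's floor intact."""
    return {key: sorted(set(base) | set(exceptions.get(key, [])))
            for key, base in defaults.items()}


def render_boundary(account_id: str, spec: dict[str, list[str]]) -> dict[str, Any]:
    """Turn a merged spec into an IAM policy document."""
    boundary_arn = f"arn:aws:iam::{account_id}:policy/{BOUNDARY_NAME}"
    statements: list[dict[str, Any]] = [
        {"Sid": "AllowVettedServices", "Effect": "Allow",
         "Action": spec["allowed_actions"], "Resource": "*"},
        {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
         "NotAction": GLOBAL_SERVICES, "Resource": "*",
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": spec["allowed_regions"]}}},
        # Vendor tooling: only AMIs owned by this account or an approved vendor may launch.
        {"Sid": "DenyUnvettedAmis", "Effect": "Deny", "Action": "ec2:RunInstances",
         "Resource": "arn:aws:ec2:*::image/ami-*",
         "Condition": {"StringNotEquals": {"ec2:Owner": [account_id, *spec["allowed_ami_owners"]]}}},
        # Developers may create principals only with this boundary attached...
        {"Sid": "DenyPrincipalsWithoutBoundary", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateRole",
                    "iam:PutUserPermissionsBoundary", "iam:PutRolePermissionsBoundary"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": boundary_arn}}},
        # ...and may never strip it afterwards.
        {"Sid": "DenyBoundaryRemoval", "Effect": "Deny",
         "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
         "Resource": "*"},
    ]
    if spec["extra_denies"]:
        statements.append({"Sid": "FlavourSpecificDenies", "Effect": "Deny",
                           "Action": spec["extra_denies"], "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def render_all() -> dict[str, dict[str, Any]]:
    """One boundary document per account, all generated from the same template."""
    return {acct: render_boundary(acct, merge_flavour(GLOBAL_DEFAULTS, flavour))
            for acct, flavour in ACCOUNT_FLAVOURS.items()}


if __name__ == "__main__":
    for acct, doc in render_all().items():
        print(f"# {acct}\n{json.dumps(doc, indent=2)}")
```

Remember that a boundary never grants anything: a role still needs an identity policy that allows the action, and the effective permissions are the intersection of the two. The `DenyPrincipalsWithoutBoundary` statement is what makes the self-service step safe, because a developer who can create roles could otherwise create one with no ceiling at all.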

Leveraging Threat Intelligence for building a strong security foundation

Organizations should understand that defining and maintaining security baselines is not a set-and-forget practice, especially in cloud environments and large organizations, where new services and features are constantly being released. The points below show how threat intelligence should inform and refine the baselines:

  • Integrating threat intelligence: Threat detection and response teams provide valuable insights into real-world threats and vulnerabilities.
  • Baseline refinement: By analyzing threat intelligence, security teams can identify and address potential risks, leading to continuous improvement of the baseline.
  • Constant monitoring: Security teams need to stay updated on new AWS services, existing service features, and IAM namespace changes.
  • Multiple Sources: Threat intelligence can come from various sources, including public announcements, blogs, podcasts, and internal security teams.

The above key points highlight the critical role of threat intelligence in ensuring that security baselines remain effective and relevant in a dynamic cloud environment.

Effective strategies for defining strong permissions boundaries

When it comes to defining permissions, the first thing that comes to mind is identities. But a developer who only wants to test a new service may have to pass through every security check before touching it, which is cumbersome. That is where the flavoured permissions boundary explained earlier in the blog comes in.

Organizations should also design Service Control Policies (SCPs), which apply to every IAM entity in a specific AWS account or organizational unit (OU) and are meant for non-negotiable controls. Like a permissions boundary, an SCP never grants permissions on its own; it only caps what identity policies can grant, and it does not apply to the organization’s management account. To move faster, automate the creation and modification of permissions boundaries with IaC; this streamlines the workflow and reduces the risk of human error.

The benefits of following such an approach are:

  • Enhanced Security: By using both permission boundaries and SCPs, organizations can establish a robust security posture while maintaining flexibility.
  • Improved Efficiency: The use of automation and dynamic permission boundaries can streamline workflows and reduce the time required for security approvals.
  • Empowered Developers: Developers can experiment and innovate without compromising security, leading to increased productivity and agility.
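How the three layers combine is the part people get wrong, so here is the evaluation rule as an added example (not code from the blog or from AWS): for a same-account request, an explicit Deny in any applicable policy wins; otherwise the request is allowed only if the identity policy, the permissions boundary and every SCP in the OU chain each allow it. Conditions and resource-based policies are left out to keep the example short, and all three policies below are constructed.

```python
"""Decide whether a request is allowed when an identity policy, a permissions
boundary and one or more SCPs all apply. Implements the core AWS rule for a
same-account request: an explicit Deny anywhere wins; otherwise the request
is allowed only if EVERY layer that is present allows it. Conditions and
resource-based policies are ignored. All policies are constructed."""
from __future__ import annotations

import fnmatch
from typing import Any, Iterable, Optional


def _hit(pattern: Any, value: str) -> bool:
    """Case-insensitive IAM wildcard match; pattern may be a string or a list."""
    patterns = pattern if isinstance(pattern, list) else [pattern]
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def evaluate(policy: dict[str, Any], action: str, resource: str) -> Optional[str]:
    """Return "Deny", "Allow", or None (implicit deny: no statement matched)."""
    result: Optional[str] = None
    for stmt in policy["Statement"]:
        if "Action" in stmt:
            action_hit = _hit(stmt["Action"], action)
        else:  # NotAction: statement applies to everything NOT listed
            action_hit = not _hit(stmt["NotAction"], action)
        if not (action_hit and _hit(stmt.get("Resource", "*"), resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # explicit deny short-circuits everything
        result = "Allow"
    return result


def is_authorized(action: str, resource: str, identity_policy: dict[str, Any],
                  boundary: Optional[dict[str, Any]] = None,
                  scps: Iterable[dict[str, Any]] = ()) -> bool:
    """Intersection of all layers: a Deny anywhere, or a missing Allow in any
    layer that is present, rejects the request."""
    layers = [identity_policy] + ([boundary] if boundary else []) + list(scps)
    decisions = [evaluate(p, action, resource) for p in layers]
    if "Deny" in decisions:
        return False
    return all(d == "Allow" for d in decisions)


# What the developer attached to the role: deliberately broad.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "cloudtrail:*"], "Resource": "*"}]}

# The boundary the security team forces onto every role: the ceiling.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*", "cloudtrail:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}

# The OU-level SCP: non-negotiable, and it does not grant anything by itself.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail"],
     "Resource": "*"}]}

CASES = [
    ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),                  # all three allow
    ("s3:DeleteBucket", "arn:aws:s3:::app-bucket"),                          # boundary explicit deny
    ("ec2:RunInstances", "arn:aws:ec2:eu-west-1:111111111111:instance/*"),   # boundary does not allow
    ("dynamodb:PutItem", "arn:aws:dynamodb:eu-west-1:111111111111:table/orders"),  # identity never granted it
    ("cloudtrail:LookupEvents", "*"),                                        # allowed everywhere
    ("cloudtrail:StopLogging", "arn:aws:cloudtrail:eu-west-1:111111111111:trail/org-trail"),  # SCP deny
]


def run_cases() -> dict[str, bool]:
    return {action: is_authorized(action, res, IDENTITY_POLICY, BOUNDARY, [SCP])
            for action, res in CASES}


if __name__ == "__main__":
    for action, allowed in run_cases().items():
        print(f"{action:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

The `dynamodb:PutItem` case is the one to remember: the boundary allows DynamoDB, but the role was never granted it, so the request fails. A boundary caps; it does not grant. The `cloudtrail:StopLogging` case shows why the non-negotiable control belongs in the SCP: the developer’s own policy and the boundary both allow it, and the SCP still wins.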

Defining permission boundaries when migrating from legacy systems to the cloud

Migrating from legacy systems to the cloud with security in mind remains a challenge for almost every organization. Experts recommend starting with relaxed permissions boundaries during migration and gradually tightening them as the environment stabilizes. A few other areas deserve priority:

  • Leverage Flavored Permission Boundaries: Use different types of permission boundaries to cater to various environments, including legacy systems, regulatory requirements, and specific use cases.
  • Refactor and Optimize: Re-evaluate the existing environment to identify opportunities for optimization and leverage cloud-native features.
  • Centralized Deployment: Ensure a centralized mechanism for deploying and managing permissions across multiple accounts to facilitate efficient migration and ongoing management.

Along with the methods above, stick to the basics: risk assessments, data classification, continuous monitoring, and training. Your overall strategy for migrating from legacy systems to the cloud should look like this:

  • Assess the Legacy Environment: Understand the current security posture, data sensitivity, and compliance requirements.
  • Define Permission Boundaries: Create appropriate permission boundaries based on the identified needs and risks.
  • Migrate Gradually: Implement a phased approach to migration, starting with less sensitive data and gradually increasing the scope.
  • Refine and Optimize: Continuously review and refine permission boundaries as the migration progresses and the environment evolves.
  • Implement Monitoring and Auditing: Establish robust monitoring and auditing processes to detect and respond to security threats.
  • Provide Training and Awareness: Educate employees about security best practices and the importance of following established policies.

What if a specific cloud provider feature does not align with your defined security baselines?

For clarity, assume AWS rolls out a new feature that does not align with your security baselines. A denylist approach, where you deny a specific set of services and allow the rest, is not recommended. Why? Because every other service, including the one launched yesterday, is allowed without ever passing through your security review cycle.

Experts instead recommend a “safelisting” approach for the production environment. Put simply, compile an allowlist of approved cloud services and features, and permit only those explicitly on the list within the organization’s cloud environment. Anything not on the list is denied until it has been reviewed and added.

What are the benefits of safelisting?

  • Controlled Environment: By limiting the services in use, organizations can better manage the risks of their cloud infrastructure, especially in the production environment.
  • Proactive Security: It allows for proactive threat handling as only approved services are deployed, reducing the potential for unauthorized or risky activities.
  • Baseline Alignment: Safelisting can help ensure that the organization’s security baseline is aligned with the services in use.

Guidelines for implementation and maintenance

  • Create the List: The first step is to carefully identify and compile a list of cloud services or features that are deemed necessary and secure for the organization’s operations.
  • Regular Review: The list should be regularly reviewed and updated to account for new services, changes in existing services, and evolving security threats.
  • Threat Handling: For each approved service, organizations should implement appropriate security controls and threat-handling mechanisms.
  • Continuous Testing: Test the controls regularly, including by checking which services are actually being called against the list, so that gaps and newly introduced vulnerabilities are identified rather than missed.
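Two pieces of the safelisting workflow from the preceding sections, as an added example (not code from the blog or any vendor): rendering the list as an SCP that denies every service not on it, and the continuous-testing step that audits CloudTrail records for services in use that are off the list. The safelist, account IDs and event records are constructed; the `eventSource`-to-prefix mapping is partial and labelled as such.

```python
"""Safelisting in practice: (1) render the approved-service list as an SCP
that denies everything else, so a service launched tomorrow is blocked until
it is reviewed; (2) audit CloudTrail records to find off-list services that
are actually being called, and whether those calls succeeded or were blocked.
The safelist, account ids and events are constructed for this example."""
from __future__ import annotations

from collections import defaultdict
from typing import Any, Iterable

# Approved IAM service prefixes (constructed). Keep sts and iam on the list,
# or the NotAction deny below will also block role assumption and IAM admin.
SAFELIST = {"s3", "dynamodb", "lambda", "logs", "cloudwatch", "iam", "sts", "kms", "ec2"}

# CloudTrail's eventSource host does not always equal the IAM action prefix.
# Partial mapping of known mismatches; extend it as you meet more.
EVENT_SOURCE_TO_PREFIX = {"monitoring": "cloudwatch", "tagging": "tag"}

# Constructed CloudTrail-style records (not real account data).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData", "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/app-role/i-0abc"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"}},
    {"eventSource": "bedrock.amazonaws.com", "eventName": "InvokeModel", "awsRegion": "us-east-1",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "errorCode": "AccessDenied"},
    {"eventSource": "sagemaker.amazonaws.com", "eventName": "CreateNotebookInstance",
     "awsRegion": "eu-west-1",
     "userIdentity": {"arn": "arn:aws:sts::111111111111:assumed-role/data-role/session"}},
]


def safelist_scp(safelist: Iterable[str]) -> dict[str, Any]:
    """Deny every action whose service is not approved. Because it is a
    NotAction Deny, new services are blocked by default, not allowed by default."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyServicesNotOnSafelist",
        "Effect": "Deny",
        "NotAction": [f"{svc}:*" for svc in sorted(safelist)],
        "Resource": "*"}]}


def service_prefix(event: dict[str, Any]) -> str:
    """IAM service prefix for a CloudTrail record."""
    host = event["eventSource"].split(".", 1)[0]
    return EVENT_SOURCE_TO_PREFIX.get(host, host)


def audit_events(events: Iterable[dict[str, Any]],
                 safelist: set[str]) -> dict[str, dict[str, Any]]:
    """Group off-list calls by service: how many, how many were already blocked,
    which principals made them and in which Regions. calls > blocked means the
    safelist is not actually enforced for that principal."""
    findings: dict[str, dict[str, Any]] = defaultdict(
        lambda: {"calls": 0, "blocked": 0, "principals": set(), "regions": set()})
    for ev in events:
        svc = service_prefix(ev)
        if svc in safelist:
            continue
        f = findings[svc]
        f["calls"] += 1
        if ev.get("errorCode") == "AccessDenied":
            f["blocked"] += 1
        f["principals"].add(ev["userIdentity"]["arn"])
        f["regions"].add(ev["awsRegion"])
    return dict(findings)


if __name__ == "__main__":
    for svc, f in audit_events(SAMPLE_EVENTS, SAFELIST).items():
        state = "enforced" if f["calls"] == f["blocked"] else "GAP"
        print(f"{svc:12s} calls={f['calls']} blocked={f['blocked']} {state} "
              f"principals={sorted(f['principals'])}")
```

Run this over a real CloudTrail export and the `GAP` lines are either services that need to go through review and onto the list, or principals that sit outside the SCP (the management account, for instance) and need a different control.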

While safelisting provides a structured approach and numerous benefits, it can limit flexibility, so organizations need to balance security with operational needs. As new cloud services and features are constantly introduced, the safelisting process itself must be agile: review and update the list continuously so that it adapts to the evolving cloud landscape without compromising security.

Conclusion

Setting up effective security boundaries is crucial for safeguarding cloud environments, especially in large organizations with complex infrastructures. By understanding the nuances of permission boundaries, leveraging threat intelligence, and implementing best practices, organizations can establish a robust security posture that protects sensitive data and mitigates risks.
