IAM The One Who Knocks

The presentation discusses the hidden risks of managing multi-cloud identity and access management (IAM) environments and the importance of protecting IAM as the core service.

• Different cloud providers have their own unique IAM infrastructure and access models, making it difficult for security professionals to manage multi-cloud environments.
• Non-human identities are becoming increasingly important in cloud security, and each vendor has its own implementation for managing them.
• Logs are crucial for detecting and responding to security incidents and building better permissions, but they have limits and can be manipulated by attackers.
• AWS has known vulnerabilities in IAM policies and logging, and attackers can exploit them to gain unauthorized access or exfiltrate data.
• IAM is the core service that controls every access to cloud resources, and it is the responsibility of cloud consumers to protect it.

The presenter shared an anecdote about a default service account in Google Cloud Platform that had the cloud platform access scope, which is virtually everything, and was vulnerable to a full account takeover vector. This highlights the importance of understanding IAM infrastructure and policies to avoid unintended access.

As organizations start their cloud journey, many are looking at leveraging multi-cloud for their infrastructure. Although this gives teams great flexibility in building their environments, each service provider has a unique paradigm for configuring and managing the configuration of resources, identities, and access permissions. For enterprises, multi-cloud environments make enforcing least-privileged access challenging, requiring new rules and permissions that are unique to each cloud environment. Implementing the least privilege model is much more difficult in the public cloud than on-premises.This talk presents the hidden risks of managing identities and access in a multi-cloud environment. We will expose access flaws and misconfigurations that attackers can easily abuse to gain access to confidential and sensitive information. We will discuss the inner workings of each cloud provider's Identity and Access Management (IAM) layers and highlight the differences between each cloud service. We then detail how inconsistent entitlements across cloud resources and services can lead to unintended access and how accountability confusion in the shared responsibility model can enable privilege escalation.We finish with our insights on using free, open-source tools that can significantly reduce the attack surface in an enterprise cloud environment and present our "Access Undenied" open-source tool that helps administrators tackle AccessDenied events (Live Demo). We close our talk by supplying actionable steps anyone can follow, providing a cheat-sheet comparison for the three primary cloud services AWS/Azure/GCP.