7 Steps to Avoid Top Cloud Access Risks

Source: Internet
Author: User
Keywords: cloud, cloud access, cloud access risks
According to the Cloud Security Alliance (CSA) report on the top threats to cloud computing (the "Egregious Eleven"), misconfiguration and inadequate change control ranked second among the 11 biggest threats, behind only data breaches.

A good example is the 2019 Capital One data breach, which exposed the records of about 106 million credit card customers and applicants. The attacker exploited a misconfigured open-source web application firewall (WAF) running on an EC2 instance.

Through that misconfiguration (a server-side request forgery, SSRF), the attacker obtained temporary credentials for the IAM role assigned to the WAF instance and could use them to call other AWS services. Unfortunately, the WAF role had been given far more permissions than it needed: it could list the account's S3 buckets and read the objects they contained. That is what let the attacker reach the S3 buckets holding sensitive data.

The most effective way to mitigate this kind of permission abuse is to enforce the principle of least privilege: each user or application (human or machine identity) should hold exactly the permissions it needs and nothing more.

The first step in implementing least privilege is to find out which permissions have been granted to each identity, whether a person, a machine or an application. The next step is to map which of those permissions are actually used, for example from the API calls recorded in CloudTrail. Comparing the two reveals the permission gap: the permissions that are used and should be kept, and the permissions that are never used and should be revoked. Because permissions accumulate over time, this analysis must be repeated continuously to keep privileges at the minimum.
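The comparison described above, as an added example that is not code from the original article: it takes the Allow statements of an identity's policies, maps CloudTrail-style records back to IAM action names, and reports which granted actions were never used (revoke), which wildcard grants can be narrowed to the actions actually seen, and which used actions none of these policies grant at all. The policy, bucket name and events are constructed, and the event-name table is a partial assumption to be extended for the services you audit.

```python
"""Permission-gap analysis: which granted actions has an identity actually used?

Added example, not code from the original article. Policy, bucket name and
CloudTrail-style events are constructed for illustration."""
from fnmatch import fnmatchcase

# CloudTrail logs the API name, which does not always equal the IAM action name.
# Known differences (partial table, assumption; extend for the services you audit):
EVENT_TO_ACTION = {
    ("s3.amazonaws.com", "ListObjects"): "s3:ListBucket",
    ("s3.amazonaws.com", "ListObjectsV2"): "s3:ListBucket",
    ("s3.amazonaws.com", "HeadObject"): "s3:GetObject",
}


def event_to_action(event):
    """Map a CloudTrail record to the IAM action it required."""
    key = (event["eventSource"], event["eventName"])
    if key in EVENT_TO_ACTION:
        return EVENT_TO_ACTION[key]
    service_prefix = event["eventSource"].split(".")[0]
    return f"{service_prefix}:{event['eventName']}"


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def granted_action_patterns(policies):
    """Action patterns from Allow statements. Deny and NotAction statements
    restrict rather than grant, so they are ignored for gap analysis."""
    patterns = set()
    for policy in policies:
        statements = policy["Statement"]
        if isinstance(statements, dict):
            statements = [statements]
        for stmt in statements:
            if stmt.get("Effect") == "Allow" and "Action" in stmt:
                patterns.update(_as_list(stmt["Action"]))
    return patterns


def permission_gap(policies, events):
    """Return the unused patterns (candidates for revocation), the wildcard
    patterns that can be narrowed to the actions actually seen, and the used
    actions that none of these policies grant (the permission must come from a
    group, a role, a resource-based policy or another layer)."""
    used = {event_to_action(e) for e in events}
    granted = granted_action_patterns(policies)
    unused, narrowable = [], {}
    for pattern in sorted(granted):  # IAM action matching is case-insensitive
        matched = sorted(a for a in used if fnmatchcase(a.lower(), pattern.lower()))
        if not matched:
            unused.append(pattern)
        elif any(ch in pattern for ch in "*?"):
            narrowable[pattern] = matched
    not_granted_here = sorted(
        a for a in used if not any(fnmatchcase(a.lower(), p.lower()) for p in granted))
    return {"unused": unused, "narrow": narrowable,
            "used_but_not_granted_here": not_granted_here}


# Constructed: policies attached directly to one user, and the records logged for it.
USER_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:AttachUserPolicy"], "Resource": "*"},
]}]
OBSERVED_EVENTS = [  # constructed CloudTrail records for the user over the review window
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeSecurityGroups"},
    {"eventSource": "kms.amazonaws.com", "eventName": "Decrypt"},
]

if __name__ == "__main__":
    for category, value in permission_gap(USER_POLICIES, OBSERVED_EVENTS).items():
        print(f"{category}: {value}")
```

Two caveats when running this against real data: S3 object-level calls such as GetObject only appear in CloudTrail when data events are enabled for the bucket, so without them the analysis would wrongly flag s3:GetObject as unused; and the unused iam:CreateUser and iam:AttachUserPolicy grants in the sample are worth revoking first, since together they let the holder create a new user with any permissions.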


Step 1: Check attached policies

The first step is to check the policies attached directly to the user. There are two types: managed policies (AWS managed or customer managed), which are standalone objects that can be attached to many identities, and inline policies, which are embedded in a single user, group or role and exist only there.


Step 2: Analyze identity and access management (IAM) groups

The next step is to check each identity and access management (IAM) group the user belongs to. Groups also have policies attached, which indirectly grant the user access to further resources. Just like users, groups can carry both managed policies and inline policies.

Step 3: Map identity and access management (IAM) roles

Now map every identity and access management (IAM) role the user is allowed to assume (through sts:AssumeRole, as permitted by the user's own policies and the role's trust policy). A role is similar to an IAM user in that it carries permission policies, but it is not tied to one person: anything allowed to assume it receives its permissions. Roles are the usual way to grant access to applications and services, which is why an over-permissioned role, like the one on the Capital One WAF instance, is so dangerous.

Step 4: Investigate resource-based policies

Next, the focus shifts from identity policies to policies attached to resources, such as an S3 bucket policy. These policies can grant the user the right to act on the resource directly, independently of the identity-based policies found in the previous steps (direct or inherited).

Step 5: Analyze access control lists

After the policy review, move on to the access control lists (ACLs) attached to each resource. ACLs resemble resource-based policies, but they grant permissions to AWS accounts (or predefined groups), not to individual IAM identities, so they matter for access from other accounts. Because an ACL cannot give an identity in the same account anything beyond what its IAM policies allow, resources owned by the same account as the user can be skipped. Note that new S3 buckets have ACLs disabled by default (Object Ownership set to bucket owner enforced), in which case only policies apply.

Step 6: Review permissions boundaries

In this step, check the permissions boundary of each user. A permissions boundary is an advanced feature that defines the maximum permissions an IAM user or role may have: the effective permissions are the intersection of the identity-based policies and the boundary, so the boundary itself grants nothing, and an action must be allowed by both to succeed. It is important to note that a boundary does not restrict every policy type in the same way. Permissions granted to the user by a resource-based policy are not limited by the boundary, and an explicit Deny in any applicable policy overrides every Allow.

Step 7: Check service control policies

Finally, check the service control policies (SCPs). SCPs are defined in AWS Organizations and set the maximum permissions available to every identity in the member accounts they apply to. Like permissions boundaries, they never grant permissions by themselves, and they do not affect the management account. An action that an applicable SCP does not allow is denied regardless of what the identity-based or resource-based policies say.
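Putting the seven layers together, here is an added example (not code from the original article) that evaluates a single request the way AWS documents it for an IAM user acting in its own account: an explicit Deny anywhere wins, then the SCP ceiling applies, then a resource-based policy that names the user grants access on its own, and only then are the identity-based policies intersected with the permissions boundary. Condition keys, session policies, cross-account access and ACLs are not modelled (assumption), and every ARN and policy below is constructed; the identity policy deliberately carries the kind of over-broad `s3:*` grant that made the Capital One WAF role dangerous.

```python
"""Simplified AWS policy evaluation for an IAM user acting in its own account.

Added example, not code from the original article. Models identity-based
policies (steps 1-2), a resource-based policy (step 4), a permissions boundary
(step 6) and SCPs (step 7). Conditions, session policies, cross-account
access and ACLs are not modelled (assumption); all ARNs are constructed."""
from fnmatch import fnmatchcase


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _match_any(value, patterns):
    # IAM action and resource matching is case-insensitive and uses * and ? wildcards.
    return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def statement_applies(stmt, action, resource, principal_arn):
    """True if Action/NotAction, Resource/NotResource and, for resource-based
    policies, Principal all match the request."""
    if "Action" in stmt and not _match_any(action, stmt["Action"]):
        return False
    if "NotAction" in stmt and _match_any(action, stmt["NotAction"]):
        return False
    if "Resource" in stmt and not _match_any(resource, stmt["Resource"]):
        return False
    if "NotResource" in stmt and _match_any(resource, stmt["NotResource"]):
        return False
    if "Principal" in stmt:
        principal = stmt["Principal"]
        allowed = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" not in allowed and principal_arn not in allowed:
            return False
    return True


def policy_effect(policy, action, resource, principal_arn=None):
    """'Deny' if any matching statement denies, 'Allow' if any allows, and
    None when the policy is silent about the request (an implicit deny)."""
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    effects = {s["Effect"] for s in statements
               if statement_applies(s, action, resource, principal_arn)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else None


def evaluate(principal_arn, action, resource, identity_policies,
             boundary=None, scps=(), resource_policy=None):
    """Return (decision, reason) for one request made by an IAM user."""
    all_policies = [*identity_policies, *scps]
    all_policies += [p for p in (boundary, resource_policy) if p is not None]
    if any(policy_effect(p, action, resource, principal_arn) == "Deny" for p in all_policies):
        return "Deny", "explicit deny"  # an explicit Deny beats every Allow
    # SCPs cap every identity in a member account; each SCP level must allow the action.
    if scps and not all(policy_effect(p, action, resource) == "Allow" for p in scps):
        return "Deny", "not allowed by SCP"
    # A resource-based policy naming the user grants access on its own and is
    # not limited by the user's permissions boundary.
    if resource_policy is not None and policy_effect(
            resource_policy, action, resource, principal_arn) == "Allow":
        return "Allow", "resource-based policy"
    if not any(policy_effect(p, action, resource) == "Allow" for p in identity_policies):
        return "Deny", "no identity-based Allow"
    # Effective permissions are the intersection of identity policies and the boundary.
    if boundary is not None and policy_effect(boundary, action, resource) != "Allow":
        return "Deny", "outside permissions boundary"
    return "Allow", "identity-based policy"


USER = "arn:aws:iam::123456789012:user/waf-operator"  # constructed
IDENTITY_POLICIES = [{"Version": "2012-10-17", "Statement": [  # steps 1 and 2
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},  # over-broad grant
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}]
BOUNDARY = {"Version": "2012-10-17", "Statement": [  # step 6
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-app-data", "arn:aws:s3:::example-app-data/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}
SCPS = [{"Version": "2012-10-17", "Statement": [  # step 7
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"}]}]
SHARED_LOGS_POLICY = {"Version": "2012-10-17", "Statement": [  # step 4
    {"Effect": "Allow", "Principal": {"AWS": USER}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::shared-logs/*"}]}


def check(action, resource, resource_policy=None):
    """Evaluate a request by the constructed user against all constructed layers."""
    return evaluate(USER, action, resource, IDENTITY_POLICIES, BOUNDARY, SCPS, resource_policy)
```

With these inputs, `check("s3:GetObject", "arn:aws:s3:::example-app-data/report.csv")` is allowed, while `s3:PutObject` on the same object and `s3:GetObject` on a different bucket are denied by the boundary even though `s3:*` allows them; `s3:DeleteBucket` is stopped by the SCP's explicit Deny; and `s3:GetObject` on `shared-logs` is allowed through the bucket policy despite the boundary, which is exactly why step 4 must not be skipped. Dropping the boundary (calling `evaluate` without it) lets the over-broad `s3:*` reach any bucket in the account.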

Enforce least privilege access

As one can see, protecting identities and data in the cloud is a challenge, and it becomes more complex as organizations expand their cloud footprint. In many cases, users and applications accumulate permissions that far exceed their technical and business requirements, which produces permission gaps.

Often, the work required to determine the precise permissions each user or application needs is costly and does not scale. Even a simple task such as understanding the permissions granted to a single user can be very difficult, as the seven steps above show.

Managing identity and access in a cloud environment to enforce least privilege is therefore complicated, requires a lot of manual work, and is expensive. Native tooling from the cloud providers is still immature in this area, and third-party solutions are typically filling the gap.