Access Management for Cloud
Overview
Effective access management is critical for securing cloud services, ensuring only authorized users access appropriate resources.
Learning Objectives
- Implement cloud access control
- Configure identity federation
- Apply least privilege principle
- Conduct access reviews
- Apply ISO 27017 access controls
ISO 27017 Access Controls
A.9.1.1 - Access Control Policy
Customer Requirements:
- Document access control policy
- Define access requirements by role
- Implement least privilege
- Regular access reviews
- Segregation of duties
A.9.2.1 - User Registration and Deregistration
Lifecycle Management:
User Lifecycle in Cloud
┌──────────────────────────────────┐
│ 1. Provisioning │
│ ├─ Identity verification │
│ ├─ Role assignment │
│ ├─ Access approval │
│ └─ Account creation │
├──────────────────────────────────┤
│ 2. Modification │
│ ├─ Role changes │
│ ├─ Permission updates │
│ ├─ Re-approval (if needed) │
│ └─ Audit logging │
├──────────────────────────────────┤
│ 3. Review │
│ ├─ Quarterly reviews │
│ ├─ Certification by managers │
│ ├─ Remove unused access │
│ └─ Document results │
├──────────────────────────────────┤
│ 4. Deprovisioning │
│ ├─ Termination trigger │
│ ├─ Immediate access removal │
│ ├─ Data ownership transfer │
│ └─ Account archival/deletion │
└──────────────────────────────────┘
Identity and Access Management (IAM)
Cloud IAM Components
| Component | Purpose | Example |
|---|---|---|
| Users | Individual identities | user@example.com |
| Groups | Collections of users | developers, admins |
| Roles | Set of permissions | ReadOnly, AdminAccess |
| Policies | Permission definitions | Allow s3:GetObject |
| Resources | Cloud services/data | S3 buckets, VMs |
Least Privilege Implementation
Privilege Hierarchy (Least to Most)
Level 1: Read-Only Access
├─ View resources
├─ Read configurations
└─ No modifications
Level 2: Specific Resource Access
├─ Read/write to specific resources
├─ Limited to job function
└─ Time-bounded (if possible)
Level 3: Service-Level Access
├─ Manage specific service
├─ Create/modify/delete resources
└─ Within defined boundaries
Level 4: Administrative Access
├─ Manage users and permissions
├─ Configure security settings
├─ Access audit logs
└─ Requires MFA + approval
Level 5: Root/Owner Access
├─ Full account access
├─ Break-glass only
├─ Heavily monitored
└─ Multiple approval required
Identity Federation
A.9.1.2 - Access to Networks and Network Services
Single Sign-On (SSO) Architecture:
┌─────────────────────────────────────┐
│ Corporate Identity Provider │
│ (Active Directory, Okta, Azure AD) │
└──────────┬──────────────────────────┘
│ SAML 2.0 / OIDC
│
┌──────────▼──────────────────────────┐
│ Cloud Service Provider │
│ ┌────────────────────────────────┐ │
│ │ Identity Federation │ │
│ │ - Trust relationship │ │
│ │ - Attribute mapping │ │
│ │ - Role assignment │ │
│ └────────────────────────────────┘ │
└─────────────────────────────────────┘
Benefits:
- Centralized user management
- Single set of credentials
- Automated provisioning/deprovisioning
- Consistent access policies
- Better audit trail
Federation Example (AWS)
<!-- SAML AttributeStatement fragment. The Role value is ONE string of the form
     "role-ARN,provider-ARN"; both ARNs live in the same AWS account. -->
<Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
<AttributeValue>arn:aws:iam::123456789012:role/Developers,arn:aws:iam::123456789012:saml-provider/Corporate-IdP</AttributeValue>
</Attribute>
<!-- RoleSessionName is required; it becomes the session name visible in CloudTrail -->
<Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
<AttributeValue>user@example.com</AttributeValue> <!-- placeholder: typically the user's e-mail or login -->
</Attribute>
<Attribute Name="https://aws.amazon.com/SAML/Attributes/SessionDuration">
<AttributeValue>28800</AttributeValue> <!-- 8 hours; AWS accepts 900 to 43200 seconds, capped by the role's maximum session duration -->
</Attribute>
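The Role attribute is the part of federation that most often goes wrong in practice: a mis-ordered pair, a provider in the wrong account, or a SessionDuration AWS rejects. The following checker, an added example that is not part of the original page, parses a constructed AttributeStatement built from the fragment above and validates the constraints AWS applies to AssumeRoleWithSAML: each Role value is a "role-ARN,provider-ARN" pair (either order, split on the last comma because role names may contain commas while provider names may not), both ARNs are in the same account, RoleSessionName is present, and SessionDuration is between 900 and 43200 seconds. Account number, role and provider names are the page's placeholders.

```python
"""Validate the AWS role-mapping attributes carried in a SAML assertion."""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ATTR = f"{{{SAML_NS}}}Attribute"
VALUE = f"{{{SAML_NS}}}AttributeValue"
AWS = "https://aws.amazon.com/SAML/Attributes/"
ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
PROVIDER_ARN = re.compile(r"^arn:aws:iam::(\d{12}):saml-provider/[\w._-]+$")
MIN_SESSION, MAX_SESSION = 900, 43200

# Constructed sample assertion fragment (placeholders from the page).
SAMPLE_ASSERTION = f"""<AttributeStatement xmlns="{SAML_NS}">
  <Attribute Name="{AWS}Role">
    <AttributeValue>arn:aws:iam::123456789012:role/Developers,arn:aws:iam::123456789012:saml-provider/Corporate-IdP</AttributeValue>
  </Attribute>
  <Attribute Name="{AWS}RoleSessionName">
    <AttributeValue>user@example.com</AttributeValue>
  </Attribute>
  <Attribute Name="{AWS}SessionDuration">
    <AttributeValue>28800</AttributeValue>
  </Attribute>
</AttributeStatement>"""


def split_role_value(value: str) -> tuple[str, str]:
    """Return (role_arn, provider_arn) from a Role attribute value.

    Role names may contain commas, provider names may not, so try the last
    comma first; AWS accepts the pair in either order.
    """
    for parts in (value.rsplit(",", 1), value.split(",", 1)):
        if len(parts) != 2:
            break
        a, b = (p.strip() for p in parts)
        if ROLE_ARN.match(a) and PROVIDER_ARN.match(b):
            return a, b
        if PROVIDER_ARN.match(a) and ROLE_ARN.match(b):
            return b, a
    raise ValueError(f"not a role-ARN,provider-ARN pair: {value!r}")


def attributes(xml_text: str) -> dict[str, list[str]]:
    """Collect every AttributeValue, keyed by the Attribute's Name."""
    root = ET.fromstring(xml_text)
    out: dict[str, list[str]] = {}
    for attr in root.iter(ATTR):
        values = [(v.text or "").strip() for v in attr.iter(VALUE)]
        out.setdefault(attr.get("Name", ""), []).extend(values)
    return out


def validate_role_mapping(xml_text: str) -> dict:
    """Return the parsed mapping plus a list of errors ([] means deployable)."""
    attrs = attributes(xml_text)
    errors: list[str] = []
    pairs: list[tuple[str, str]] = []
    for value in attrs.get(AWS + "Role", []):
        try:
            role, provider = split_role_value(value)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if ROLE_ARN.match(role).group(1) != PROVIDER_ARN.match(provider).group(1):
            errors.append(f"role and provider are in different accounts: {value}")
        pairs.append((role, provider))
    if not pairs and not errors:
        errors.append("no Role attribute: AWS cannot map the user to a role")
    names = attrs.get(AWS + "RoleSessionName", [])
    if len(names) != 1 or not names[0]:
        errors.append("RoleSessionName must be present exactly once")
    duration = None
    for raw in attrs.get(AWS + "SessionDuration", []):
        if raw.isdigit() and MIN_SESSION <= int(raw) <= MAX_SESSION:
            duration = int(raw)
        else:
            errors.append(f"SessionDuration {raw!r} outside {MIN_SESSION}-{MAX_SESSION}s")
    return {"roles": pairs, "session_name": names[0] if names else None,
            "session_duration": duration, "errors": errors}


if __name__ == "__main__":
    print(validate_role_mapping(SAMPLE_ASSERTION))
```

Run it against the assertion your IdP actually emits (captured with the browser's SAML tracer) before cutting users over; a mapping that fails here fails at AWS with a far less helpful error.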
Multi-Factor Authentication
A.9.4.2 - Secure Log-on Procedures
MFA Implementation:
| MFA Type | Strength | Use Case |
|---|---|---|
| SMS / voice | Low | Not recommended (SIM swap, interception, phishing); temporary fallback at most |
| TOTP app | Medium | Standard users; codes can still be relayed by a phishing proxy |
| Hardware OTP token | High | Privileged users where FIDO2 is not yet available |
| Biometric | High | Mobile access; unlocks a device-bound credential rather than serving as the factor on its own |
| FIDO2/WebAuthn | Highest | Phishing-resistant; the default for privileged and root accounts |
MFA Enforcement Policy:
MFA Requirements:
All Users:
├─ MFA required for console access
├─ MFA required for API access (short-lived credentials issued after an MFA-backed sign-in; no long-term access keys for human users)
└─ MFA device registered within 7 days of account creation
Privileged Users:
├─ Hardware MFA required (FIDO2 security key preferred)
├─ MFA for all operations
├─ Re-authentication every 4 hours
└─ Cannot disable MFA
Root/Owner Accounts:
├─ Multiple MFA devices registered (loss of one device must not lock out the account)
├─ Hardware MFA only
├─ Break-glass procedures documented
└─ Usage heavily monitored and alerted
Role-Based Access Control (RBAC)
Defining Roles
Example Cloud Roles
Developer Role:
├─ Permissions:
│ ├─ Read: All application resources
│ ├─ Write: Development environment
│ ├─ Deploy: Staging environment
│ └─ View: Logs and metrics
├─ Restrictions:
│ ├─ No production write access
│ ├─ No IAM modifications
│ ├─ No cost management
│ └─ No security config changes
└─ Conditions:
├─ MFA required
├─ Corporate IP range
└─ Business hours only
Security Analyst Role:
├─ Permissions:
│ ├─ Read: All resources
│ ├─ Read: All logs and metrics
│ ├─ Read: Security configurations
│ └─ Write: Security tools only
├─ Restrictions:
│ ├─ No resource modification
│ ├─ No data access
│ └─ No IAM changes
└─ Conditions:
├─ MFA required
└─ No time restrictions
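Role definitions like the two above only hold if the policy documents that implement them are checked mechanically, otherwise a "temporary" wildcard survives until the next access review. The following guardrail checker, an added example that is not the page's own code, encodes the Developer role as an AWS IAM policy and runs the checks that mirror its Restrictions and Conditions and the MFA enforcement policy: no wildcard or IAM/Organizations/Cost Explorer actions in an Allow, MFA proven on every Allow, source pinned to the corporate range, and no write actions on a bare Resource "*". The bucket name, the corporate CIDR (203.0.113.0/24 is a documentation range) and the guardrail thresholds are assumptions.

```python
"""Least-privilege guardrails for an AWS IAM policy document."""
import ipaddress
from typing import Any

CORPORATE_CIDR = "203.0.113.0/24"       # assumed corporate egress range
PRIVILEGED_PREFIXES = ("iam:", "organizations:", "ce:", "account:")
READ_ONLY_VERBS = ("Get", "List", "Describe")

# Constructed policy for the Developer role described above.
DEVELOPER_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Read: application resources, logs and metrics, everywhere
            "Sid": "ReadApplicationResources",
            "Effect": "Allow",
            "Action": ["ec2:Describe*", "s3:GetObject", "s3:ListBucket",
                       "logs:Get*", "logs:Describe*", "cloudwatch:GetMetricData"],
            "Resource": "*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": [CORPORATE_CIDR]},
            },
        },
        {   # Write: only the development bucket; production stays read-only
            "Sid": "WriteDevelopmentOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject", "s3:DeleteObject"],
            "Resource": "arn:aws:s3:::example-dev-artifacts/*",
            "Condition": {
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
                "IpAddress": {"aws:SourceIp": [CORPORATE_CIDR]},
            },
        },
        {   # Explicit Deny wins over any Allow attached elsewhere
            "Sid": "DenyIamOrgAndCost",
            "Effect": "Deny",
            "Action": ["iam:*", "organizations:*", "ce:*"],
            "Resource": "*",
        },
    ],
}

# Constructed counter-example: the "make the error go away" policy.
OVERLY_BROAD_POLICY: dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEverything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    _service, _, name = action.partition(":")
    return name.startswith(READ_ONLY_VERBS)


def check_policy(policy: dict[str, Any]) -> list[str]:
    """Return guardrail findings for every Allow statement; [] means clean."""
    findings: list[str] = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue                          # Deny statements only tighten access
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        cond = stmt.get("Condition", {})

        # 1. No wildcard or privileged-service actions in an Allow.
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            elif action.startswith(PRIVILEGED_PREFIXES):
                findings.append(f"{sid}: privileged action {action!r}")

        # 2. MFA must be proven. The key is absent (not "false") for long-term
        #    access keys, so testing Bool == "true" also blocks those.
        mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")

        # 3. Source must be pinned to the corporate range, never 0.0.0.0/0.
        cidrs = _as_list(cond.get("IpAddress", {}).get("aws:SourceIp", []))
        if not cidrs:
            findings.append(f"{sid}: no aws:SourceIp condition")
        for cidr in cidrs:
            if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                findings.append(f"{sid}: aws:SourceIp {cidr} matches any address")

        # 4. Mutating actions need a resource ARN or a tag scope, not bare "*".
        mutating = [a for a in actions if not _is_read_only(a)]
        unscoped = _as_list(stmt.get("Resource", [])) == ["*"]
        tag_scoped = any(k.startswith("aws:ResourceTag/")
                         for k in cond.get("StringEquals", {}))
        if mutating and unscoped and not tag_scoped:
            findings.append(f"{sid}: write actions {mutating} on Resource '*'")
    return findings
```

Two caveats the role definition glosses over. IAM has no time-of-day condition key (aws:CurrentTime compares against an absolute timestamp), so "business hours only" has to be enforced at the identity provider's sign-on policy or through a short SessionDuration, not in the policy document. And the MFA condition only protects actions performed with temporary credentials: an Allow that is meant to apply to service roles without MFA needs a separate statement, otherwise the guardrail above would hide that gap rather than expose it.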
Access Reviews
A.9.2.5 - Review of User Access Rights
Review Process:
Quarterly Access Review
Week 1: Preparation
├─ Generate access reports
├─ Identify inactive accounts
├─ Flag excessive permissions
└─ Distribute to managers
Week 2-3: Review
├─ Managers certify access
├─ Justify exceptions
├─ Request removals
└─ Document decisions
Week 4: Remediation
├─ Remove unauthorized access
├─ Update permissions
├─ Disable inactive accounts
└─ Document changes
Ongoing: Monitoring
├─ Alert on new high-privilege access
├─ Monitor for access violations
├─ Track review completion
└─ Audit trail maintenance
Access Review Report
User: user@example.com
Manager: manager@example.com
Last Review: 2024-01-15
Current Access:
├─ AWS Account: Production
│ ├─ Role: Developer (6 months)
│ └─ Permissions: EC2, S3 read/write
├─ Azure Subscription: Development
│ ├─ Role: Contributor (1 year)
│ └─ Last Used: 90 days ago ⚠
└─ Salesforce
├─ Role: Standard User (2 years)
└─ Last Used: 2 days ago
Recommendations:
├─ Remove Azure access (inactive) ⚠
├─ Review AWS S3 write access (rarely used)
└─ Continue Salesforce access ✓
Manager Action Required:
[ ] Certify all access
[ ] Remove Azure access
[ ] Adjust AWS permissions
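The report above is the output of a mechanical step: join the entitlement inventory with last-used data and classify each entry before a manager ever sees it. The following script, an added example and not part of the original page, does that classification for a constructed inventory that mirrors the sample report (one user with AWS, Azure and Salesforce access) plus two extra entries. The user names are placeholders and the thresholds (90 days inactive means remove, 60 days means justify, any privileged role means justify) are assumptions to be set by policy.

```python
"""Quarterly access review: turn an entitlement inventory into a decision list."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

INACTIVE_DAYS = 90       # unused this long: recommend removal
RARELY_USED_DAYS = 60    # unused this long: manager must justify keeping it
PRIVILEGED_ROLES = {"Owner", "AdminAccess", "Contributor", "Global Administrator"}


@dataclass(frozen=True)
class Entitlement:
    user: str
    manager: str
    system: str
    role: str
    granted: date
    last_used: Optional[date]    # None: never used since it was granted


def review_entitlement(e: Entitlement, today: date) -> tuple[str, str]:
    """Classify one entitlement as remove / justify / certify, with a reason."""
    idle_days = (today - (e.last_used or e.granted)).days
    if idle_days >= INACTIVE_DAYS:
        return "remove", f"not used for {idle_days} days"
    if e.role in PRIVILEGED_ROLES:
        return "justify", f"privileged role {e.role} needs written justification"
    if idle_days >= RARELY_USED_DAYS:
        return "justify", f"rarely used ({idle_days} days since last use)"
    return "certify", "in active use, non-privileged"


def build_report(entitlements, today: date) -> dict[str, list[dict]]:
    """Group decisions per user so each manager receives one checklist."""
    report: dict[str, list[dict]] = {}
    for e in entitlements:
        action, reason = review_entitlement(e, today)
        report.setdefault(e.user, []).append(
            {"manager": e.manager, "system": e.system, "role": e.role,
             "action": action, "reason": reason})
    return report


def render(report: dict[str, list[dict]]) -> str:
    """Manager-facing text in the checklist style of the report above."""
    lines = []
    for user, items in report.items():
        lines.append(f"User: {user}   Manager: {items[0]['manager']}")
        for it in items:
            box = "[x]" if it["action"] == "certify" else "[ ]"
            lines.append(f"  {box} {it['action']:<8} {it['system']} / {it['role']}: {it['reason']}")
    return "\n".join(lines)


def sample_inventory(today: date) -> list[Entitlement]:
    """Constructed data; dates are relative to `today` so the demo is stable."""
    def days_ago(n: int) -> date:
        return today - timedelta(days=n)
    mgr = "manager@example.com"
    return [
        Entitlement("user@example.com", mgr, "AWS Production", "Developer", days_ago(180), days_ago(5)),
        Entitlement("user@example.com", mgr, "Azure Development", "Contributor", days_ago(365), days_ago(90)),
        Entitlement("user@example.com", mgr, "Salesforce", "Standard User", days_ago(730), days_ago(2)),
        Entitlement("ops@example.com", mgr, "Azure Production", "Owner", days_ago(30), days_ago(1)),
        Entitlement("contractor@example.com", mgr, "AWS Sandbox", "Developer", days_ago(100), None),
    ]


def run_review(today: date = date(2024, 4, 15)) -> dict[str, list[dict]]:
    return build_report(sample_inventory(today), today)


if __name__ == "__main__":
    print(render(run_review()))
```

The inactivity check runs before the privilege check on purpose: an unused Owner role is removed, not justified. The one entry the page flags that this model cannot reproduce, "S3 write access rarely used", needs per-permission last-used data (AWS IAM Access Analyzer's action-level last-accessed information, for example) rather than a per-entitlement timestamp.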
Privileged Access Management
A.9.2.3 - Management of Privileged Access Rights
PAM Controls:
Privileged Access Management
┌──────────────────────────────────┐
│ 1. Just-in-Time Access │
│ - Request-based elevation │
│ - Time-limited (1-8 hours) │
│ - Approval workflow │
│ - Automatic expiration │
├──────────────────────────────────┤
│ 2. Session Monitoring │
│ - Record privileged sessions │
│ - Real-time monitoring │
│ - Anomaly detection │
│ - Audit trail │
├──────────────────────────────────┤
│ 3. Credential Vaulting │
│ - Secure credential storage │
│ - Automatic rotation │
│ - Check-out/check-in │
│ - Audit logging │
├──────────────────────────────────┤
│ 4. Break-Glass Procedures │
│ - Emergency access process │
│ - Multiple approvals │
│ - Immediate alerting │
│ - Post-incident review │
└──────────────────────────────────┘
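The four PAM controls above are easiest to reason about as a state machine around each elevation request. The following broker, an added example that is not the page's own code, models just-in-time access as listed: a request carries a justification and a time box of at most eight hours, an approver other than the requester activates it (segregation of duties), the grant expires automatically when checked after its window, and a break-glass request needs two approvers and writes an alert line to the audit trail. Role names, people and thresholds are assumptions.

```python
"""Just-in-time privileged elevation as a small state machine."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

MAX_DURATION = timedelta(hours=8)
BREAK_GLASS_APPROVALS = 2


class State(Enum):
    PENDING = "pending"
    ACTIVE = "active"
    EXPIRED = "expired"


@dataclass
class Elevation:
    requester: str
    role: str
    justification: str
    duration: timedelta
    break_glass: bool = False
    approvers: set[str] = field(default_factory=set)
    activated_at: Optional[datetime] = None
    state: State = State.PENDING


class JitBroker:
    def __init__(self) -> None:
        self.events: list[str] = []    # audit trail; ALERT lines also page on-call

    def _log(self, now: datetime, msg: str) -> None:
        self.events.append(f"{now.isoformat()} {msg}")

    def request(self, requester: str, role: str, justification: str,
                duration: timedelta, now: datetime, break_glass: bool = False) -> Elevation:
        if not justification.strip():
            raise ValueError("justification is required")
        if not timedelta(0) < duration <= MAX_DURATION:
            raise ValueError(f"duration must be between 0 and {MAX_DURATION}")
        req = Elevation(requester, role, justification, duration, break_glass)
        self._log(now, f"REQUEST {requester} -> {role} for {duration}: {justification}")
        if break_glass:
            self._log(now, f"ALERT break-glass elevation requested by {requester}")
        return req

    def approve(self, req: Elevation, approver: str, now: datetime) -> bool:
        """Record an approval; returns True once the grant is active."""
        if req.state is not State.PENDING:
            raise ValueError(f"request is already {req.state.value}")
        if approver == req.requester:
            raise PermissionError("segregation of duties: requester cannot self-approve")
        req.approvers.add(approver)
        needed = BREAK_GLASS_APPROVALS if req.break_glass else 1
        self._log(now, f"APPROVE {approver} ({len(req.approvers)}/{needed})")
        if len(req.approvers) >= needed:
            req.state, req.activated_at = State.ACTIVE, now
            self._log(now, f"ACTIVATE {req.requester} as {req.role} "
                           f"until {(now + req.duration).isoformat()}")
        return req.state is State.ACTIVE

    def is_elevated(self, req: Elevation, now: datetime) -> bool:
        """Authorisation check for every privileged call; expiry is enforced here."""
        if req.state is State.ACTIVE and now >= req.activated_at + req.duration:
            req.state = State.EXPIRED
            self._log(now, f"EXPIRE {req.requester} {req.role}")
        return req.state is State.ACTIVE


def demo() -> dict[str, bool]:
    """Exercise the broker; every value in the result should be True."""
    broker, out = JitBroker(), {}
    t0 = datetime(2024, 3, 1, 9, tzinfo=timezone.utc)
    req = broker.request("alice", "prod-admin", "INC-1234: disk full on db-01", timedelta(hours=2), t0)
    try:
        broker.approve(req, "alice", t0)
        out["self_approval_blocked"] = False
    except PermissionError:
        out["self_approval_blocked"] = True
    out["single_approval_activates"] = broker.approve(req, "bob", t0)
    out["elevated_inside_window"] = broker.is_elevated(req, t0 + timedelta(hours=1))
    out["expired_after_window"] = not broker.is_elevated(req, t0 + timedelta(hours=2))
    out["state_is_expired"] = req.state is State.EXPIRED
    bg = broker.request("carol", "root", "SEV1: region failover", timedelta(hours=1), t0, break_glass=True)
    out["break_glass_needs_two"] = not broker.approve(bg, "dave", t0)
    out["break_glass_second_activates"] = broker.approve(bg, "erin", t0)
    out["break_glass_alerted"] = any("ALERT" in e for e in broker.events)
    try:
        broker.request("frank", "prod-admin", "routine", timedelta(hours=9), t0)
        out["over_limit_rejected"] = False
    except ValueError:
        out["over_limit_rejected"] = True
    return out
```

Expiry is evaluated at check time rather than by a background timer so that a clock or scheduler failure fails closed: a grant whose window has passed is refused the moment anyone asks, whether or not a sweeper ran. A real deployment would back the same state machine with the cloud provider's temporary-credential mechanism (for example STS sessions whose lifetime equals the approved duration) rather than a long-lived role binding.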
Service Accounts and API Access
A.9.2.4 - Management of Secret Authentication Information of Users
API Key Management:
API Key Lifecycle
1. Creation
├─ Request and approval
├─ Generate with minimal permissions
├─ Set expiration (90 days recommended)
└─ Document purpose and owner
2. Storage
├─ Never in source code
├─ Use secrets management (HashiCorp Vault, AWS Secrets Manager)
├─ Encrypt at rest
└─ Access logging
3. Rotation
├─ Scheduled rotation (90 days)
├─ Emergency rotation capability
├─ Dual-key overlap period
└─ Automated where possible
4. Revocation
├─ Immediate upon compromise
├─ Project end
├─ Owner departure
└─ Verification of deletion
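The lifecycle above turns into code once you decide what the secrets store actually holds. The following in-memory store, an added example that is not the page's own code, keeps only a SHA-256 fingerprint of each key plus owner, purpose and expiry (so a dump of the store yields no usable credentials), returns the plaintext exactly once at issue time, rotates with a dual-key overlap window, revokes immediately on compromise, and lists keys due for rotation so a scheduler can drive the 90-day cadence. The 90-day period is the page's recommendation; the 7-day overlap and 14-day lead time are assumptions.

```python
"""API key lifecycle: issue, rotate with a dual-key overlap, revoke."""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ROTATION_PERIOD = timedelta(days=90)
OVERLAP_WINDOW = timedelta(days=7)       # old key keeps working while clients switch
ROTATION_LEAD_TIME = timedelta(days=14)  # start rotation this long before expiry


def fingerprint(key: str) -> str:
    """Stored in place of the key: enough to look it up, useless to an attacker."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass
class KeyRecord:
    owner: str
    purpose: str
    created: datetime
    expires: datetime
    revoked: bool = False


@dataclass
class KeyStore:
    records: dict[str, KeyRecord] = field(default_factory=dict)   # fingerprint -> record
    audit: list[str] = field(default_factory=list)

    def _record(self, key: str) -> KeyRecord:
        try:
            return self.records[fingerprint(key)]
        except KeyError:
            raise KeyError("unknown key") from None

    def issue(self, owner: str, purpose: str, now: datetime) -> str:
        """Mint a key; the plaintext is returned exactly once and never stored."""
        key = secrets.token_urlsafe(32)
        fp = fingerprint(key)
        self.records[fp] = KeyRecord(owner, purpose, now, now + ROTATION_PERIOD)
        self.audit.append(f"{now.isoformat()} ISSUE {fp[:12]} owner={owner} purpose={purpose}")
        return key

    def rotate(self, old_key: str, now: datetime) -> str:
        """Issue the successor and cut the old key's life to the overlap window."""
        old = self._record(old_key)
        old.expires = min(old.expires, now + OVERLAP_WINDOW)
        self.audit.append(f"{now.isoformat()} ROTATE {fingerprint(old_key)[:12]} "
                          f"overlap_until={old.expires.isoformat()}")
        return self.issue(old.owner, old.purpose, now)

    def revoke(self, key: str, now: datetime, reason: str) -> None:
        """Emergency path: takes effect immediately, no overlap."""
        rec = self._record(key)
        rec.revoked, rec.expires = True, now
        self.audit.append(f"{now.isoformat()} REVOKE {fingerprint(key)[:12]} reason={reason}")

    def authenticate(self, key: str, now: datetime) -> bool:
        rec = self.records.get(fingerprint(key))
        return rec is not None and not rec.revoked and now < rec.expires

    def due_for_rotation(self, now: datetime) -> list[str]:
        """Fingerprints of live keys expiring within the lead time."""
        return [fp for fp, r in self.records.items()
                if not r.revoked and now < r.expires <= now + ROTATION_LEAD_TIME]


def rotation_demo() -> dict[str, bool]:
    """Walk one key through the lifecycle; every value should be True."""
    store = KeyStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

    def day(n: int) -> datetime:
        return t0 + timedelta(days=n)

    k1 = store.issue("svc-billing-export", "nightly report upload", t0)
    not_due_day70 = store.due_for_rotation(day(70)) == []
    due_day80 = store.due_for_rotation(day(80)) == [fingerprint(k1)]
    k2 = store.rotate(k1, day(80))
    results = {
        "k1_valid_day30": store.authenticate(k1, day(30)),
        "not_due_day70": not_due_day70,
        "due_day80": due_day80,
        "k1_valid_in_overlap": store.authenticate(k1, day(86)),
        "k1_dead_after_overlap": not store.authenticate(k1, day(87)),
        "k2_valid_day87": store.authenticate(k2, day(87)),
        "unknown_rejected": not store.authenticate("not-a-key", day(87)),
    }
    store.revoke(k2, day(100), "leaked in CI log")
    results["k2_dead_after_revoke"] = not store.authenticate(k2, day(100))
    results["audit_complete"] = len(store.audit) == 4
    return results
```

The overlap window is what makes scheduled rotation safe to automate: the successor is issued first, clients pick it up from the secrets manager, and only then does the predecessor stop validating. Revocation deliberately skips that window, which is the behaviour you want when the trigger is a compromise rather than the calendar.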
Cloud Access Security Broker (CASB)
CLD.12.4.5 - Monitoring of Cloud Services
CASB Capabilities:
CASB Functions
├─ Visibility
│ ├─ Shadow IT discovery
│ ├─ User activity monitoring
│ ├─ Data flow mapping
│ └─ Risk assessment
│
├─ Data Security
│ ├─ DLP policies
│ ├─ Encryption enforcement
│ ├─ Tokenization
│ └─ Classification
│
├─ Threat Protection
│ ├─ Anomaly detection
│ ├─ Malware detection
│ ├─ Account compromise detection
│ └─ Insider threat detection
│
└─ Compliance
├─ Policy enforcement
├─ Compliance reporting
├─ Audit trail
└─ Regulatory controls
Key Takeaways
- Implement least privilege access
- Use identity federation for SSO
- Enforce MFA for all users
- Conduct regular access reviews
- Manage privileged access carefully
- Monitor and log all access
- Use CASB for visibility and control
Self-Assessment
- What is the principle of least privilege?
- How does identity federation work?
- Why is MFA important?
- How often should access reviews be conducted?
- What is Just-in-Time access?