New technologies often present interesting challenges for security teams, with cloud services such as AWS, Azure and GCP providing particularly novel cases in comparison to “classic” on-premises systems. As cloud services race to add new features that drive new customer interest and increase retention of existing clients, there is a very real risk of exposing new threat vectors to the business if even the most minor misconfiguration occurs. This makes the role of cloud administrators and their daily security practices all the more important.

Auditing administrator behavior has stood out as a must for many years, but as more and more administration functions move to hosted services, I’m seeing increasingly large gaps in the monitoring profiles of businesses. Specifically, I’m noticing that the tight controls that have been developed and refined for traditional IT are no longer in place.

Fortunately, the Center for Internet Security’s (CIS’s) guidelines around securing cloud platforms are largely in line with what many security teams would be familiar with. They include key controls such as:

AWS – 1.1 Avoid the use of the “root” account

The “root” account is the most privileged AWS account. Minimizing the use of this account and adopting the principle of least privilege for access management will reduce the risk of accidental changes and unintended disclosure of highly privileged credentials.

I’m sure most would agree that a control such as this would almost seem to be “common sense,” but the added pressure on cloud administrators to rapidly respond to new requirements as part of a DevOps-style workflow means that even simple controls like these can fail due to a desire to be seen to be responsive to the business’s needs. Such a perilous approach means that constant monitoring of the “fundamentals” is required. Indeed, a clear mandate
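As an added illustration of what “constant monitoring of the fundamentals” can look like for the root-account control above, the following Python is an example written for this page, not code from the original post or from CIS. It assumes the JSON record shape that AWS CloudTrail writes (the `userIdentity.type`, `userIdentity.invokedBy` and `eventType` fields) and models its match conditions on the CIS-recommended metric filter for root usage, which ignores actions a service performs on root’s behalf; the log lines themselves are constructed samples.

```python
import json
from collections import Counter

# Constructed CloudTrail-style records (sample data, not real log output).
# Each entry is serialized to one JSON line, as CloudTrail delivers events.
SAMPLE_LINES = [json.dumps(e) for e in [
    {"eventTime": "2024-01-15T08:02:11Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventTime": "2024-01-15T09:41:03Z", "eventName": "ConsoleLogin",
     "eventType": "AwsConsoleSignIn", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-15T09:45:30Z", "eventName": "CreateStack",
     "eventType": "AwsApiCall", "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventTime": "2024-01-15T10:00:00Z", "eventName": "RebootInstance",
     "eventType": "AwsServiceEvent", "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
    {"eventTime": "2024-01-15T09:52:47Z", "eventName": "CreateUser",
     "eventType": "AwsApiCall", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "Root", "accountId": "123456789012"}},
]]


def is_interactive_root_usage(event: dict) -> bool:
    """True when a person (or their credentials) acted as the root user.

    Mirrors the CIS metric-filter logic (assumed here):
    type == Root, no invokedBy (not a service acting for root),
    and not an AwsServiceEvent generated by AWS itself.
    """
    identity = event.get("userIdentity", {})
    if identity.get("type") != "Root":
        return False
    if "invokedBy" in identity:
        return False
    if event.get("eventType") == "AwsServiceEvent":
        return False
    return True


def find_root_usage(lines):
    """Parse newline-delimited JSON events and return the flagged ones,
    ordered by eventTime, as (time, eventName, sourceIPAddress) tuples."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            # A malformed line should be noticed, not silently skipped,
            # but it must not abort the whole pass over the log.
            continue
        if is_interactive_root_usage(event):
            findings.append((event.get("eventTime", ""),
                             event.get("eventName", ""),
                             event.get("sourceIPAddress", "")))
    return sorted(findings)


def summarize_sources(findings):
    """Count flagged root actions per source address, useful for spotting
    whether root use came from one expected location or several."""
    return Counter(src for _, _, src in findings)


if __name__ == "__main__":
    hits = find_root_usage(SAMPLE_LINES)
    for when, name, src in hits:
        print(f"ROOT USAGE {when} {name} from {src}")
    print(summarize_sources(hits))
```

Of the five sample records, only the console login and the CreateUser call are reported; the CloudFormation-invoked action and the AWS-generated service event are excluded because they do not represent someone choosing to work as root. In practice the same conditions would be expressed as a CloudWatch metric filter with an alarm, but running the logic locally over exported logs is a quick way to verify that the control is actually being observed.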