Privileged Access Management
What Is Privileged Access Management (PAM)?
Privileged Access Management (PAM) refers to the implementation of security measures and best practices to control and monitor access to critical resources within cloud platforms. For cloud foundation teams, it is about safeguarding administrative roles that enable access to core infrastructure, ensuring the security, compliance, and visibility needed to oversee application teams' cloud usage.
💡 From the perspective of application teams, privileged access management refers to access to cloud tenants and infrastructure running their workloads. The cloud foundation maturity model discusses this perspective separately in the Resource Authorization Management capability.
This article explores the essential aspects of Privileged Access Management and provides best practice recommendations for AWS, Azure, and GCP.
The Significance of Privileged Access Management
Privileged Access Management is essential for several reasons:
Security: Protecting privileged accounts is critical to prevent unauthorized access and potential security breaches that could lead to data leaks or system compromises.
Compliance: Many regulatory standards require strict control and monitoring of privileged access, making PAM crucial for maintaining compliance.
Operational Efficiency: Proper PAM ensures that authorized users have the necessary access to perform their duties efficiently, reducing operational risks.
Auditing and Monitoring: It allows for comprehensive tracking and auditing of actions taken by privileged users, enabling timely threat detection and response. The underlying data is usually provided by Centralized Audit Logs.
Privileged Roles for Cloud Foundation Teams
A typical cloud foundation will have various roles, each with its set of responsibilities. These roles typically include:
Security Auditors: Responsible for ensuring compliance and security across cloud resources.
Billing Admins: Manage financial aspects of cloud usage and allocate costs to various teams or projects.
Network Admins: Oversee networking configurations, ensuring connectivity and security.
Platform Engineers: Responsible for deploying Landing Zones, performing or automating Tenant Provisioning and Tenant Deprovisioning / Decommissioning, as well as deploying individual services as part of Modular Landing Zones.
Emergency Access Accounts and "Break Glass Routine"
Emergency access accounts are a crucial part of PAM. These accounts are reserved for rare, critical situations, such as when standard access mechanisms fail or during security incidents. To ensure controlled access:
Define Strict Access Procedures: Create detailed procedures for who can access these accounts and under what circumstances.
Regular Review: Periodically review and update these procedures to ensure their effectiveness.
Multi-Factor Authentication (MFA): Enforce MFA for emergency accounts to add an extra layer of security.
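Because emergency accounts should almost never be used, every use of one (and any use of a root identity) is worth an alert that can be reconciled against the documented break-glass procedure. The following detector is an added example, not code from the original page: it parses a CloudTrail log file (a JSON document with a "Records" array) and flags root-user activity, root or break-glass console logins without MFA, and any sign-in by an account listed in the hypothetical BREAK_GLASS_USERS set. The sample records are constructed for illustration; the account id and IP addresses are documentation values.

```python
import json

# Constructed sample CloudTrail records (illustrative, not captured from a real account).
# Field names follow the CloudTrail record format; account id and IPs are documentation values.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {
        "eventTime": "2024-01-10T02:14:07Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "Root", "accountId": "111122223333",
                         "arn": "arn:aws:iam::111122223333:root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-01-10T02:20:31Z",
        "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin",
        "sourceIPAddress": "198.51.100.23",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "userName": "breakglass-admin",
                         "arn": "arn:aws:iam::111122223333:user/breakglass-admin"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {
        "eventTime": "2024-01-10T09:05:12Z",
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "sourceIPAddress": "203.0.113.5",
        "userIdentity": {"type": "IAMUser", "accountId": "111122223333",
                         "userName": "alice",
                         "arn": "arn:aws:iam::111122223333:user/alice"},
        "requestParameters": {
            "roleArn": "arn:aws:iam::111122223333:role/PlatformEngineer",
            "durationSeconds": 3600},
    },
]})

# Hypothetical names of the emergency access accounts defined by the break-glass procedure.
BREAK_GLASS_USERS = {"breakglass-admin"}


def classify_event(event):
    """Return alert strings for one CloudTrail record (empty list if nothing is notable)."""
    alerts = []
    identity = event.get("userIdentity", {})
    name = event.get("eventName")
    src = event.get("sourceIPAddress", "?")
    mfa_used = event.get("additionalEventData", {}).get("MFAUsed") == "Yes"

    if identity.get("type") == "Root":
        # Any root activity should be rare and tied to a documented break-glass ticket.
        alerts.append(f"CRITICAL root user activity: {name} from {src}")
        if name == "ConsoleLogin" and not mfa_used:
            alerts.append("CRITICAL root console login without MFA")
    elif identity.get("type") == "IAMUser" and identity.get("userName") in BREAK_GLASS_USERS:
        alerts.append(f"HIGH break-glass account used: {identity['userName']} ({name}) from {src}")
        if name == "ConsoleLogin" and not mfa_used:
            alerts.append(f"HIGH break-glass login without MFA: {identity['userName']}")
    return alerts


def scan_cloudtrail(raw_json):
    """Parse a CloudTrail log file and return (eventTime, alert) tuples for every
    record that warrants follow-up against the break-glass procedure."""
    records = json.loads(raw_json).get("Records", [])
    findings = []
    for rec in records:
        for alert in classify_event(rec):
            findings.append((rec.get("eventTime"), alert))
    return findings


if __name__ == "__main__":
    for when, alert in scan_cloudtrail(SAMPLE_CLOUDTRAIL):
        print(when, alert)
```

Run against the constructed sample, the root login yields two alerts (root activity, and no MFA), the break-glass login yields one, and the ordinary AssumeRole by alice yields none. In practice the same logic would run over the centralized audit log feed, and every HIGH or CRITICAL finding would be matched to an approved emergency-access record during the periodic review.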
If your organization is already using on-premise Privileged Access Management solutions like CyberArk, you can extend their capabilities to the cloud. These solutions offer centralized control and monitoring of privileged access, making them valuable in a multi-cloud environment.
Best Practices for Implementing Privileged Access Management
AWS Privileged Access Management Best Practices
Root User Credential Management: The AWS root user should have its password securely stored and only accessed through a well-documented and tightly controlled "break glass" procedure. Cloud Foundation teams should not hand over these credentials to application teams.
Use IAM Roles: AWS Identity and Access Management (IAM) roles should be employed for day-to-day administrative tasks instead of root user access.
Temporary Access: Implement Temporary Elevated Access by assuming privileged roles only for the duration necessary to perform administrative operations.
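Whether a privileged IAM role actually gives temporary, MFA-backed access is decided by its trust policy and its MaxSessionDuration. The check below is an added example, not code from the original page: it compares a weak role definition (trusting the whole account via the account's root ARN, no MFA condition, 12-hour sessions) with a hardened one and returns a list of findings. The two role documents are constructed, the account id is a documentation value, and the one-hour limit in MAX_PRIVILEGED_SESSION_SECONDS is an assumed organizational policy.

```python
# Two constructed role definitions (not from a real account; account id is a documentation value).
# The weak role trusts the whole account and allows 12-hour sessions with no MFA condition;
# the hardened role trusts one engineering role, requires MFA and caps sessions at one hour.
WEAK_ROLE = {
    "RoleName": "PlatformAdmin",
    "MaxSessionDuration": 43200,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
            "Action": "sts:AssumeRole",
        }],
    },
}

HARDENED_ROLE = {
    "RoleName": "PlatformAdmin",
    "MaxSessionDuration": 3600,
    "AssumeRolePolicyDocument": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/PlatformEngineer"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
}

# Assumed organizational policy: a privileged session should not outlive one working session.
MAX_PRIVILEGED_SESSION_SECONDS = 3600


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _aws_principals(principal):
    """Normalise the Principal element to a list of AWS principal strings."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS", []))
    return []


def check_privileged_role(role):
    """Return a list of findings; an empty list means the role passes every check."""
    findings = []
    duration = role.get("MaxSessionDuration", 3600)
    if duration > MAX_PRIVILEGED_SESSION_SECONDS:
        findings.append(f"MaxSessionDuration {duration}s exceeds {MAX_PRIVILEGED_SESSION_SECONDS}s")

    statements = _as_list(role["AssumeRolePolicyDocument"].get("Statement", []))
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        for p in _aws_principals(stmt.get("Principal", {})):
            # "arn:aws:iam::<account>:root" delegates trust to every principal in that account.
            if p == "*" or p.endswith(":root"):
                findings.append(f"trust statement allows a broad principal: {p}")
        mfa = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(mfa).lower() != "true":
            findings.append("trust statement does not require aws:MultiFactorAuthPresent")
    return findings


if __name__ == "__main__":
    for label, role in (("weak", WEAK_ROLE), ("hardened", HARDENED_ROLE)):
        print(label, check_privileged_role(role) or ["ok"])
```

The weak role produces three findings (session length, broad principal, missing MFA condition) and the hardened role none. The same function can be fed the output of an IAM role listing to review every role a cloud foundation team considers privileged.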
Azure Privileged Access Management Best Practices
Azure Active Directory (AAD) provides built-in PAM mechanisms:
Azure Privileged Identity Management (PIM): Azure PIM allows just-in-time privileged access, ensuring roles are only active when needed.
Azure Conditional Access: Implement Conditional Access policies to restrict access based on various criteria, such as location, device, and risk.
💡 Leveraging some of these features requires AAD Premium P1 or P2 licenses.
GCP Privileged Access Management Best Practices
GCP does not offer built-in PAM capabilities comparable to those of AAD. However, GCP has no root user credentials of the kind AWS has, which simplifies PAM because there is no standing master credential to protect.
External Identity Providers: GCP allows you to integrate with external identity providers (IdPs), such as Google Workspace, LDAP, or SAML-based providers. This lets you leverage the existing PAM mechanisms of the external identity provider.
In conclusion, Privileged Access Management is a cornerstone of cloud security and governance. By implementing the best practices outlined for AWS, Azure, and GCP, cloud foundation teams can ensure the integrity and security of their cloud infrastructure while supporting the diverse needs of their application teams.
Related Tools
- GCP Fabric FAST
  Leverages the use of groups instead of assigning roles directly to users. The principle of least privilege is applied by assigning only the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.
- GCP CFT - Example Foundation
  Leverages the use of groups instead of assigning roles directly to users. The principle of least privilege is applied by assigning the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.
- GCP Setup Checklist
  Leverages the use of groups instead of assigning roles directly to users. The principle of least privilege is applied by assigning the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.
- Azure CAF Terraform Modules
  Service principals are created with privileges only on their specific level; you can impersonate them to deploy modules from that level.
- AWS Control Tower with Account Factory
  Uses the IAM Identity Center service to offer preconfigured groups. You can then add users to those groups based on their role in the organization.
- AWS Control Tower with AFT
  By default, the user email set in the account request is assigned AdministratorAccess to the account. Additionally, groups created by Control Tower are assigned specific permissions: the AWSSecurityAuditPowerUsers group is assigned AWSPowerUserAccess, the AWSControlTowerAdmins group is assigned AWSOrganizationsFullAccess, and the AWSSecurityAuditors group is assigned AWSReadOnlyAccess in that account.
- AWS Landing Zone Accelerator
  By default it defines only an Administrator group. But as you can base it on AWS Control Tower, you can make use of the advanced default roles created by AWS Control Tower.