Privileged Access Management

⭐️⭐️☁️ Platform

Implement appropriate security controls for privileged access as defined in the Authorization Concept. These must cover access to administrative cloud platform roles (e.g. Global Admins, Global Readers) and shared services (e.g. on-premise connectivity hubs).

What Is Privileged Access Management (PAM)?

In an enterprise environment, “privileged access” is a term used to designate special access or abilities above and beyond that of a standard user. Privileged access allows organizations to secure their infrastructure and applications, run business efficiently and maintain the confidentiality of sensitive data and critical infrastructure.

Access to cloud tenants is usually not a privileged operation from a cloud foundation perspective but for application teams it is the other way round. From the application team perspective, cloud tenants are an infrastructure and access to the application infrastructure is usually administrative/privileged. Application teams using these cloud tenants need to be equipped with appropriate means to secure access to the environments.

Key Points

Below you will find some important points to understand PAM better:

  • Let us first understand what is open and closed landing zone.

    Open landing zone designs allow teams to create and modify Identity and Access Management (IAM) roles and permissions on cloud tenants. The cloud foundation only enforces a minimum set of IAM policies on the tenant.

    Closed landing zone designs on the other hand prevent teams from creating or modifying IAM roles and permissions on cloud tenants. Teams must request all such changes via the cloud foundation team.

    For more details on authorization and privileged access, please refer to the topic Resource Authorization Management.

  • Emergency access accounts are highly privileged, and they are not assigned to specific individuals. Emergency access accounts are limited to emergency or "break glass" scenarios where normal administrative accounts can't be used. It is recommended that you maintain a goal of restricting emergency account use to only the times when it is absolutely necessary. For example, when an important application has stopped functioning and operating users need access to debug and fix the problem, or when project access for a specific user must be immediately revoked due to an account compromise.

  • PAM is grounded in the principle of least privilege wherein users only receive the minimum levels of access required to perform their job functions. The principle of least privilege is widely considered to be a best practice and is a fundamental step in protecting privileged access to high-value data and assets.
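Because a break-glass account should only ever be used in a genuine emergency, every sign-in by one is worth an alert, and repeated use over a short period is a sign that it has become a routine admin account. The following added example (not code from the page) shows both checks over constructed sign-in records that mirror a few Azure AD sign-in log fields (userPrincipalName, createdDateTime, ipAddress, status.errorCode); the account names, the sample records and the 30-day threshold are assumptions.

```python
"""Flag every sign-in by an emergency ("break glass") account.

Added example, not from the page. The sign-in records below are constructed
to mirror a few fields of Azure AD sign-in logs; the account names and the
usage threshold are assumptions for the sake of the example.
"""
import json
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumption: the tenant's break-glass accounts are a short, known list.
BREAK_GLASS_ACCOUNTS = {"bg-admin-01@example.com", "bg-admin-02@example.com"}
# Assumption: more successful uses than this in 30 days means routine, not emergency, use.
MAX_USES_PER_30_DAYS = 2


@dataclass(frozen=True)
class Alert:
    when: datetime
    account: str
    ip: str
    succeeded: bool
    message: str


def parse_signin(line):
    """Parse one JSON sign-in record into (upn, timestamp, ip, succeeded)."""
    rec = json.loads(line)
    when = datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))
    # Azure AD reports errorCode 0 for a successful sign-in; anything else is a failure.
    succeeded = rec.get("status", {}).get("errorCode", 1) == 0
    return rec["userPrincipalName"].lower(), when, rec.get("ipAddress", "unknown"), succeeded


def detect_break_glass_use(lines, accounts=BREAK_GLASS_ACCOUNTS):
    """Every sign-in attempt (successful or failed) by a break-glass account is an alert."""
    alerts = []
    for line in lines:
        upn, when, ip, ok = parse_signin(line)
        if upn in accounts:
            alerts.append(Alert(when, upn, ip, ok,
                                "break-glass sign-in; confirm an approved emergency ticket exists"))
    return alerts


def routine_use(alerts, now, max_uses=MAX_USES_PER_30_DAYS):
    """Return {account: count} for accounts used successfully more than max_uses in 30 days."""
    window_start = now - timedelta(days=30)
    counts = Counter(a.account for a in alerts if a.succeeded and a.when >= window_start)
    return {acct: n for acct, n in counts.items() if n > max_uses}


# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    '{"userPrincipalName": "alice@example.com", "createdDateTime": "2024-03-01T08:00:00Z", "ipAddress": "198.51.100.4", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bg-admin-01@example.com", "createdDateTime": "2024-03-01T02:14:07Z", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bg-admin-02@example.com", "createdDateTime": "2024-03-02T23:40:11Z", "ipAddress": "203.0.113.77", "status": {"errorCode": 50126}}',
    '{"userPrincipalName": "bg-admin-01@example.com", "createdDateTime": "2024-03-05T11:05:30Z", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bg-admin-01@example.com", "createdDateTime": "2024-03-09T16:22:45Z", "ipAddress": "203.0.113.12", "status": {"errorCode": 0}}',
    '{"userPrincipalName": "bob@example.com", "createdDateTime": "2024-03-09T17:00:00Z", "ipAddress": "198.51.100.9", "status": {"errorCode": 50074}}',
]
# Fixed "now" so the 30-day window over the constructed data is deterministic.
NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    found = detect_break_glass_use(SAMPLE_SIGNINS)
    for a in found:
        print(a.when.isoformat(), a.account, a.ip, "OK" if a.succeeded else "FAILED", a.message)
    print("routine use:", routine_use(found, NOW))
```

Failed sign-ins are kept as alerts on purpose: a password-guessing attempt against a break-glass account is at least as interesting as a successful one, and the failed attempt from bg-admin-02 above is reported alongside the successful uses of bg-admin-01, which trips the routine-use threshold.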

Implementation of PAM

Azure Active Directory (AAD)

Privileged Identity Management (PIM) is a service in Azure Active Directory (Azure AD) that enables you to manage, control, and monitor access to important resources in your organization. For more details, please refer to Azure AD Privileged Identity Management.

Google Cloud Identity

In Azure it is possible to restrict access to the production environment using Azure AD. This can be achieved using Google Cloud Organization Service. Also, if you use Google Cloud Directory Sync you can manage users through Azure Active Directory and use it to authenticate against Google Cloud.

AWS SSO

PAM solutions are designed to enforce consistent PAM best practices every time a new AWS account is set up, whether that’s by the security team, the infrastructure team or a single developer building an application. For more details, please refer to Managing temporary elevated access.

  • GCP Fabric FAST

    Leverages the use of groups instead of directly assigning roles to users. The principle of least privilege is applied by assigning only the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.

    Learn More
  • GCP CFT - Example Foundation

    Leverages the use of groups instead of directly assigning roles to users. The principle of least privilege is applied by assigning only the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.

    Learn More
  • GCP Setup Checklist

    Leverages the use of groups instead of directly assigning roles to users. The principle of least privilege is applied by assigning only the necessary roles to each group. Furthermore, service accounts are created for automation that can be impersonated by selected groups.

    Learn More
  • Azure CAF Terraform Modules

    Service Principals are created with privileges only on their specific level; you can impersonate them to deploy modules from that level.

    Learn More
  • AWS Control Tower with Account Factory

    Uses the IAM Identity Center service to offer preconfigured groups. You can then add users to those groups based on their role in the organization.

    Learn More
  • AWS Control Tower with AFT

    By default, the user email set in the account request is assigned AdministratorAccess to the account. Additionally, the groups created with Control Tower are assigned specific permissions in that account: the AWSSecurityAuditPowerUsers group is assigned AWSPowerUserAccess, the AWSControlTowerAdmins group is assigned AWSOrganizationsFullAccess, and the AWSSecurityAuditors group is assigned AWSReadOnlyAccess.

    Learn More
  • AWS Landing Zone Accelerator

    By default it defines only an Administrator group. But as you can base it on AWS Control Tower, you can make use of the advanced default roles created by AWS Control Tower.

    Learn More
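The GCP items above (Fabric FAST, CFT Example Foundation, Setup Checklist) and the AWS Control Tower items all rest on the same pattern: bind roles to groups rather than to individual users, keep the roles narrow, and let only selected groups impersonate the automation service accounts. The following added example (not code from the page or from any of those projects) audits IAM bindings against that pattern. It normalises both a GCP IAM policy and a list of IAM Identity Center account assignments into the same shape and runs one rule set over them; the sample policy documents are constructed, the permission-set names are taken from the text above, and the rules and severities are assumptions about what a foundation team would enforce.

```python
"""Audit IAM bindings for the group-based least-privilege pattern.

Added example (not code from the page or from the FAST / CFT / Control Tower
projects). The two policy documents below are constructed sample data; the rule
set and severities are assumptions about what a foundation team would enforce.
"""
from dataclasses import dataclass

# GCP basic roles are coarse-grained and flagged wherever they appear.
GCP_BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Holding either of these on a service account lets the member act as that account.
GCP_IMPERSONATION_ROLES = {"roles/iam.serviceAccountTokenCreator",
                           "roles/iam.serviceAccountUser"}
# Permission sets treated as broad (assumption: matched by name for this example).
AWS_BROAD_PERMISSION_SETS = {"AdministratorAccess"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "medium", "high" or "critical"
    principal: str
    role: str
    message: str


def normalize_gcp_bindings(policy):
    """Flatten a GCP IAM policy into (principal_type, principal, role) tuples.

    Members look like "user:alice@example.com", "group:...", "serviceAccount:..."
    or the special values "allUsers" / "allAuthenticatedUsers" (no colon).
    """
    rows = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            ptype, sep, pid = member.partition(":")
            if not sep:                      # allUsers / allAuthenticatedUsers
                ptype, pid = member, member
            rows.append((ptype, pid, binding["role"]))
    return rows


def normalize_aws_assignments(assignments):
    """Flatten IAM Identity Center account assignments into the same shape.

    Each constructed record mirrors the PrincipalType ("USER"/"GROUP") and
    PrincipalId fields of an account assignment; the permission set is
    referenced by name here (assumption) rather than by ARN.
    """
    return [(a["PrincipalType"].lower(), a["PrincipalId"], a["PermissionSetName"])
            for a in assignments]


def audit(rows, broad_roles, impersonation_roles=frozenset()):
    """Rules: no public grants, bind groups not users, avoid broad roles, impersonate via groups."""
    findings = []
    for ptype, pid, role in rows:
        if ptype in ("allUsers", "allAuthenticatedUsers"):
            findings.append(Finding("critical", pid, role,
                                    "role granted to the public; remove the binding"))
        elif ptype == "user":
            findings.append(Finding("medium", pid, role,
                                    "role bound directly to a user; bind a group instead"))
        if role in broad_roles:
            severity = "medium" if ptype == "group" else "high"
            findings.append(Finding(severity, pid, role,
                                    "broad role; replace with a narrowly scoped role"))
        if role in impersonation_roles and ptype not in ("group", "serviceAccount"):
            findings.append(Finding("high", pid, role,
                                    "service account impersonation granted outside a group"))
    return findings


def audit_gcp_policy(policy):
    return audit(normalize_gcp_bindings(policy), GCP_BASIC_ROLES, GCP_IMPERSONATION_ROLES)


def audit_aws_assignments(assignments):
    return audit(normalize_aws_assignments(assignments), AWS_BROAD_PERMISSION_SETS)


# Constructed sample data (not from any real project).
SAMPLE_GCP_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:alice@example.com"]},
    {"role": "roles/iam.serviceAccountTokenCreator",
     "members": ["group:platform-deployers@example.com", "user:bob@example.com"]},
    {"role": "roles/compute.viewer", "members": ["group:app-readers@example.com"]},
    {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
]}
SAMPLE_AWS_ASSIGNMENTS = [
    {"PrincipalType": "USER", "PrincipalId": "owner@example.com", "PermissionSetName": "AdministratorAccess"},
    {"PrincipalType": "GROUP", "PrincipalId": "AWSSecurityAuditPowerUsers", "PermissionSetName": "AWSPowerUserAccess"},
    {"PrincipalType": "GROUP", "PrincipalId": "AWSControlTowerAdmins", "PermissionSetName": "AWSOrganizationsFullAccess"},
    {"PrincipalType": "GROUP", "PrincipalId": "AWSSecurityAuditors", "PermissionSetName": "AWSReadOnlyAccess"},
]

if __name__ == "__main__":
    for f in audit_gcp_policy(SAMPLE_GCP_POLICY) + audit_aws_assignments(SAMPLE_AWS_ASSIGNMENTS):
        print(f"[{f.severity}] {f.principal} / {f.role}: {f.message}")
```

Run against the constructed data, the GCP policy yields six findings (the owner binding to a user, the token-creator grant to a user, and the viewer grant to every authenticated principal), while on the AWS side only the default AdministratorAccess assignment to the requesting user's email is reported; the three Control Tower group assignments pass, which is the state the projects above aim for. In practice you would feed it the output of `gcloud projects get-iam-policy --format=json` or of the Identity Center `ListAccountAssignments` API.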