To reduce mismanagement of complex cloud services overstuffed with multiple accounts and projects, end users should consider least privileged access as a core tenet, and then support that practice with role-based policies, multi-factor authentication and secrets management, according to Don Edwards, worldwide tech leader, identity, at Amazon Web Services.
Consider how best to securely organize your accounts according to user needs, and then apply least-privilege standards to those accounts, said Edwards in an interview with SC Media at the CyberRisk Alliance's Identiverse Conference last week. "For example, you might want to have a vertical of accounts that are for security purposes and [have] very limited access to those accounts. All of your logs and ... analysis tools go into those security-related accounts," he explained.
"Those would be kept separate from your development accounts, which tend to have more loose identity and access management policies. And those would be kept separately from your production accounts, which again, would have very strict rules around who can access what."
Especially for your highest privileged accounts, such as root accounts, multi-factor authentication is "absolutely essential," Edwards asserted. Ideally, passwords for cloud access would be eliminated altogether, he added, but if you do use passwords, then keep them short-term, for only as long as the users need them for a particular project, he added.
Edwards also advised looking at privileged as an ongoing, evolving journey. "So you want to start off with the policies that you think are at least privilege and then continuously analyze them to make sure that the reality ... of the usage is is the same as the what the policies actually allow," he said.
For more insights and advice from Edwards, watch the embedded video.