CSA CCM IAM-16
Authorization Mechanisms

Authorization is a critical component of identity and access management. It's the process of verifying that a user or system has permission to access specific data or perform certain functions. Defining, implementing and evaluating robust authorization processes, procedures and technical controls is essential for maintaining the security of your cloud environment.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26. You can download the full matrix from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM provides a comprehensive set of controls that are aligned to leading standards, best practices and regulations. For more information on authorization in AWS specifically, check out the AWS Identity and Access Management documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Who should care?

  • Cloud architects designing secure environments
  • Developers building applications that handle sensitive data
  • Security engineers responsible for access control
  • Compliance officers ensuring adherence to standards and regulations

What is the risk?

Without proper authorization controls in place, users or systems may gain access to data or functions they shouldn't. This could lead to:

  • Data breaches exposing sensitive information
  • Unauthorized modification or deletion of critical data
  • Abuse of elevated privileges to perform malicious actions

Strong authorization mechanisms can significantly reduce the likelihood and impact of these risks by ensuring only authorized entities can access protected resources.

What's the care factor?

Authorization should be a top priority for any organization operating in the cloud. Unauthorized access is consistently one of the biggest causes of data breaches. The financial and reputational damage from inadequate authorization can be severe, especially for companies handling regulated data like financial or health records. Investing time upfront to get authorization right will pay major dividends.

When is it relevant?

Authorization mechanisms should be applied whenever:

  • Sensitive data is being stored or processed
  • Privileged actions can be performed (e.g. modifying configurations)
  • Compliance standards or regulations must be met

Authorization may be less critical for purely public data or isolated test/dev environments. But in general, it's better to start with a "default deny" stance.

What are the trade-offs?

Implementing granular authorization controls requires careful planning and ongoing management. It can add complexity to system design and maintenance. Overly restrictive policies can hamper productivity if not well tuned. And there is always a balance between security and usability. However, the security benefits usually far outweigh these costs. Leveraging cloud provider tools and a well-considered authorization model can streamline implementation.

How to make it happen?

  1. Catalogue your sensitive data and critical system functions. Determine what needs to be protected.
  2. Design your authorization model. Use role-based access control (RBAC) principles to define a clear set of roles and permissions that support your business needs with least privilege.
  3. Implement the technical controls:
    • In AWS, use IAM users, groups and roles to define principals.
    • Create granular IAM policies that specify exactly which actions and resources each principal can access. Favor separate policies for each requirement.
    • Attach policies to IAM groups for baseline permissions.
    • Use IAM roles and trust policies to enable secure cross-account access and identity federation.
    • Leverage AWS managed policies for common use cases.
  4. Integrate authorization checks into your application code. Use AWS SDKs and signing mechanisms to ensure all requests are properly authorized.
  5. Monitor and alert on authorization activity using AWS CloudTrail and IAM Access Analyzer. Trigger alerts on root user activity, IAM policy changes, unauthorized API calls, etc.
  6. Regularly review and update authorization policies. Use access reviews and automated analysis tools to find and fix excess permissions.

What are some gotchas?

  • Incorrect IAM policy syntax can lead to unintended access. Use the IAM policy validator and policy simulator to check policies.
  • Be very cautious with "Resource":"*" in IAM policies. This can easily provide more access than intended.
  • Managing inline policies on individual users/roles doesn't scale. Prefer group and AWS managed policies.
  • AWS service roles and instance profiles need specific trust policies. Make sure the role an EC2 instance uses has a trust policy that allows the EC2 service to assume it and is attached through an instance profile.
  • Changing attached policies has immediate effect. Have a rollback plan.
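As an added example (not code from the CCM or from AWS documentation), the check below covers step 3 of "How to make it happen" and the first two gotchas above: it walks an IAM policy document and reports Allow statements with a wildcard action, "Resource":"*", or iam:PassRole scoped to every role, while skipping Deny statements where a wildcard narrows rather than widens access. The two policy documents, the bucket ARN and the role ARN are constructed for illustration.

```python
import json

# Constructed sample policies for illustration (not from any real account).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-app-bucket/uploads/*"},
        {"Effect": "Allow", "Action": "iam:PassRole",
         "Resource": "arn:aws:iam::123456789012:role/example-app-task-role"},
    ],
}


def _as_list(value):
    # IAM accepts a string or a list for Statement/Action/Resource; normalise to a list.
    return [] if value is None else (value if isinstance(value, list) else [value])


def find_broad_statements(policy):
    """Return (statement_index, reason) findings for Allow statements that use
    wildcards too freely: Action "*" or "service:*", Resource "*", and
    iam:PassRole combined with Resource "*". Deny statements are skipped.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((idx, f"wildcard action {action}"))
        if "*" in resources:
            findings.append((idx, 'Resource "*"'))
            if "iam:passrole" in actions:
                findings.append((idx, "iam:PassRole on any role"))
    return findings
```

Run it over policy documents pulled from your account (e.g. the output of `aws iam get-policy-version`) before attaching them; it complements, rather than replaces, the IAM policy validator and simulator.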

Key IAM permissions:

  • iam:CreatePolicy, iam:CreatePolicyVersion, iam:AttachRolePolicy, etc. - for policy management
  • iam:PassRole - to allow an identity to pass a role to a service
  • sts:AssumeRole - to allow identities to assume roles

See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_permissions_reference.html

What are the alternatives?

  • Attribute-based access control (ABAC) using tags is an alternative to traditional RBAC. It can provide more flexible and dynamic authorization.
  • Open Policy Agent (OPA) is an open source solution for unified, fine-grained authorization across cloud native environments.
  • Custom Lambda authorizers allow you to define custom authorization logic for APIs.
