Using Solvo’s IAMagnifier to eliminate cloud access blind spots

Customer Profile

Solvo’s customer is a fast-growing multinational software company headquartered in the US developing various cloud-based enterprise applications, with geographically distributed engineering and operations teams across the globe. The company runs most of its infrastructure in the cloud, relying on AWS services to optimize application development and deployment processes, and scale applications globally at lower costs.

Challenge

The customer is using the AWS Organizations account management service to consolidate and centrally manage multiple AWS accounts, and secure access to cloud infrastructure resources. The company has set up an AWS account to host the development (DEV) environment, and another account to host the production (PROD) environment. To connect to a specific environment, users run the sts:assume role command, as shown in the diagram below:

Last year, a new junior developer joined one of the engineering teams. Rather than giving permission to assume the admin role in the development account, the DevOps engineer in charge of creating new accounts accidentally granted permission to the new employee to assume the admin role in the production account. As part of the training, the developer created and made changes to the infrastructure in the AWS account. Having access to the production account, the developer mistakenly connected to the production account and carried out the training there. During the training, the developer accidentally deleted an AWS CloudWatch subscription filter that sends log records to an external application performance monitoring (APM) system. As a result, an alert was triggered in the monitoring system. The operations team investigated the alert and found out that the developer deleted the integration. To mitigate this vulnerability, the operations team revoked the developer permissions and granted permissions only to the development environment.


This incident lasted 4 days. Fortunately, the APM tool created an alert about the change, and the operations team was able to resolve the issue before the system was affected. However, the incident exposed the company to a significant risk as during this time, since the developer could have made changes in the production account that could have affected service availability and data confidentiality.

Solution

Following the incident, the customer decided to implement a solution that would identify and provide alerts on issues such as misconfigured access permissions as soon as they occur. A key requirement was the ability to get real-time alerts while minimizing false positives to enable the operations team to focus on the most critical vulnerabilities.

The customer chose Solvo’s IAMagnifier for its ability to provide accurate, contextual visibility into the cloud environment. Using IAMagnifier, it was able to identify who has permission to execute the sts:assume role action for roles in the PROD environment, investigate and restrict how this permission is used, identify users with excessive permissions, and much more.

To prevent similar incidents from occurring in the future, an alert was created to notify the operations team (via Slack, Email, SNS, webhook, and more) when a user in the master account is given permission to assume a role in the production account.

Benefits

According to the company’s Head of Operations, with IAMagnifier in place, “the incident could have been resolved in minutes instead of days, reducing the risk of affecting the service availability or exposing sensitive data.”

By using IAMagnifer, the customer was able to gain visibility into its expanding cloud infrastructure. It can now run queries and create graph-based maps of users, cloud resources, and access policies, identify chains of permissions, continuously identify risky, unused or excessive permissions, and easily adjust or create least-privileged access policies accordingly.

Due to Solvo’s multi-dimensional, contextual monitoring and analysis of infrastructure resources, applications and user behavior, and the data associated with them, the customer can identify and prioritize vulnerabilities based on their exploitability and potential impact, and resolve them in a timely manner.

How IAMagnifier works

IAMagnifier is designed for ease-of-use and self-service.

To gain immediate insights into the cloud security posture, users simply have to perform the following steps:

Illuminate Cloud Risks, Empower Security.

Discover and address cloud risks effectively and empower your security team with the autonomy they need.

Or explore on your own time with a free trial

Request a demo