AWS Access Security Mistakes our Customers Have Made — and How to Fix Them

April 24th, 2017 / smarter identity

Recently I’ve been looking into how our customers use Amazon Web Services (AWS), and a recurring theme is that it is one of their most critical resources. As customers grow, their AWS environments become more complex: they have to scale access to sensitive resources for many end users across many AWS accounts.

Although AWS provides a number of identity and access management (IAM) tools and best practices to help with this process, it can still be difficult to achieve the visibility and control you need to maximize security and efficiency.

Because of this, OneLogin built an integration with AWS for secure multi-role, multi-account access. This helps our customers automate and scale access control to thousands of critical AWS resources. But recently we decided to take a deeper look at the AWS access security challenges that many organizations face, and at how OneLogin can help even further.

Deconstructing AWS Access Security

To start things off, we decided to deconstruct AWS access security into three areas:

  1. How users sign in to AWS
  2. How companies control access to AWS
  3. How companies manage and protect multiple AWS environments

Using this framework, we took a closer look at our customer base and studied how various companies have been using and securing access to AWS. Here’s what we found.

Weak sign-in configurations are commonplace

Our first interesting observation was how many organizations in the wild use weak sign-in configurations, such as one set of sign-in credentials for an AWS account shared among several people. Sharing credentials without multi-factor authentication (MFA) or adaptive authentication is commonplace, and it exposes the organization to serious risk: a single phished or leaked password grants everyone's access, and nothing done with it can be attributed to an individual.

Many organizations also sign in to AWS, as to any other SaaS application, with a password instead of a secure token sign-in such as SAML. A password can be phished; a SAML assertion is issued by the identity provider only after it has authenticated the user, so there is no AWS password for a phishing email to steal. That's scary when you consider that 85% of organizations have suffered phishing attacks.

In addition, the shockingly common practice of plain username/password login without HR-driven identity management of the user lifecycle, such as automated onboarding and offboarding, creates significant risk. Consider that a former employee whose credentials were never revoked can gain control over AWS resources and effectively shut down a company's online business. This happens more often than you think: half of ex-employees can still access their former employer's network.

These poor practices are not unique to AWS, but they become critical sources of vulnerability when your organization needs to protect resources such as production servers and source code. It is possible to address them directly in AWS, but the challenge is doing so in a way that is scalable, automated and integrated with your corporate directory, not only for AWS but across your entire application and service portfolio.
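The two weaknesses above (console users without MFA, and credentials that outlive their owner) are both visible in the IAM credential report that `aws iam get-credential-report` returns as base64-encoded CSV. The following audit script is an added example written for this post, not OneLogin's or AWS's code; the report rows are constructed for the example and keep only the columns the check reads, and the 90-day staleness threshold and the fixed "now" date are assumptions chosen to make the run reproducible.

```python
"""Audit an IAM credential report for the sign-in weaknesses discussed above:
console users without MFA, a root user without MFA or with access keys, and
credentials unused long enough to suggest an ex-employee or a forgotten key.
Example code; the report rows below are constructed, not a real account."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of `aws iam get-credential-report`
# (subset of columns; the real report has more).
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,2017-04-01T08:12:00+00:00,false,true,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,true,2017-04-20T14:05:00+00:00,true,true,2017-04-21T11:00:00+00:00,false,N/A
ops-shared,arn:aws:iam::123456789012:user/ops-shared,true,2017-04-22T07:30:00+00:00,false,true,2017-04-22T07:31:00+00:00,false,N/A
bob,arn:aws:iam::123456789012:user/bob,true,2016-09-15T16:40:00+00:00,false,true,2016-09-30T10:00:00+00:00,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,false,no_information,false,true,2017-04-23T02:00:00+00:00,true,2016-02-01T00:00:00+00:00
"""

# Assumed, fixed "now" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2017, 4, 24, tzinfo=timezone.utc)
STALE_AFTER = timedelta(days=90)   # assumed threshold; tune to your offboarding SLA


def parse_report_time(value):
    """ISO-8601 timestamp -> aware datetime; the report's N/A, no_information
    and not_supported markers -> None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now=NOW, stale_after=STALE_AFTER):
    """Return a list of (user, finding) tuples for every weak sign-in pattern found."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"
        console = row["password_enabled"] == "true"
        mfa = row["mfa_active"] == "true"

        if is_root and not mfa:
            # No IAM policy can restrict root, so MFA is the only brake on it.
            findings.append((user, "root user has no MFA device"))
        if console and not mfa:
            # One phished or shared password is the whole account.
            findings.append((user, "console password enabled without MFA"))

        last_pw = parse_report_time(row["password_last_used"])
        if console and last_pw is not None and now - last_pw > stale_after:
            findings.append((user, f"console password unused for {(now - last_pw).days} days"))

        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                # Root access keys are never needed; delete them rather than rotate them.
                findings.append((user, f"root user has an active access key {n}"))
                continue
            last_use = parse_report_time(row[f"access_key_{n}_last_used_date"])
            if last_use is None:
                findings.append((user, f"access key {n} active but never used"))
            elif now - last_use > stale_after:
                findings.append((user, f"access key {n} unused for {(now - last_use).days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT):
        print(f"{user:16} {finding}")
```

Run against the sample, `alice` (MFA on, recently active) produces nothing, the shared `ops-shared` user is flagged for a password without MFA, `bob` is flagged three times (no MFA, a password and a key both idle for months, the profile of someone who has left), and the root user is flagged for both missing MFA and a live access key. Replace the constant with the decoded report and a real clock to use it on an account.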

Orgs are granting the wrong level of access

When studying how customers implement access control, we noticed that companies grant AWS access to a variety of organizational roles. The common ones are the obvious ones: engineering, IT, tech operations and developers. But there are also less common roles such as sales, marketing and finance, and granular roles such as on-call engineers. Each of these has different security and productivity needs.

Despite this, many companies do not implement refined access control for least privilege. IAM roles are a powerful tool for assigning least-privilege access, yet our research found that 75% of companies don't use IAM roles for granular AWS privileges. In fact, many just use default, one-size-fits-all permission settings. This is especially challenging since many organizations suffer from AWS account sprawl and potential shadow IT: anyone with a credit card can create an AWS account.

This means that many users have the wrong set of permissions, which is asking for trouble. It can also bring work to a halt: when the only permission sets on offer are overly broad, it is not safe to grant them to additional team members, so they get no access at all.
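The difference between "default" access and least privilege is concrete in the policy documents themselves, and so is the difference between a password-based trust relationship and a SAML one. The linter below is an added example written for this post, not OneLogin's tooling or an AWS feature: it walks an IAM policy document and flags wildcard grants, `NotAction` inversions, and trust statements that let a role be assumed without MFA or that accept SAML assertions without pinning the audience. The four policies are constructed for the example (`BROAD_POLICY` is equivalent to AWS's AdministratorAccess managed policy; `ONCALL_POLICY` is an assumed least-privilege grant for an on-call engineer); the condition keys `aws:MultiFactorAuthPresent`, `SAML:aud` and `ec2:ResourceTag/<key>` are AWS's own, while the read-only verb heuristic is the example's.

```python
"""Lint IAM policy documents for over-broad grants and weak trust relationships.
Example code; the policies are constructed, not taken from a real account."""
import json

READ_ONLY_VERBS = ("Describe", "Get", "List")          # assumed heuristic for "read-only"
AWS_SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience AWS expects in SAML:aud


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    """'ec2:DescribeInstances' -> True; 'ec2:*' and '*' -> False."""
    if action == "*" or action.endswith(":*"):
        return False
    _, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_VERBS)


def lint_policy(doc):
    """Return a list of (statement_index, finding) for Allow statements."""
    findings = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        cond = st.get("Condition", {})

        if "NotAction" in st or "NotResource" in st:
            findings.append((i, "NotAction/NotResource allows everything except the listed items"))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, f"wildcard action {actions}"))
        if "*" in resources and not all(_is_read_only(a) for a in actions):
            findings.append((i, 'Resource "*" on actions that are not read-only'))

        # A statement with a Principal is a trust policy: it says who may assume the role.
        if "Principal" in st:
            mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent")
            if "sts:AssumeRole" in actions and str(mfa).lower() != "true":
                findings.append((i, "sts:AssumeRole without aws:MultiFactorAuthPresent=true"))
            aud = cond.get("StringEquals", {}).get("SAML:aud")
            if "sts:AssumeRoleWithSAML" in actions and aud != AWS_SAML_AUDIENCE:
                findings.append((i, "sts:AssumeRoleWithSAML without SAML:aud pinned to the AWS sign-in endpoint"))
    return findings


# "Default" access: everything, everywhere (same effect as AdministratorAccess).
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Assumed least-privilege grant for an on-call engineer.
ONCALL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Describe* calls have no resource-level permissions, so "*" is correct here.
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeInstanceStatus"],
            "Resource": "*",
        },
        {   # The one mutating action is limited to tagged instances and MFA-backed sessions.
            "Effect": "Allow",
            "Action": "ec2:RebootInstances",
            "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/Team": "oncall"},
                "Bool": {"aws:MultiFactorAuthPresent": "true"},
            },
        },
    ],
}

# Trust policy letting any principal in the account assume the role, no MFA required.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
}

# SAML trust policy: only assertions this provider issued for AWS are accepted.
SAML_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::123456789012:saml-provider/OneLogin"},
        "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"StringEquals": {"SAML:aud": AWS_SAML_AUDIENCE}},
    }],
}

if __name__ == "__main__":
    for name, doc in [("broad", BROAD_POLICY), ("oncall", ONCALL_POLICY),
                      ("weak-trust", WEAK_TRUST_POLICY), ("saml-trust", SAML_TRUST_POLICY)]:
        print(name, json.dumps(lint_policy(doc)))
```

The broad policy draws two findings and the on-call policy none, which is the whole point of roles: a role carrying `ONCALL_POLICY` can be handed to every on-call engineer safely, while `BROAD_POLICY` can be handed to almost nobody. The trust-policy checks are the sign-in half of the story: `WEAK_TRUST_POLICY` lets anyone in the account who has a password assume the role, whereas `SAML_TRUST_POLICY` only accepts a signed assertion that the identity provider issued specifically for AWS.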

How OneLogin Can Help

Setting up the OneLogin AWS Multi-Account Connector enables companies to accomplish three key objectives:

  1. Secure token (SAML) sign-in for their users, which takes AWS passwords out of the phishing path, with advanced protection such as Adaptive MFA on top.
  2. Role-based access control (RBAC) to implement least-privilege access.
  3. A scalable security model that extends the above across all of your AWS accounts.

In addition, our AWS Multi-Account Connector lets organizations extend the OneLogin SSO user experience to AWS alongside users' other authorized resources and apps. End users see a single tile for one-click access to all of their permitted AWS accounts. When a user logs into the AWS Management Console through OneLogin SSO, she sees an AWS page offering a choice of the AWS accounts and roles to which you have given her access, so she can pick the right privilege level for the task at hand.
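What drives that account-and-role chooser is the SAML assertion itself: for AWS console federation the identity provider sends each permitted role as one value of the attribute `https://aws.amazon.com/SAML/Attributes/Role`, formatted as `role-arn,saml-provider-arn` (AWS accepts either order), plus a `RoleSessionName` attribute naming the user. The parser below is an added example for this post, not OneLogin's connector or AWS code; it groups those values by account the way the chooser does and rejects pairs that `AssumeRoleWithSAML` would refuse anyway (provider and role in different accounts, or not an ARN pair at all). The attribute values are constructed for the example, and the account numbers and role names are made up.

```python
"""Group the roles in a SAML assertion's Role attribute by AWS account.
Example code; the attribute values below are constructed."""
import re
from collections import defaultdict

# IAM ARN for a role or a SAML provider; the 12-digit account id is group 1.
ARN = re.compile(r"^arn:aws:iam::(\d{12}):(role|saml-provider)/(.+)$")

# Constructed values of https://aws.amazon.com/SAML/Attributes/Role.
SAMPLE_ROLE_VALUES = [
    "arn:aws:iam::111111111111:role/ReadOnly,arn:aws:iam::111111111111:saml-provider/OneLogin",
    "arn:aws:iam::111111111111:role/OnCallEngineer,arn:aws:iam::111111111111:saml-provider/OneLogin",
    # Provider first is also accepted by AWS.
    "arn:aws:iam::222222222222:saml-provider/OneLogin,arn:aws:iam::222222222222:role/Developer",
    # Role and provider in different accounts: AssumeRoleWithSAML would refuse this pair.
    "arn:aws:iam::333333333333:role/Admin,arn:aws:iam::111111111111:saml-provider/OneLogin",
    "not-an-arn-pair",
]


def parse_role_value(value):
    """Return (account_id, role_name, role_arn, provider_arn) or raise ValueError."""
    parts = value.split(",")
    if len(parts) != 2:
        raise ValueError(f"expected 'role-arn,provider-arn': {value!r}")
    parsed = {}
    for part in parts:
        m = ARN.match(part)
        if not m:
            raise ValueError(f"not an IAM role/provider ARN: {part!r}")
        account, kind, name = m.groups()
        parsed[kind] = (account, name, part)
    if set(parsed) != {"role", "saml-provider"}:
        raise ValueError(f"need exactly one role and one saml-provider ARN: {value!r}")
    role_acct, role_name, role_arn = parsed["role"]
    prov_acct, _, provider_arn = parsed["saml-provider"]
    if role_acct != prov_acct:
        # The provider is an IAM resource of the account that owns the role.
        raise ValueError(f"role and provider are in different accounts: {value!r}")
    return role_acct, role_name, role_arn, provider_arn


def roles_by_account(values):
    """Map account id -> [(role_name, role_arn, provider_arn)], plus rejected values."""
    accounts = defaultdict(list)
    rejected = []
    for value in values:
        try:
            account, role_name, role_arn, provider_arn = parse_role_value(value)
        except ValueError as exc:
            rejected.append((value, str(exc)))
            continue
        accounts[account].append((role_name, role_arn, provider_arn))
    return dict(accounts), rejected


if __name__ == "__main__":
    accounts, rejected = roles_by_account(SAMPLE_ROLE_VALUES)
    for account, roles in sorted(accounts.items()):
        print(account, [name for name, _, _ in roles])
    for _, reason in rejected:
        print("rejected:", reason)
```

The useful property for least privilege is that the role list is computed per user by the identity provider at sign-in time from directory group membership, so removing someone from a group (or from the directory on offboarding) removes the role from their next assertion with no change to IAM. Each `(role_arn, provider_arn)` pair the user picks is exactly what goes into the `AssumeRoleWithSAML` call, so the role's trust policy must name that provider.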

More AWS Best Practices

Check out our AWS IAM Kit to learn more about how you can secure your AWS environment. It contains a collection of resources that can help you automate best practices for improved visibility, efficiency, and security.

The kit includes a free whitepaper, data sheet, on-demand webinar and a full version of this nifty Three Steps To Securing AWS Access infographic, which can help admins structure their approach to protecting AWS resources through multiple steps such as adding multi-factor authentication. If you find these resources helpful, be sure to sign up for a free OneLogin account or contact us for a customized demo.

We will continue to enrich our integration with AWS and add additional resources to help you better secure AWS access. In the meantime, feel free to contact us to learn how we can help you secure AWS.

About the Author

Jonathan Bennun is a Product Management leader with over 15 years of experience in various roles in the tech industry, including software engineering, consulting and product management. Now at OneLogin, he leads the Devices and Authentication teams. His primary mission is to deliver new, innovative services and to improve the customer user experience on web and mobile.
