Company
Intent IQ is an identity resolution pioneer enabling partners to confidently identify clients and prospects who interact with their sites, apps, and brick-and-mortar establishments, whether across their various screens or in person while keeping privacy top of mind. Beneficiaries include the media ecosystem, e-tailers, and financial institutions.
Backed by their future-proof identity resolution technology, Intent IQ has developed a suite of cookieless advertising solutions enabling cross-app, cross-site, and cross-device targeting, retargeting, and attribution. Using patented first-party ID clustering technology and the Intent IQ ID, their cookieless advertising solution creates an opportunity to generate incremental reach and conversions in Safari today, and Chrome tomorrow.
Challenge
Intent IQ's services have run on AWS infrastructure for many years, so a challenging IAM structure was to be expected: configuration drift and a considerable amount of legacy/tech debt.
In an AWS account with users and groups having overly permissive policies, it becomes difficult to manage access controls and raises security concerns. Giving users too many permissions makes the system more prone to attacks, risking unauthorized access to sensitive resources. This not only threatens data confidentiality and integrity but also raises the likelihood of malicious activities in the account.
Furthermore, the challenge extends beyond security. When users hold permissions beyond their actual needs, it becomes hard to tell which permissions are genuinely required, and the lack of granularity in the access controls complicates the tracking and auditing of user activity, weakening the ability to swiftly identify and respond to security incidents.
Because the AWS management endpoints (the console and the CLI/API) are reachable from the public internet, this is a textbook instance of the "identity is the new perimeter" slogan, and IAM security deserves close attention.
Solution
In response to the challenge of IAM users and user groups with overly permissive policies in the AWS account, a complete IAM optimization strategy based on the principle of least privilege (PoLP) was implemented.
The process began with an in-depth analysis of the existing IAM users and groups, identifying over-permissioned and misplaced accounts. To reach stricter policies, very specific inline policies were crafted for each IAM user group, based on data gathered from both AWS Access Advisor and CloudTrail logs.
AWS Access Advisor is an important tool for detecting which AWS services each identity actually uses, but on its own it lacks granularity: for most services it only reports when the service as a whole was last accessed, not which actions were called.
We wanted to determine exactly which actions the identity performed on each of those services.
To reach that level of granularity we needed to look at CloudTrail logs, but in an efficient and convenient way, so Athena queries were used to dig deeper into user activity and pinpoint the exact actions performed within each service.
By querying CloudTrail only for the services that Access Advisor reported for an identity, we could see precisely which actions were performed, analyze them, and react to them. This detailed analysis allowed highly accurate inline policies to be created, so that each IAM user was granted permission only for the actions they had actually used within a predetermined observation window.
Two caveats apply to any usage-derived policy: it only covers what ran inside the window, so actions tied to infrequent tasks have to be added deliberately, and CloudTrail records data-plane calls such as S3 object reads only when data event logging is enabled, so those must be checked separately.
This two-source approach (Access Advisor for services, CloudTrail via Athena for actions) addressed the issue of overly permissive policies and strengthened security by following the principle of least privilege.
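The following is an added example, not code from Intent IQ or Oasis Communication Technologies, that reproduces the workflow above offline: it renders the Athena query over the standard CloudTrail table for one user, the services Access Advisor reported, and an observation window, then applies the same filters to a set of constructed CloudTrail records and turns the result into an inline policy document. The user name, service list, window and all records are made up for the example; the eventsource-to-prefix overrides and the CloudFront version-suffix handling are the only mapping quirks it knows about and are assumptions about CloudTrail naming, so any real run still needs a human review of the generated statements.

```python
"""Derive a least-privilege inline policy for one IAM user from CloudTrail.

Added example (not Intent IQ's or Oasis's code). The records at the bottom are
constructed; they are not real CloudTrail data.
"""
import json
import re
from collections import defaultdict

# Athena query over the AWS-documented cloudtrail_logs table. It keeps only
# successful calls: a call that failed with AccessDenied is evidence of an
# attempt, not of a need, so it must not be granted automatically.
ATHENA_QUERY = """\
SELECT useridentity.username AS username, eventsource, eventname, count(*) AS calls
FROM cloudtrail_logs
WHERE useridentity.type = 'IAMUser'
  AND useridentity.username = {username}
  AND eventsource IN ({services})
  AND eventtime BETWEEN {start} AND {end}
  AND errorcode IS NULL
GROUP BY useridentity.username, eventsource, eventname
ORDER BY eventsource, eventname"""


def sql_literal(value):
    """Quote an operator-supplied value as an Athena string literal."""
    return "'" + value.replace("'", "''") + "'"


def build_query(username, services, start, end):
    """Render the query for one user, the services Access Advisor reported and an
    ISO-8601 window (CloudTrail eventtime sorts lexically, so BETWEEN works)."""
    return ATHENA_QUERY.format(
        username=sql_literal(username),
        services=", ".join(sql_literal(s) for s in services),
        start=sql_literal(start),
        end=sql_literal(end),
    )


# eventsource usually maps to the IAM prefix by dropping ".amazonaws.com";
# these are the exceptions this example knows (assumed list, extend as needed).
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}
# Event sources that are not IAM-controllable actions (console sign-in).
NON_IAM_SOURCES = {"signin.amazonaws.com"}
# CloudFront event names carry an API-version suffix, e.g. ListDistributions2020_05_31.
VERSION_SUFFIX = re.compile(r"\d{4}_\d{2}_\d{2}$")


def iam_action(eventsource, eventname):
    """Map a CloudTrail (eventsource, eventname) pair to an IAM action string."""
    prefix = SERVICE_PREFIX_OVERRIDES.get(eventsource, eventsource.split(".")[0])
    return prefix + ":" + VERSION_SUFFIX.sub("", eventname)


def observed_actions(records, username, services, start, end):
    """Apply the same filters as ATHENA_QUERY to raw CloudTrail records.

    Returns (granted, denied): actions the user used successfully, and actions
    the user attempted but was denied, which need a human decision. Only
    management events are logged by default; S3 object or Lambda invoke calls
    are missing unless data events are enabled.
    """
    granted, denied = set(), set()
    for r in records:
        ident = r.get("userIdentity", {})
        if ident.get("type") != "IAMUser" or ident.get("userName") != username:
            continue
        if r["eventSource"] in NON_IAM_SOURCES or r["eventSource"] not in services:
            continue
        if not (start <= r["eventTime"] <= end):
            continue
        action = iam_action(r["eventSource"], r["eventName"])
        (denied if r.get("errorCode") else granted).add(action)
    return granted, denied - granted


def build_policy(actions):
    """One Allow statement per service. Resource stays "*" here; narrowing it
    from requestparameters/resources in CloudTrail is the next pass."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": svc.capitalize() + "Observed", "Effect": "Allow",
         "Action": acts, "Resource": "*"}
        for svc, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


# Constructed sample records: analyst1 lists S3 and describes EC2, is denied an
# IAM call, signs in to the console, and has one call outside the window.
USER = {"type": "IAMUser", "userName": "analyst1"}
SAMPLE_RECORDS = [
    {"eventTime": "2024-03-02T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "userIdentity": USER},
    {"eventTime": "2024-03-03T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketLocation", "userIdentity": USER},
    {"eventTime": "2024-03-05T09:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": USER},
    {"eventTime": "2024-03-06T14:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "errorCode": "AccessDenied", "userIdentity": USER},
    {"eventTime": "2024-03-07T08:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "userIdentity": USER},
    {"eventTime": "2023-12-01T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances", "userIdentity": USER},
    {"eventTime": "2024-03-04T12:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"type": "IAMUser", "userName": "ops-lead"}},
]


def generate(username, services, start, end, records=SAMPLE_RECORDS):
    """Return (policy document, sorted list of denied actions to review)."""
    granted, denied = observed_actions(records, username, services, start, end)
    return build_policy(granted), sorted(denied)


if __name__ == "__main__":
    services = ["s3.amazonaws.com", "ec2.amazonaws.com", "iam.amazonaws.com"]
    window = ("2024-01-01T00:00:00Z", "2024-03-31T23:59:59Z")
    print(build_query("analyst1", services, *window))
    policy, needs_review = generate("analyst1", services, *window)
    print(json.dumps(policy, indent=2))
    print("attempted but denied, review manually:", needs_review)
```

Running the script prints the Athena query, a policy with one statement for EC2 (ec2:DescribeInstances) and one for S3 (s3:GetBucketLocation, s3:ListBuckets), and flags iam:CreateUser as attempted but denied; the December TerminateInstances call falls outside the window and the other user's RunInstances is ignored. In a real run the rows come back from Athena instead of SAMPLE_RECORDS, and the policy is tested against the group before it replaces the old one.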
Simultaneously, IAM groups were formed along two axes: departmental affiliation and the role of the team leader responsible for each group.
This structure not only enhanced security but also simplified user management, contributing to an efficient and well-organized IAM framework.
Results
Applying this IAM optimization solution improved the security, efficiency, and manageability of the AWS environment on several fronts.
Reduced Security Risks:
• By fine-tuning IAM policies through inline policies based on Access Advisor insights and Athena queries over CloudTrail, the potential attack surface was minimized. IAM users are granted only the permissions they actively use, and this reduction in unnecessary permissions translates to a more secure environment, lowering the risk of unauthorized access, lateral movement, and potential breaches.
Improved Operational Efficiency:
• IAM groups organized by department and team-leader role ensure that users have the permissions their roles and responsibilities require, and no more. This reduces the complexity of access management and contributes to improved operational efficiency.
Detailed visibility and auditing:
• Athena queries over CloudTrail give a detailed view of which actions each user performs in each service. This visibility improves auditing, enables more precise monitoring of user behavior, supports compliance, and helps detect and respond to security incidents quickly.
Simplified User Management:
• Organizing IAM groups by department and team-leader role makes managing users easier. Adding and removing users becomes a matter of group membership, ensuring they receive the right access, and when the organization changes the IAM groups can be adjusted accordingly, keeping user management flexible and scalable.
Summary
In summary, IAM users with highly permissive policies pose significant security and operational concerns. This case study describes the proactive IAM optimization strategy, based on the principle of least privilege, that Oasis Communication Technologies employed to address this challenge, leveraging insights from AWS Access Advisor and Athena queries over CloudTrail logs.
The solution not only strengthened security but also improved operational efficiency and user management, adding up to a more resilient and finely tuned AWS environment.
Because the policies are derived from observed usage, the method can be repeated as organizational needs and usage patterns change, keeping the IAM framework effective and aligned with the organization's goals over time.
The result is a more resilient, responsive, and secure AWS environment, in which IAM policies and user access are tuned to actual usage patterns, providing a strong base for the organization's cloud operations.