AWS Partner Network (APN) Blog

How to implement Zero Standing Privileges with CyberArk for securing access to the AWS console

By Rajendra Kulkarni, Sr. Partner SA Security AWS
By Anat Eytan-David, Sr. Product Manager CyberArk


Velocity, agility, and efficiency are key in cloud-native development. Developers strive to deliver results quickly and take responsibility for the entire process, from initial development to final production. At the same time, securing access to critical cloud environments like the AWS console is essential to protect sensitive data and resources.

Too often, this results in a tradeoff between user experience and security controls, leading to inefficiency, adoption challenges, and potential security gaps. Developers just want to do their jobs, but security teams need to limit access and apply robust access controls.

In this post, we will discuss why it is important to secure access to the AWS console and services, and how it can be done efficiently and securely without impacting the velocity and experience developers require. We’ll explore a solution from CyberArk that balances these needs through zero standing privileges, least-privilege access, and automated approvals.

CyberArk is a leader in identity security. They’re an AWS Security Competency Partner and AWS Marketplace Seller. The CyberArk identity security platform is delivered as SaaS and chosen by many AWS Customers to secure their cloud estate.

Why should you protect the AWS Management Console and services?

The AWS Console is the central hub for managing your cloud environment, providing access to a wide range of services and resources. While the Console offers tremendous flexibility and control, it is also a prime target for unauthorized access: a compromise there can expose your entire cloud infrastructure, business data, and customer information.

It is crucial to treat the AWS Console as a sensitive environment and implement robust security measures to protect access. This starts with following the principle of least privilege, where users are granted the minimum necessary permissions to perform their tasks, rather than being granted broad, unrestricted access.

Who should you cover with these controls?

“Privileged users” is a term that comes from the traditional IT world. It used to refer only to the users (in most cases from IT) who held administrative access to the most sensitive resources, and whose permissions were well-defined and known.

However, in the cloud the roles aren’t well-defined: developers own the workload from development through production, and if you don’t manage their access properly they will soon hold administrative access to production environments. Often an entitlement is only needed for a short period of time.

To further complicate matters, even “read-only” means something different in the cloud than it does for an on-premises workload. Read-only access to an AWS account typically lets the user read the contents of object storage (for example, Amazon S3 buckets), inspect how services are configured, and see which permissions are granted to other users and roles. That is enough for an attacker to build a map of the environment and plan the next phase of the attack.

This is why we say that in the cloud you can no longer distinguish between privileged and non-privileged users: every user has the capability to reach high-risk resources and should therefore be subject to some level of control.
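To make the read-only point concrete, here is an added example (not code from this post, from AWS, or from CyberArk) that takes an IAM policy document and reports which reconnaissance-enabling actions it actually grants. The two policy documents are constructed for illustration: the broad one imitates the usual Get*/List*/Describe* shape of a read-only grant but is not the AWS managed ReadOnlyAccess policy verbatim, and the action catalogue is illustrative, not exhaustive.

```python
"""Flag reconnaissance-enabling actions in a "read-only" IAM policy.

Added example, not code from the post, AWS or CyberArk.  The policy documents
below are constructed for illustration (the broad one is not the AWS managed
ReadOnlyAccess policy verbatim) and RECON_ACTIONS is illustrative, not exhaustive.
"""
from fnmatch import fnmatchcase

# Read-only actions that still let the holder read data or map the account.
RECON_ACTIONS = {
    "s3:GetObject": "read object contents from buckets in scope",
    "s3:ListBucket": "enumerate object keys",
    "iam:ListUsers": "enumerate identities",
    "iam:ListAttachedRolePolicies": "map which roles hold which permissions",
    "iam:GetPolicyVersion": "read policy documents, i.e. the full access map",
    "secretsmanager:GetSecretValue": "read secret material",
    "ec2:DescribeInstances": "inventory compute and network layout",
}

# Constructed: the usual "Get*/List*/Describe* on everything" read-only shape.
BROAD_READONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*", "iam:Get*", "iam:List*", "ec2:Describe*"],
        "Resource": "*",
    }],
}

# Constructed: a much narrower inventory-only grant.  Still useful to an attacker.
INVENTORY_ONLY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
}


def _as_list(value):
    """IAM accepts either a single string or a list in Statement and Action."""
    return value if isinstance(value, list) else [value]


def _action_matches(action, pattern):
    # IAM action matching is case-insensitive and supports * and ? wildcards,
    # which is what fnmatchcase gives us once both sides are lower-cased.
    return fnmatchcase(action.lower(), pattern.lower())


def allowed_recon_actions(policy):
    """Return {action: why} for every catalogued action some Allow statement grants.

    Only Allow statements are considered; Deny statements, NotAction, Resource
    scoping and Conditions are ignored, so the result over-approximates.  For a
    linter meant to raise questions rather than prove safety, flagging too much
    is the right direction to err in.
    """
    found = {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        patterns = _as_list(stmt.get("Action", []))
        for action, why in RECON_ACTIONS.items():
            if any(_action_matches(action, p) for p in patterns):
                found[action] = why
    return found


def report(policy):
    """Human-readable summary of what a 'read-only' policy really lets you do."""
    hits = allowed_recon_actions(policy)
    if not hits:
        return "no catalogued reconnaissance actions granted"
    return "\n".join(f"{action}: {why}" for action, why in sorted(hits.items()))


if __name__ == "__main__":
    print(report(BROAD_READONLY))
    print("---")
    print(report(INVENTORY_ONLY))
```

Run against the broad policy it flags object reads (`s3:GetObject`) and the ability to pull every policy document (`iam:GetPolicyVersion`); even the inventory-only policy is reported, which is the point of the section above: there is no "harmless" tier of cloud access, only tiers of risk.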

Secure Cloud Access Solution Overview

CyberArk Secure Cloud Access (SCA) applies the principle of zero standing privileges: by default, users hold no entitlements in the AWS console. Entitlements are granted only when requested and revoked automatically at the end of the session, so between sessions the console carries zero standing privileges. This way, if a bad actor bypasses the access controls and connects directly to the AWS console, there are no entitlements to abuse.


Figure 1 – Entitlements to grant access status

  • In addition, it enforces least privilege by granting only the access required, which mitigates the risk of excessive permissions and permission sprawl.
  • It is integrated with the AWS console, so developers keep using the same native tools they use today to reach the console and the CLI.
  • It supports multiple AWS organizations, giving a consistent experience and consistent controls across them.
  • It follows the AWS guidance for temporary elevated access.

Common use-cases

Daily access

Developers need to connect to the AWS console for different development tasks such as research, configuration, and maintenance. They usually access the same accounts with the same permissions, almost daily.

To reduce the risk, CyberArk removes ALL standing permissions from the cloud environment. Access is granted only when it is needed, in this case based on a policy configured in CyberArk SCA. To minimize the attack surface, you define in SCA who may use the access, when, and for how long. The entitlement is written ONLY when the user actually connects and is revoked automatically afterwards, so the environment is left with zero standing privileges, and the risk of permission sprawl and excessive permissions is reduced.

To top this all off, there are no changes to a developer’s workflow. Controls are applied at the entitlement level, without a patched CLI or an agent on the developer’s workstation. Development teams keep using the native tools they are comfortable with.

On-demand access

Often a developer asks for a high-risk entitlement (such as admin access to the production environment), saying they need it to address a customer issue. It isn’t access they need daily, but on this rare occasion it is warranted. It is nonetheless highly privileged access to a sensitive resource.

High-risk access like this one should not be available to the developers by default, and should be approved and granted only when it is truly needed.

CyberArk Secure Cloud Access allows the developer to submit a request indicating what access is needed, and when.

This gives the developer an easy and simple way to request access, and the bonus is that unused excessive permissions can be removed, knowing the developer has a way to request them when needed.

Urgent access

Imagine it is 2AM and the on-call developer has just received an urgent escalation that requires connecting to the AWS console.

Today it is common for developers to hold standing administrative access to production environments at all times, just for these rare cases.

CyberArk SCA has a context-based automatic approval workflow that lets the cloud security team define which request criteria qualify for automatic approval and which require manual approval.

Using this context-based mechanism, you can define conditions under which on-call engineers get such access automatically when they need to connect to their application’s AWS accounts.

How it works

  1. When developers need to access the AWS Management Console, they connect to the CyberArk Identity Security Platform.
  2. They select the AWS Organization or AWS Account they need to connect to.
  3. If they are already eligible for the permissions they need, they simply connect, and the session grants them those permissions.
  4. If the permissions they need aren’t available to them, they submit an on-demand access request, specifying the scope they need to access, the permission, a justification, when they need the permissions, and for how long.
  5. The system evaluates the request against the defined conditions and the context of the request: the permissions are either approved automatically and the developer can connect, or the request is sent to an approver.
  6. CyberArk SCA supports different approval channels; Slack and ServiceNow are supported and commonly used, and the customer can customize the workflow to integrate with any external ticketing system.
  7. All access requests, approvals, and connection activities are audited for any future investigation.
  8. At the end of the session, CyberArk SCA revokes the permissions automatically, leaving the AWS Management Console with zero standing privileges.
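The following added example models the eight steps above together with the context-based approval rules from the "Urgent access" section as a small in-memory just-in-time access broker. It is not CyberArk Secure Cloud Access code: the account IDs, the eligibility and on-call tables, the high-risk classification and every time limit are assumptions made up for illustration, and where a real broker would write the grant to AWS (a permission-set assignment or a role policy) and remove it again, this one keeps the grants in a list so that the zero-standing-privilege invariant can be checked directly.

```python
"""Minimal just-in-time (JIT) access broker modelling request, context-based
approval, grant, audit and revoke.  Added example, not CyberArk SCA code: the
account IDs, eligibility and on-call tables, risk classification and time limits
are assumptions made up for illustration, and grants live in memory instead of
being written to AWS.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HIGH_RISK = {"AdministratorAccess", "IAMFullAccess"}   # assumed classification
MAX_AUTO_HIGH_RISK = timedelta(hours=2)                  # assumed auto-approval cap
MAX_REQUEST = timedelta(hours=8)                         # assumed hard cap per request
DEV, PROD = "111111111111", "222222222222"               # constructed account IDs


@dataclass(frozen=True)
class AccessRequest:
    requester: str
    account: str         # target AWS account ID
    permission: str      # managed policy / permission set being requested
    justification: str
    start: datetime
    duration: timedelta


@dataclass(frozen=True)
class Entitlement:
    requester: str
    account: str
    permission: str
    expires_at: datetime
    max_session_seconds: int   # cap STS sessions to the window so credentials expire on time


class AccessBroker:
    def __init__(self, eligibility, on_call):
        self.eligibility = eligibility   # requester -> {(account, permission)} daily access
        self.on_call = on_call           # requester -> {account} currently on call for
        self.active = []                 # the only place a privilege exists
        self.audit = []                  # every request, decision, grant and revoke

    def _log(self, event, req, **extra):
        self.audit.append({"event": event, "requester": req.requester, "account": req.account,
                           "permission": req.permission, **extra})

    def decide(self, req):
        """'auto', 'manual' or 'deny', from the request context alone."""
        if not timedelta(0) < req.duration <= MAX_REQUEST:
            return "deny"
        if (req.account, req.permission) in self.eligibility.get(req.requester, set()):
            return "auto"    # daily access: pre-approved by policy
        if (req.permission in HIGH_RISK and req.duration <= MAX_AUTO_HIGH_RISK
                and req.account in self.on_call.get(req.requester, set())):
            return "auto"    # urgent access: on call for this account, short window
        return "manual"      # on-demand access: needs a human approver

    def request(self, req, approver=None):
        decision = self.decide(req)
        self._log("request", req, decision=decision, justification=req.justification)
        if decision == "deny" or (decision == "manual" and approver is None):
            if decision == "manual":
                self._log("pending", req)   # parked in Slack/ticketing for a human
            return None                     # nothing is granted yet
        expires = req.start + req.duration
        ent = Entitlement(req.requester, req.account, req.permission, expires,
                          max_session_seconds=int(req.duration.total_seconds()))
        self.active.append(ent)
        self._log("grant", req, approved_by=approver or "policy", expires_at=expires.isoformat())
        return ent

    def revoke_expired(self, now):
        """Remove every entitlement whose window has closed; returns the count."""
        expired = [e for e in self.active if e.expires_at <= now]
        for e in expired:
            self.active.remove(e)
            self.audit.append({"event": "revoke", "requester": e.requester,
                               "account": e.account, "permission": e.permission})
        return len(expired)

    def standing_privileges(self, account):
        """What is granted in the account right now; empty between sessions."""
        return {(e.requester, e.permission) for e in self.active if e.account == account}


def demo():
    """Run the three use cases through one broker and return what was observed."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)      # "it is now 2AM"
    broker = AccessBroker(eligibility={"dev1": {(DEV, "PowerUserAccess")}},
                          on_call={"dev1": {PROD}})
    daily = AccessRequest("dev1", DEV, "PowerUserAccess", "feature work", t0, timedelta(hours=4))
    urgent = AccessRequest("dev1", PROD, "AdministratorAccess", "SEV1 escalation", t0, timedelta(hours=1))
    ondemand = AccessRequest("dev2", PROD, "AdministratorAccess", "customer issue", t0, timedelta(hours=1))
    decisions = [broker.decide(r) for r in (daily, urgent, ondemand)]
    granted = [broker.request(r) is not None for r in (daily, urgent, ondemand)]
    broker.request(ondemand, approver="sec-lead")              # the human approval arrives
    prod_during = broker.standing_privileges(PROD)
    revoked = (broker.revoke_expired(t0 + timedelta(hours=1)),   # urgent + on-demand windows end
               broker.revoke_expired(t0 + timedelta(hours=4)))   # daily session ends
    return {"decisions": decisions, "granted": granted, "prod_during": prod_during,
            "revoked": revoked, "prod_after": broker.standing_privileges(PROD),
            "dev_after": broker.standing_privileges(DEV),
            "events": [a["event"] for a in broker.audit]}


if __name__ == "__main__":
    print(demo())
```

Two design choices are worth noting. The decision is made from request context alone (who, which account, which permission, how long), so the same request from someone who is not on call lands in the manual queue rather than being auto-approved. And the entitlement carries a session cap equal to its window: revoking eligibility does not invalidate credentials AWS STS has already issued, so the session length handed to STS should never outlive the grant.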

Zero Standing Privilege Architecture


Figure 2 — Zero Privilege Architecture

Conclusion

CyberArk Secure Cloud Access provides a zero standing privileges solution for access to the AWS console and services, and is one of the recommended solutions for managing temporary elevated access in AWS.

Using CyberArk SCA, cloud security teams can reduce excessive permissions and control and manage access easily while lowering operational cost; developers keep using their native tools, and their velocity is not impacted.

CyberArk — AWS Partner Spotlight

CyberArk is an AWS Advanced Technology Partner and AWS Security Competency Partner. Its identity security platform, delivered as SaaS, secures access to customers’ cloud estates, including zero standing privilege access to the AWS console and CLI through Secure Cloud Access.

Contact CyberArk | Partner Overview | AWS Marketplace