Full Report
Cloud identity permissions are complex. So complex that innocent looking permissions provided to 3rd party vendors can lead to unintended exposure of all of your data.
Analysis Summary
# Best Practices: Minimizing Cloud Security Risk from Third-Party Vendor Permissions
## Overview
These practices address the critical and widespread security risk posed by granting excessive, unnecessary, or poorly understood permissions (IAM roles) to third-party vendors in cloud environments (specifically highlighted in AWS, but applicable cross-cloud in Azure/GCP). The goal is to drastically reduce the attack surface inherent in the third-party supply chain by adhering strictly to the principle of least privilege.
## Key Recommendations
### Immediate Actions
1. **Conduct an Inventory of External Identities:** Immediately identify and document every third-party vendor identity, application, or external IAM role currently active in your cloud environment(s).
2. **Scrutinize High-Privilege Roles:** Review all third-party roles granted management or highly privileged policies (e.g., roles allowing over 76% of analyzed organizations had potential for account takeover).
3. **Audit Wide Read Policies:** Specifically search for the widespread use of policies like `AWSReadOnlyAccess` granted to third parties, recognizing that this grants broad read access to sensitive stores (S3, databases, SQS).
4. **Verify Current Need:** For every external role identified, verify with the business or application owner *today* that the permissions granted align precisely with the current operational requirements.
### Short-term Improvements (1-3 months)
1. **Restrict Default / Broad Policies:** Replace default, overly permissive policies provided by vendors with custom, scoped policies that adhere strictly to the least privilege principle.
2. **Limit Resource Scope:** Where possible, constrain permissions granted to specific resources (e.g., grant access only to specific S3 buckets or DynamoDB tables required for the vendor's function, rather than all resources in an account/region).
3. **Implement Entitlements Review Process:** Establish a mandatory recurring review cycle (e.g., monthly or quarterly) for all third-party roles, focusing on analyzing their effective permissions and usage logs.
4. **Automate Effective Permission Analysis:** Deploy tools or scripts capable of analyzing the *effective* permissions of third-party roles, accounting for privilege escalation paths, conditions, and policy combinations.
### Long-term Strategy (3+ months)
1. **Establish Strong Contractual Obligations:** Update vendor contracts to mandate adherence to the principle of least privilege and require vendors to disclose the specific roles/permissions they utilize during integration.
2. **Mandate Dynamic/Ephemeral Credentials:** Transition away from static, long-lived IAM roles for vendors towards mechanisms that utilize ephemeral credentials or secure, temporary access methods where feasible.
3. **Implement Security Posture Management Strategy:** Integrate third-party identity risk assessment into your overall Cloud Security Posture Management (CSPM) or Cloud Infrastructure Entitlement Management (CIEM) strategy for continuous monitoring.
4. **Develop Vendor Offboarding Checklist:** Create and enforce a formal, automated process to immediately revoke and delete all associated IAM roles and credentials when a contract with a third-party vendor is terminated.
## Implementation Guidance
### For Small Organizations
- **Focus on Inventory and Removal:** Start by mapping the 5-10 external apps likely integrated. If you have any roles containing terms like `AdminAccess` or `ReadOnlyAccess` granted externally, use the "Immediate Actions" to scope them down or eliminate them entirely.
- **Manual Least Privilege Application:** Since automation tools may be unavailable, manually review the IAM policy JSON for any external role and remove permissions that are clearly unnecessary for the vendor's core documented task.
### For Medium Organizations
- **Implement Centralized Tracking:** Utilize native cloud identity management dashboards (e.g., AWS IAM Access Analyzer) to gain visibility into externally assumed roles and potential trust relationships.
- **Pilot Privilege Reduction Project:** Select the 2-3 highest-risk vendors and initiate a project to reduce their access from broad permissions to tightly scoped resource-based permissions.
### For Large Enterprises
- **Mandate CIEM Solution Deployment:** Deploy a specialized Cloud Infrastructure Entitlement Management (CIEM) solution capable of modeling effective permissions, detecting privilege escalations (like `iam:PassRole`), and flagging cross-cloud identity risks.
- **Establish Central Cloud Governance Team:** Task a dedicated team with overseeing all external identity onboarding, ensuring policy standardization across all cloud accounts/environments, and auditing compliance against baseline security standards.
- **Utilize Service Control Policies (SCPs):** Implement Organizational SCPs (if using AWS Organizations) to set guardrails that prevent granting overly broad permissions (like `*` for actions or resources) to organizational units housing vendor roles.
## Configuration Examples
*Note: Specific configuration examples are highly context-dependent, but the principle is clear.*
**Replace Broad Read Access:**
Instead of granting:
json
{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "*"
}
Restrict to necessary buckets/objects:
json
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::vendor-specific-reports-bucket",
"arn:aws:s3:::vendor-specific-reports-bucket/*"
]
}
## Compliance Alignment
- **NIST SP 800-53 (AC-6):** Control the ability of an external entity to access information and resources based on the operational need to know.
- **ISO 27001 (A.15.1.2):** Supplier relationships establish security and availability requirements for access to systems and information.
- **CIS Benchmarks (Critical Identity Controls):** Focus on least privilege application for cross-account access and third-party roles.
## Common Pitfalls to Avoid
- **Assuming Read-Only is Safe:** Do not assume the `ReadOnlyAccess` policy is harmless; understand that it grants deep visibility into highly sensitive data stores (databases, S3, secrets).
- **Ignoring Privilege Escalation Paths:** Do not rely solely on the listed permissions; analyze the *combination* of permissions (e.g., `ec2:CreateInstance` combined with `iam:PassRole`) that could lead to full account takeover.
- **Tolerating Stale Access:** Failing to remove roles immediately upon vendor offboarding leaves permanent backdoors open to compromised vendor environments.
- **Lack of Visibility:** Trusting that platform defaults are secure; over 90% of security teams were unaware of excessive external permissions they had granted.
## Resources
- Cloud Security Posture Management (CSPM) tools for identity analysis.
- Cloud Infrastructure Entitlement Management (CIEM) solutions for effective permission modeling.
- AWS Identity and Access Management (IAM) Documentation (for detailed policy creation and resource definition).