Are AWS IAM tools enough for public cloud security?

Our enterprise wants to limit the time it spends generating Identity and Access Management policies. What tools are available to automate this task?

Documenting resource use within a public cloud is pivotal for meeting governance and regulatory compliance requirements. Logging within AWS enables administrators to record and search details of end-user actions and the resources those actions affected.

Several AWS services provide security logging of their own, including Amazon CloudFront access logs, Amazon CloudWatch, AWS Config and Amazon Simple Storage Service (S3) server access logs, which record the requests made to a storage bucket. But for IAM activity specifically, most teams rely on AWS CloudTrail, because it records the API calls that create, change and use identities across the account. Other AWS IAM tools can generate access policies, but they have limitations.

AWS CloudTrail logs all API requests made to IAM and AWS Security Token Service (STS), including the unsigned STS calls that federation relies on, such as AssumeRoleWithSAML and AssumeRoleWithWebIdentity. Because those calls carry the external identity provider and the session name, requests made with the resulting temporary credentials can be mapped back to the federated end user. CloudTrail also logs API requests to other native services, recording in each event's userIdentity element who or what generated the request. Admins can quickly determine whether a request was made using an IAM user's long-term credentials, temporary credentials for a federated user or an assumed role, or by another AWS service acting on the account's behalf. Additionally, CloudTrail logs sign-in events, both successful and failed attempts, to the AWS Management Console, AWS Marketplace and the AWS forums.
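The classification described above, worked through in code. This is an added example, not code from the original article or from AWS; the records are constructed to follow CloudTrail's record schema, using the userIdentity.type values CloudTrail actually emits (IAMUser, AssumedRole, WebIdentityUser, AWSService), and the account ID, names and access key IDs are placeholders. The access-key prefix check relies on the documented convention that long-term IAM keys start with AKIA and STS temporary keys with ASIA.

```python
"""Classify the principal behind CloudTrail records and pull out failed sign-ins.

Added example; not code from the original article. SAMPLE_RECORDS is constructed
to match CloudTrail's record schema (a real log file wraps such records in
{"Records": [...]}); names, account ID and key IDs are placeholders.
"""
from collections import Counter

# Constructed sample records: a subset of the fields CloudTrail writes per event.
SAMPLE_RECORDS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "accessKeyId": "AKIAEXAMPLE0000000001"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE0000000002",
                      "arn": "arn:aws:sts::123456789012:assumed-role/DevRole/bob@example.com",
                      "sessionContext": {
                          "sessionIssuer": {"type": "Role", "userName": "DevRole"},
                          "webIdFederationData": {"federatedProvider": "accounts.google.com"}}}},
    {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRoleWithWebIdentity",
     "userIdentity": {"type": "WebIdentityUser", "identityProvider": "accounts.google.com",
                      "userName": "bob@example.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "carol"},
     "responseElements": {"ConsoleLogin": "Failure"}, "errorMessage": "Failed authentication"},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def credential_kind(record):
    """'long-term' for IAM user access keys (AKIA...), 'temporary' for STS session
    credentials (ASIA...), 'none' for service-initiated or unsigned calls."""
    key = record.get("userIdentity", {}).get("accessKeyId", "")
    if key.startswith("AKIA"):
        return "long-term"
    if key.startswith("ASIA"):
        return "temporary"
    return "none"


def describe_principal(record):
    """Human-readable principal, mapping assumed-role sessions back to the end user."""
    ident = record.get("userIdentity", {})
    kind = ident.get("type")
    if kind == "IAMUser":
        return f"iam-user:{ident.get('userName')}"
    if kind == "Root":
        return "root"
    if kind == "AssumedRole":
        # The ARN ends in assumed-role/<RoleName>/<SessionName>; for federated
        # users the session name is where the external identity is carried.
        role, _, session = ident.get("arn", "").rpartition("assumed-role/")[2].partition("/")
        provider = ident.get("sessionContext", {}).get("webIdFederationData", {}).get("federatedProvider")
        via = f" via {provider}" if provider else ""
        return f"role-session:{role}/{session}{via}"
    if kind in ("WebIdentityUser", "SAMLUser"):
        # The unsigned federation call itself: no AWS credentials yet.
        return f"federated-signin:{ident.get('userName')} via {ident.get('identityProvider')}"
    if kind == "AWSService":
        return f"service:{ident.get('invokedBy')}"
    return f"unknown:{kind}"


def failed_console_logins(records):
    """User names behind failed AWS Management Console sign-in attempts."""
    return [r["userIdentity"].get("userName")
            for r in records
            if r.get("eventName") == "ConsoleLogin"
            and r.get("responseElements", {}).get("ConsoleLogin") == "Failure"]


def credential_summary(records):
    """Count calls signed with long-term keys, temporary keys, or neither."""
    return Counter(credential_kind(r) for r in records)


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['eventName']:28} {credential_kind(rec):10} {describe_principal(rec)}")
    print("failed console logins:", failed_console_logins(SAMPLE_RECORDS))
    print("credential summary:", dict(credential_summary(SAMPLE_RECORDS)))
```

Run against a real trail by loading each gzipped log object, reading the Records array and feeding it to the same functions; the point to take away is that the userIdentity element, not the event name, is what tells you which kind of credential was behind a call.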

Third-party tools can help with automation, streamlining and common management tasks. Chalice, for example, is an open source, Python-based serverless microframework for AWS that helps businesses create and deploy serverless applications on Amazon API Gateway and AWS Lambda. A microframework is a small, highly extensible collection of software components that developers can easily modify. Chalice has a command-line interface that developers use to create, view, deploy and manage applications in AWS.

Chalice also automates the creation of IAM policies, giving an application the permissions it needs to call other AWS services. It does this by statically scanning the application's Python source for boto3 client calls and emitting the matching IAM actions, so it is only as accurate as that heuristic, and using it well still requires a solid understanding of how the application is designed. In practice, developers generate the policy automatically when they deploy a package with the chalice deploy command, which sends the deployment package to Lambda and attaches the generated policy to the function's execution role. The generated statements grant the detected actions on every resource ("Resource": "*"), so the check a practitioner wants is to run chalice gen-policy, review the output, and narrow the resources before the role goes live. Used that way, the feature keeps access policies in step with the code while minimizing the time and effort spent writing them by hand, and frees developers to focus on other tasks.
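The review step above, as an added example that is not Chalice's own code. GENERATED_POLICY is constructed to have the shape of the document chalice gen-policy prints (Allow statements with a bare wildcard resource); SCOPES is a hypothetical per-service list of ARNs that the reviewer supplies, and the bucket, table and account ID in it are placeholders. The code flags every wildcard statement, rewrites those it can scope, and reports the ones that still need a human decision.

```python
"""Review a Chalice-style autogenerated IAM policy before it is deployed.

Added example; not code from Chalice or the original article. GENERATED_POLICY
is constructed to match the shape of `chalice gen-policy` output; SCOPES is a
hypothetical reviewer-supplied mapping with placeholder ARNs.
"""
import copy
import json

GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        # Log-writing permissions every Lambda function needs; not a bare wildcard.
        {"Effect": "Allow",
         "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:*:logs:*:*:*"},
        # Actions detected in the application source, granted on every resource.
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": ["*"]},
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"], "Resource": ["*"]},
    ],
}

# Hypothetical: the resources this application is actually allowed to touch.
SCOPES = {
    "s3": ["arn:aws:s3:::example-app-assets/*"],
    "dynamodb": ["arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"],
}


def _as_list(value):
    """IAM lets Action and Resource be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_resource_statements(policy):
    """Actions of each Allow statement whose Resource is the bare wildcard '*'."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", [])):
            found.append(sorted(_as_list(stmt["Action"])))
    return found


def scope_resources(policy, scopes):
    """Return (scoped_policy, unresolved).

    Each wildcard statement whose actions all belong to one service listed in
    `scopes` gets that service's ARN list as its Resource. Statements for a
    service the reviewer has not scoped are left untouched and reported.
    The input policy is not modified.
    """
    scoped = copy.deepcopy(policy)
    unresolved = []
    for stmt in scoped["Statement"]:
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        services = {action.split(":", 1)[0] for action in _as_list(stmt["Action"])}
        if len(services) == 1 and next(iter(services)) in scopes:
            stmt["Resource"] = list(scopes[next(iter(services))])
        else:
            unresolved.append(sorted(_as_list(stmt["Action"])))
    return scoped, unresolved


if __name__ == "__main__":
    print("wildcard statements:", wildcard_resource_statements(GENERATED_POLICY))
    policy, leftover = scope_resources(GENERATED_POLICY, SCOPES)
    print("still unresolved:", leftover)
    print(json.dumps(policy, indent=2))
```

Once the output is acceptable, save it as the file named by iam_policy_file in .chalice/config.json and set autogen_policy to false for that stage, so the reviewed policy, not a fresh scan, is what chalice deploy attaches.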

The trouble with third-party IAM tools

Third-party tools such as Skeddly schedule automated tasks against cloud resources. To do that work they also generate the IAM policy documents that grant the tool itself permission to interact with the AWS resources in an account.

These AWS IAM tools are only examples; while they help enterprises achieve complex cloud goals, they have limitations compared to native services. Primarily, third-party tooling often lacks flexibility. Policies are dynamic entities that can be a challenge to create, test and maintain, and a policy generated by a tool is only as tight as the tool's understanding of what the workload needs. Working directly with a cloud provider's native IAM services is often more convenient and predictable: AWS's own IAM policy simulator, for example, lets admins test a policy against specific actions and resources before attaching it, which produces fewer unintended consequences than trusting a third-party AWS IAM tool to create policies automatically.

In addition, third-party IAM tools must adapt with the evolution of public cloud services. For example, each time AWS updates an IAM API, a third-party vendor must also update its tool accordingly. Therefore, third-party tools can lag behind IAM development, adding a layer of uncertainty for enterprise IT teams.
