IAM is hard. And we need to understand why IAM is hard and what to do about it.
To uncover why IAM is hard, k9 Security interviewed +50 Cloud practitioners privately about their challenges and solutions configuring IAM safely. Engineers have also described the problems and solutions publicly. Engineers discussing  what led to an an ‘AWS IAM misconfiguration’ and $80M cloud data breach fine is one of the best public examples.
We reviewed those discussions and summarized the lessons below. These lessons are especially useful to organizations in the first few years of their AWS cloud adoption.
First, IAM is genuinely difficult to learn and secure app configs demand deep expertise:
- IAM is incredibly powerful and flexible, but hard to learn. The easiest paths grant excess permissions.
- IAM is hard, especially implementing least privilege for app (machine) roles. It’s difficult to determine what access apps actually have or need, particularly for migrated/brownfield apps whose permissions were not built incrementally.
- When app roles aren’t tight, a single compromise exposes everything.
- Building good policies from scratch requires deep expertise in IAM and the app
- Having someone outside of the dev team app/machine policies by hand after the fact is even harder.
- Engineers often end up spending political capital to do the right thing because of lack of support.
Second, scaling any expertise is hard:
- Once your cloud account architecture grows beyond 10 accounts (it should!), it’s beyond the capacity of any one person to manage or fix.
- With growth, the backlog of policies also grows beyond one person’s ability to manage
- If you try to automate your way out of the problem without management support, funding, and staffing it will fail
- Creating an IAM policy writing team will probably fail too as it can be boring (except for deadlines!) and introduces a coordination problem that hinders delivery
If you want to dive deep into these problems, read why AWS IAM is so difficult to use (Effective IAM for AWS).
To secure your AWS accounts, you must adopt multiple solutions:
- Integrate security policy development and delivery into the application’s existing delivery process. Don’t manage security policies out-of-band and force coordination through tickets & email.
- Make writing good security policies easy for app engineers with usability-focused libraries/tools so they can express their intent accurately. Let the library implement details of best practice.
- Detect bad policies and excess permissions automatically. Engineers can’t do this manually beyond toy deployments.
- Implement SCP guardrails to prevent accidents and the worst of attacks, particularly data destruction.
- Auto-remediate excessive privileges.
- Solve problems related to people and processes. Start by designing how security integrates into the continuous app delivery process.
You don’t have to learn these lessons the hard way.
First, read the threads if you’re responsible for Cloud security. They describe the security pain your organization is in right now whether you’re using AWS, Azure, or GCP. They also describe solutions that are actually working for people in the real world.
Second, check out Effective IAM for AWS for a comprehensive, free guide to integrating security into your AWS cloud application delivery process.
Third, operationalize Cloud access review and improvement with direct support for continuous delivery. Consider k9 Security which helps you:
- Understand the access apps & people actually have with usable AWS account audits
- Deploy secure IAM policies with infrastructure code pipelines using Terraform & CDK
- Scale access review and improvement without overloading experts using the katas
We’d love to discuss AWS security with you and are happy to answer any questions!
Go Fast, Safely
 Hacker News: IAM is hard – Thoughts on $80M fine from the Capital One Breach sparked by Cloud Security expert Kinnaird McQuade