Identifying and Reducing Permission Explosion in AWS: A Graph-Based and Analytical Approach
Learn how to identify and reduce permission explosion in AWS using a graph-based and analytical approach, increasing security and reducing unauthorized access.
Permission explosion is a common issue in AWS: principals accumulate far more permissions than they actually use, which makes resources hard to manage and secure. The speaker identifies three causes:
- Reason 1: Temporary access, where people request access for a specific task or investigation and the access is not revoked once the work is done.
- Reason 2: Broad access roles, where people are granted roles carrying far more permissions than their day-to-day job requires.
- Reason 3: Permission creep, where permissions are never taken away, so access accumulates over time and ends up allowing actions nobody intended, i.e. unauthorized access.
To identify and reduce permission explosion, the speaker uses the following strategies:
- Calculate a Permission Utilization Ratio (PUR) for each role and for each permission, comparing what is granted with what is actually used.
- Remove unused permissions from roles.
- Automate policy generation and attachment to roles, so the reduced policy is derived from usage data rather than written by hand.
- Break large roles into smaller team- or task-specific roles so that each one carries fewer permissions.
- Use a graphing library such as Sigma.js to visualize the role and permission data and spot permission explosion.
The speaker's company, Motive, was able to reduce permissions by 63% using these strategies.
- The number of permissions per user decreased from 75 to 32.
- The number of unused permissions decreased from 426 to 286.
- The PUR for each permission is calculated from its frequency of use and the number of users who exercise that permission.
The speaker's recommendations for implementing these strategies:
- Use the AWS APIs to pull role, policy and usage data and push it into a database for analysis.
- Write automation scripts that generate IAM policies from that data.
- Use a graphing library to visualize the data.
- Break roles into smaller team- or task-specific roles to reduce the permissions each one carries.
- Calculate the Permission Utilization Ratio from the frequency of use and the number of users who exercise each permission.
The speaker emphasizes that reducing permissions matters because permission explosion leads to unauthorized access and wider security risk.
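The following is an added example, not the speaker's or Motive's code, showing how the strategies and recommendations above fit together: a role's allowed actions are compared with CloudTrail-style usage to compute a role-level and a permission-level PUR, unused permissions are listed, and a least-privilege policy document is generated from what was actually exercised. Everything here is constructed: the allowed actions per role, the role membership and the events are hard-coded sample data (in practice they would come from iam.get_account_authorization_details(), your identity provider and CloudTrail), and the per-permission score (share of the role's members who used the permission, reported with its call count) is one possible reading of "frequency of use and number of users", not a formula the talk gives.

```python
"""Permission Utilization Ratio (PUR) over constructed CloudTrail-style events.

Added example, not the speaker's code. Assumptions: allowed actions per role are
already expanded from policy documents, role membership is inferred from the
events, and the per-permission score is our own definition.
"""
import json
from collections import defaultdict

# Constructed: allowed actions per role (would come from iam.get_account_authorization_details()
# with wildcards expanded against the service action lists).
ROLE_ALLOWED = {
    "DataEngineer": {
        "s3:GetObject", "s3:PutObject", "s3:ListBucket", "s3:DeleteBucket",
        "dynamodb:GetItem", "dynamodb:Scan", "iam:PassRole", "ec2:TerminateInstances",
    },
    "Analyst": {
        "s3:GetObject", "s3:ListBucket", "athena:StartQueryExecution",
        "athena:GetQueryResults", "glue:GetTable", "iam:CreateUser",
    },
}

# Constructed CloudTrail-style events, reduced to the fields used here. A real event carries
# the assumed role in userIdentity.sessionContext.sessionIssuer and the human behind it in
# userIdentity.arn; errorCode is set when the call was denied.
EVENTS = [
    {"role": "DataEngineer", "user": "alice", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"role": "DataEngineer", "user": "alice", "eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"role": "DataEngineer", "user": "alice", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"role": "DataEngineer", "user": "bob", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"role": "DataEngineer", "user": "bob", "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem"},
    {"role": "DataEngineer", "user": "carol", "eventSource": "dynamodb.amazonaws.com", "eventName": "Scan"},
    {"role": "Analyst", "user": "dave", "eventSource": "athena.amazonaws.com", "eventName": "StartQueryExecution"},
    {"role": "Analyst", "user": "dave", "eventSource": "athena.amazonaws.com", "eventName": "GetQueryResults"},
    {"role": "Analyst", "user": "dave", "eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"role": "Analyst", "user": "erin", "eventSource": "glue.amazonaws.com", "eventName": "GetTable"},
    # Denied call: attempted, not exercised, so it must not count as usage.
    {"role": "Analyst", "user": "erin", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "errorCode": "AccessDenied"},
]

# CloudTrail eventName is not always the IAM action name (ListBuckets authorizes as
# s3:ListAllMyBuckets). Keep an explicit override map instead of assuming a 1:1 mapping.
EVENT_TO_ACTION = {("s3.amazonaws.com", "ListBuckets"): "s3:ListAllMyBuckets"}


def action_from_event(event):
    key = (event["eventSource"], event["eventName"])
    if key in EVENT_TO_ACTION:
        return EVENT_TO_ACTION[key]
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def usage_by_role(events):
    """role -> action -> {"calls": n, "users": set}. Denied calls are skipped."""
    usage = defaultdict(lambda: defaultdict(lambda: {"calls": 0, "users": set()}))
    for ev in events:
        if ev.get("errorCode"):
            continue
        entry = usage[ev["role"]][action_from_event(ev)]
        entry["calls"] += 1
        entry["users"].add(ev["user"])
    return usage


def role_members(events, role):
    """Assumption: membership inferred from events; use IAM/IdP assignments in practice."""
    return {ev["user"] for ev in events if ev["role"] == role}


def role_pur(role, usage):
    """Share of the role's allowed actions exercised at least once in the window."""
    allowed = ROLE_ALLOWED[role]
    return len(set(usage[role]) & allowed) / len(allowed)


def permission_pur(role, action, usage, members):
    """Per-permission score: share of members who used it, plus raw call frequency."""
    entry = usage[role].get(action, {"calls": 0, "users": set()})
    return {"user_share": len(entry["users"]) / len(members), "calls": entry["calls"]}


def unused_permissions(role, usage):
    return sorted(ROLE_ALLOWED[role] - set(usage[role]))


def least_privilege_policy(role, usage):
    """Policy with only the actions the role exercised. Resource stays "*" on purpose:
    scope it from CloudTrail's resources field and review it before attaching; usage
    data is evidence of need, not authorization."""
    by_service = defaultdict(list)
    for action in sorted(set(usage[role]) & ROLE_ALLOWED[role]):
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{role}{svc.capitalize()}Used", "Effect": "Allow", "Action": actions, "Resource": "*"}
        for svc, actions in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    usage = usage_by_role(EVENTS)
    for role in ROLE_ALLOWED:
        members = role_members(EVENTS, role)
        print(f"{role}: PUR={role_pur(role, usage):.2f} unused={unused_permissions(role, usage)}")
        for action in sorted(usage[role]):
            print("  ", action, permission_pur(role, action, usage, members))
        print(json.dumps(least_privilege_policy(role, usage), indent=2))
```

Run it as a script to see both roles at a PUR well below 1 and the generated policies dropping the dangerous never-used actions (iam:CreateUser, ec2:TerminateInstances, s3:DeleteBucket). The same usage table is what you would load into the database and feed to a graphing library: roles and permissions as nodes, edges weighted by user_share, so a role with many low-weight edges is the visual signature of permission explosion.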