This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Prisma Cloud CIEM Security Best Practices

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Prisma Cloud CIEM Security Best Practices

RBaccus
L1 Bithead
‎01-26-2024 02:25 PM

Written by John Chavanne and Rob Baccus

 

Introduction

 

In today's cloud world there are a number of challenges in securing the resources and applications running in the cloud. One of these is the permissions that both users and objects have to sensitive information and access to others' resources. How do you, as a security professional, know when an attacker can use your own over permissive roles and accounts to access an S3 bucket containing personal customer information? Palo Alto Networks Unit 42 team has done extensive research in this area as well as helped customers who have suffered from breaches in the cloud. The Cloud Threat Report, Volume 7: Navigating the Expanding Attack Surface highlights examples where attackers exfiltrated cloud credentials, escalated privileges, and exfiltrated data from many database tables and storage buckets. In this article, we will focus on some of the most important best practices for Cloud Infrastructure Entitlement Management (CIEM) and Identity Access Management (IAM) Security for cloud applications, resources, and services.

 

What the Reader Will Learn/Gain

 

This blog will provide you with:

 

  • An overview of how to create a clear cloud IAM strategy
  • A list of key cloud IAM best practices
  • How Prisma Cloud implements these best practices

 

Why is Cloud IAM Strategy Important?

 

Managing cloud IAM is complex and challenging for any organization. Having a very clear cloud IAM strategy that can be communicated across the organization can go a long way to establishing proper rules and guardrails for how all identities will be managed in the cloud.

 

It is important to work with various teams in your organization to establish Cloud Infrastructure Entitlement Management (CIEM) and Identity Access Management (IAM) Security best practices and strategies for future changes.  Your cloud IAM best practices will need to align with your cloud IAM Strategy such that both security and development teams agree on the best way to secure roles, permissions, and resource access across cloud environments.

 

The risks that your company will incur if you don't adequately tackle cloud CIEM and IAM Security could be significant, from fines and/or jail time from the SEC (given the new reporting requirements), to brand damage and loss of significant customer trust, to loss of revenue.

 

An example of neglecting the implementation of an IAM strategy and best practices may lead to the existence of overly permissive roles in source code repositories, such as public GitHub, allowing attackers to discover and exploit credentials for purposes like introducing malware or engaging in nefarious activities within your cloud environments. Catching these risky permissions and roles earlier in the application lifecycle can prevent alerts to the security teams downstream.

 

Another example of a strong business objective addressed by a cloud IAM Best Practice is the incorporation of Multi-Factor Authentication (MFA) for IAM users. This strategic measure serves as a robust defense, preventing unauthorized access to user accounts and the potential compromise of critical data and infrastructure. Neglecting these best practices could lead to substantial consequences, including downtime for mission critical applications, as illustrated and witnessed during the breaches at MGM and Caesars in late 2023.


Diagram 1 is an example approach to help your teams simplify and visualize a cloud IAM strategy based on your company's unique risks. This approach demonstrates how you can simplify a complex and difficult subject by creating a clear visual representation of the potential risks based on specific business needs and easily share it with other teams.

 

Diagram 1: Define IAM Strategy based on RiskRBaccus_0-1706125130540.jpeg

In Table 1: Cloud IAM Best Practices, we have provided some key best practices and how to implement them with Prisma Cloud to help define your own team's cloud IAM Strategy.In Table 1: Cloud IAM Best Practices, we have provided some key best practices and how to implement them with Prisma Cloud to help define your own team's cloud IAM Strategy.

 

Table 1: Cloud IAM Best Practices:

NOTE: Examples in italics are Prisma Cloud RQL examples.

 

Best Practice Category

Best Practices

Prisma Cloud Specific Implementation of Best Practices

Reference/Examples

IAM Controls

Enforce MFA for cloud identities

OOB config MFA policies
  • AWS MFA not enabled for IAM users
  • Azure AD MFA is not enabled for the user

IAM Controls

Enforce password policies for cloud users

OOB config Password policies
  • AWS IAM password policy does not expire in 90 days

IAM Controls

Ensure all Users belong to Groups and mitigate use of any directly attached roles or policies.

Run query in Investigate for all clouds or a specific cloud for granted by entity type of user.
  • config from iam where grantedby.cloud.entity.type = 'user'

IAM Scope Visibility

Central IdP Visibility across multi-cloud environments

Support of direct IdP integration

Inactive Access

Identify inactive cloud users.

OOB config policies & Custom policies.
  • AWS Inactive users for more than 30 days

Inactive Access

Identify inactive access keys/long-standing credentials.

OOB config policies & Custom policies.
  • AWS access keys not used for more than 45 days
  • config from cloud.resource where cloud.type = 'gcp' AND api.name = 'gcloud-iam-service-accounts-keys-list' AND json.rule = 'name contains iam.gserviceaccount.com and (_DateTime.ageInDays($.validAfterTime) > 90) and keyType equals USER_MANAGED' addcolumn validAfterTime

Inactive Access

Identify unused machine accounts (i.e. service accounts, managed identities).

Custom config policies
  • config from cloud.resource where api.name = 'gcloud-recommender-iam-service-account-insight' AND json.rule = '_DateTime.ageInDays(content.lastAuthenticatedTime) > 90'

Risk Prioritization

Mitigate high priority attack path risks with comprehensive context

OOB & custom attack path policies
  • Attack Path Policies
  • Data exfiltration or destruction risk due to a publicly exposed and vulnerable Azure Virtual Machine with hazardous Storage account permissions
  • Unauthorized access or account actions risk due to a publicly exposed and vulnerable AWS EC2 instance with sensitive IAM 'write' permissions

Permissions Risk

Mitigate usage of highly privileged CSP Managed/Built-in roles.

OOB high privilege role policies.
  • GCP service accounts with 'Editor' role on org level
  • Azure AD user with the Azure built-in roles of Contributor

Permissions Risk

Mitigate unnecessary usage of high risk permissions/privileges for both human and machine identities.

OOB risky permission policies.
  • Okta user with effective permissions to create AWS IAM users
  • AWS Lambda Function with data destruction permissions

Permissions Risk

Mitigate toxic combination of privilege escalation permissions for both human and machine identities.

OOB & custom privilege escalation permission policies.
  • AWS role having iam:PassRole and lambda:InvokeFunction permissions attached to EC2 instance

Least Privilege

Mitigate unused permissions/privileges and create least-privilege access policies & roles for both human and machine identities.

OOB unused permission policies for each CSP for 90 and 7 days and automated generation of least privilege access policies & roles.
  • Cloud Identity Inventory
  • AWS IAM effective permissions are over-privileged (90 days)
  • Azure IAM effective permissions are over-privileged (90 days)

Least Privilege

Mitigate wildcard/broad resource access for both human and machine identities.

OOB wildcard access policies.
  • Okta User with IAM wildcard resource access
  • AWS EC2 with IAM wildcard resource access
  • Azure Service Principals with broad Key Vault management access

Least Privilege

Manage resource access to lower level scopes and avoid role assignments at broad levels (i.e. Orgs, subscriptions, folders, etc.)

OOB permissions & Custom policies.
  • config from iam where grantedby.cloud.type = 'AZURE' and grantedby.level.type IN ( 'Azure Management Group', 'Azure Subscription' )
  • config from iam where grantedby.cloud.type = 'GCP' and grantedby.level.type IN ( 'GCP Organization', 'GCP Folder' )

Cross Account Access

Mitigate and control cross-account access for both human and machine identities.

OOB permissions & Custom policies to discover and mitigate identities that have access to accounts/subscriptions/projects/organizations that do not belong to those same entities.
  • Azure Managed Identity with permissions to other subscriptions
  • config from iam where source.cloud.account != 'MyAccount' AND dest.cloud.account = 'MyAccount'
  • config from iam where source.cloud.accountgroup != 'MyOrg' AND dest.cloud.accountgroup = 'MyOrg'

Cross Account Access

Mitigate and control access with organizational conditions

Custom permission policies
  • config from iam where grantedby.cloud.policy.condition ('aws:PrincipalOrgID') does not exist
  • config from iam where grantedby.cloud.policy.condition ('aws:PrincipalOrgID') not-in ('my-ord-id')

Tagging

Manage and enforce IAM access by tags.

Custom config & permission policies
  • config from cloud.resource where api.name = 'aws-iam-list-roles' AND json.rule = role.tags[*] exists
  • config from iam where grantedby.cloud.entity.type = 'role' and grantedby.cloud.entity.tag ( 'env') = 'prod'

Identity Anomalies

Detect & mitigate identity based anomalies

OOB Anomaly policies
  • Account hijacking attempts
  • Azure Compute workload deleting network security groups
  • Unusual usage of Workload Credentials from outside the Cloud

Compliance

Ensure cloud IAM access and configuration meets compliance standards

Robust OOB compliance standards with identity controls

Reporting

Provides IAM compliance reports for auditing

OOB compliance reporting

Reporting

Provides reports on top identity risks

Autogenerate reports from the Command Center

 

Summary

 

Managing identities has always been a challenge for companies, and it becomes even more complex in the cloud. Taking proactive steps, like creating and implementing a cloud IAM strategy, helps define controls and guidelines for the organization as it transitions to the cloud. Adopting cloud IAM best practices further reduces risk. Utilizing a powerful tool like Prisma Cloud enables successful implementation and maintenance of the strategy and best practices.

 

This blog post was intended to help get you started on improving your security posture when it comes to managing your cloud identities. Your cloud identity security journey should not end here though. Identities and their credentials are used throughout cloud environments, to access sensitive data, run CI/CD pipelines, automation activities, and can be found embedded in code, VMs, containers, code repositories. Prisma Cloud has the most robust and comprehensive approach when it comes to protecting your applications, data, and identities. Attackers continue to become more sophisticated and use automation and AI to launch their attacks at faster and faster speeds. Taking an in-depth approach such as described in the blog: Mitigate Cloud Breaches With a Holistic Approach to Cloud Identity and Access will help you continue to learn more about how you can further protect your company from a breach.

 

  • 1717 Views
  • 0 comments
  • 4 Likes
Register or Sign-in
Labels
Popular Blogs
Top Liked Authors
View All
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks