Analyze public and cross-account access

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Effectively managing permissions is crucial for safeguarding AWS workloads. Regularly analyzing public and cross-account access ensures that permissions are aligned with the principle of least privilege, helping to mitigate security risks associated with excessive access rights.

Best Practices

Regularly Audit IAM Policies and Permissions

Conduct regular audits of AWS Identity and Access Management (IAM) policies to ensure that only required permissions are granted. This helps minimize the risk of excessive permissions and potential security breaches.
Use IAM Access Analyzer to identify and analyze public and cross-account access points within your AWS accounts, making it easier to spot unintended access.
Implement least privilege access by reviewing and updating IAM policies to remove unnecessary permissions.
Track changes and access granted over time to enhance visibility and accountability in permission management.

Employ Resource-Based Policies for Granular Control

Utilize resource-based policies (e.g., S3 bucket policies, SNS topic policies) to control access at the resource level. This allows you to provide access only to specific resources that require exposure to public or cross-account access.
Set conditions in your policies to restrict access based on factors such as source IP, time of day, or request origin.
Regularly evaluate and adjust these policies to ensure they align with evolving security needs and workloads.

Monitor Public and Cross-Account Access Continuously

Implement AWS CloudTrail to log and monitor API calls across your AWS environment. This ensures that you have visibility into who’s accessing resources and the actions they’re taking.
Set up Amazon CloudWatch alarms to alert your team of any unauthorized access attempts or changes in resource access configurations.
Utilize AWS Config to enable resource monitoring and evaluation against defined best practices, aiding in the early detection of misconfigurations or policy violations.

Educate and Train Your Team on Security Best Practices

Provide training sessions on IAM best practices and the importance of managing permissions to avoid security incidents.
Create documentation and guidelines for developers and administrators on how to correctly request, grant, and analyze permissions.
Establish a culture of security awareness, helping employees understand their role in protecting access to AWS resources.

Questions to ask your team

What mechanisms are in place to regularly review and adjust public and cross-account access permissions?
How do you identify resources that have excessive public access?
What processes do you follow to ensure that cross-account access is limited to only necessary accounts?
How often do you conduct audits of permissions for people and machines?
What tools do you use to automatically monitor and alert for changes in public and cross-account permissions?
Can you provide examples of how you have minimized public and cross-account access in the past?
How do you ensure compliance with your organization’s security policies regarding access management?

Who should be doing this?

Cloud Security Architect

Design and implement secure access controls for AWS resources.
Define and enforce policies for public and cross-account access.
Regularly review public and cross-account access permissions.
Collaborate with development teams to ensure secure coding practices are followed.

AWS Administrator

Manage and configure IAM policies and roles.
Perform regular audits of permissions for users and machines.
Monitor for unauthorized access or changes to permissions.
Implement changes to reduce public and cross-account access where necessary.

Compliance Officer

Ensure that access management complies with organizational and regulatory standards.
Conduct audits and produce reports on access permissions.
Review findings from security assessments related to permissions.

DevOps Engineer

Implement CI/CD practices that respect permissions and access controls.
Set up monitoring and alerts for public and cross-account access configurations.
Work with the security team to develop automated tools for reducing undesired access.

What evidence shows this is happening in your organization?

Public Access Review Checklist: A checklist that outlines steps for reviewing and assessing public access settings across AWS services. It includes guidelines for identifying unnecessary public access and how to remediate those findings.
Cross-Account Access Policy Template: A template for creating policies that restrict cross-account access. This template helps define the necessary permissions while limiting access to only the required AWS resources for external accounts.
Access Monitoring Dashboard: A real-time monitoring dashboard configured in AWS CloudWatch that tracks public and cross-account access findings. It visualizes access patterns and highlights anomalies for quick remediation.
Access Control Strategy Document: A comprehensive document outlining the organization’s strategy for managing permissions for users and machines. It includes best practices for minimizing public and cross-account access.
Security Incident Response Playbook: A playbook detailing the steps to take when a security incident is detected related to unauthorized public or cross-account access. It outlines roles, responsibilities, and communication procedures.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to manage access to AWS services and resources securely. Create roles and policies to enforce the principle of least privilege and monitor permissions.
AWS CloudTrail: CloudTrail provides visibility into user activity and API usage across your AWS account, which is critical for identifying unauthorized access and cross-account access.
Amazon GuardDuty: GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to help protect your AWS accounts and workloads.
AWS Config: AWS Config provides a detailed view of the configuration of AWS resources in your account, including access policies, helping you track changes in permissions.

Azure

Azure Active Directory (AAD): AAD helps manage user identities and permissions, enabling secure access to Azure services, application resources, and ensuring compliance.
Azure Monitor: Azure Monitor offers a range of monitoring tools that help track access and activity, making it easier to identify unusual patterns in cross-account access.

Google Cloud Platform

Google Cloud Identity: Cloud Identity helps manage user identities and policies, enabling effective control over who has access to your GCP resources.
Cloud Security Command Center: This service provides security visibility and helps you prevent, detect, and respond to threats across your Google Cloud services, including monitoring access and permissions.

Question: How do you manage permissions for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals