Share resources securely with a third party

PostedNovember 27, 2024

UpdatedMarch 21, 2025

ByKevin McCaffrey

Managing permissions effectively is essential to safeguard your cloud environment, particularly when external entities require access. This ensures that only authorized users and systems can interact with your data and applications, minimizing the risk of unauthorized access and potential data breaches.

Best Practices

Implement Just-in-Time Access for Third Parties

Utilize AWS IAM roles to grant temporary access permissions to third parties, ensuring that access is only granted when needed and for a defined duration.
Regularly review and adjust the permissions assigned to third parties based on their current needs, following the principle of least privilege.
Set up automated notifications or alerts for key actions taken by third parties, allowing you to monitor access and take action if necessary.
Use services like AWS STS (Security Token Service) to create temporary security credentials that limit access to specific services and actions.
Establish mutual agreements that outline the scope of access and expected security practices by third parties to ensure compliance and accountability.

Leverage Resource-Based Policies

Apply resource-based policies, such as bucket policies for S3, to explicitly define who can access specific resources and under what conditions.
Ensure that policies are written to allow only access that is required for third-party operations, minimizing potential exposure.
Regularly audit resource policies to ensure they align with the principle of least privilege, removing any unnecessary permissions.

Auditing and Monitoring Access

Implement AWS CloudTrail and AWS Config to log and review access activity for third-party resources, providing accountability and traceability.
Establish regular audits of IAM roles, policies, and permissions for third parties to identify and mitigate potential risks swiftly.
Set up CloudWatch alarms that notify you of suspicious access patterns or changes in permissions that deviate from established guidelines.

Educate and Train Third Parties

Provide third parties with training on your security policies and the importance of following best practices when accessing your AWS resources.
Ensure that third parties are aware of and adhere to security requirements, including the handling of temporary credentials and data protection measures.
Conduct periodic security assessments involving third parties to reinforce security protocols and identify areas for improvement.

Questions to ask your team

How do you ensure that third-party entities only receive the permissions necessary for their access?
What processes are in place to manage the lifecycle of temporary credentials for third-party access?
How do you audit and review permissions granted to third parties to ensure compliance with your security policies?
What mechanisms do you use to monitor and log access from third-party systems?
How do you evaluate and approve third-party access requests to ensure they adhere to the principle of least privilege?
What tools or services do you use to enforce just-in-time access for temporary permissions?
How do you manage the revocation of access once the third-party’s requirements are fulfilled?

Who should be doing this?

Cloud Security Architect

Design and implement a secure permission management framework for both internal and third-party access.
Establish policies and procedures for just-in-time access and least privilege access.
Conduct risk assessments related to third-party access and identify potential vulnerabilities.
Collaborate with other teams to ensure secure integration of external systems.

IAM Administrator

Manage and configure AWS Identity and Access Management (IAM) policies and roles for users and machines.
Monitor and audit permissions regularly to ensure compliance with the principle of least privilege.
Provision temporary credentials for third-party access as necessary.
Assist in the implementation of multi-factor authentication (MFA) for enhanced security.

Compliance Officer

Ensure that access management practices comply with relevant regulatory requirements and industry standards.
Review access logs and conduct audits to verify adherence to security policies.
Engage with third-party vendors to evaluate their security practices and compliance posture.
Provide training and awareness programs for staff regarding securely managing permissions.

DevOps Engineer

Integrate security best practices into the CI/CD pipeline to manage permissions effectively.
Collaborate with developers to implement secure coding practices that align with permission management.
Automate the provisioning and deprovisioning of access for third-party systems as needed.
Monitor application access patterns to identify and mitigate potential risks.

What evidence shows this is happening in your organization?

Third-Party Access Policy Template: A template outlining the permissions and access levels for third-party systems. It includes guidelines for just-in-time access and adherence to the principle of least privilege.
Permission Management Checklist: A checklist to ensure all permissions granted to third parties are reviewed regularly, limited to the minimal required scope, and provided as temporary credentials.
Access Management Dashboard: A dashboard displaying real-time analytics on permissions granted to third parties, including usage patterns and any anomalies detected that might indicate over-provisioning.
Just-in-Time Access Strategy Guide: A guide detailing the approach for implementing just-in-time access for third parties, including processes for requesting and revoking access swiftly.
Temporary Credentials Playbook: A playbook providing step-by-step instructions on how to issue and manage temporary credentials for third-party access, ensuring compliance with security policies.
Least Privilege Access Model: A model diagram illustrating the structure of least privilege access for third-party accounts, showcasing how permissions are granted based on specific roles and needs.

Cloud Services

AWS

AWS Identity and Access Management (IAM): IAM allows you to create and manage AWS users and groups, and use permissions to allow or deny their access to AWS resources. It supports the principle of least privilege.
AWS Security Token Service (STS): STS provides temporary, limited-privilege credentials for AWS IAM users or applications, enabling just-in-time access.
AWS Resource Access Manager (RAM): AWS RAM enables you to share your resources securely across AWS accounts, helping manage permissions for third-party access.

Azure

Azure Active Directory (Azure AD): Azure AD provides identity management and access control frameworks to secure resources sharing with third parties through role-based access control.
Azure Role-Based Access Control (RBAC): Azure RBAC helps manage permissions through the principle of least privilege by assigning roles to users and applications that define their access rights.

Google Cloud Platform

Google Cloud Identity and Access Management (IAM): GCP IAM lets you manage access control by defining who (identity) has what access (roles) to which resources, enforcing the principle of least privilege.
Google Cloud Access Context Manager: This service allows you to define and enforce access levels for your resources based on the context of a user’s request, supporting secure resource sharing.

Question: How do you manage permissions for people and machines?
Pillar: Security (Code: SEC)

Operational Excellence

Determine what your priorities are

Structure your organization to support your business outcomes

Organizational culture to support your business outcomes

Implement observability in your workload

Reduce defects, ease remediation, and improve flow into production

Mitigate deployment risks

Be ready to support a workload

Uilize workload observability

Understand the health of your operations

Manage workload and operations events

Evolve your operations

Security

Securely operate your workload

Manage identities for people and machines

Manage permissions for people and machines

Detect and investigate security events

Protect your network resources

Protect your compute resources

Classify your data

Protect your data at rest

Protect your data in transit

Anticipate, respond to, and recover from incidents

Incorporate and validate the security properties of applications throughout the design, development, and deployment lifecycle

Reliability

Manage service quotas and constraints

Plan your network topology

Design your workload service architecture

Design interactions in a distributed system to prevent failures

Design interactions in a distributed system to mitigate or withstand failures

Monitor workload resources

Design your workload to adapt to changes in demand

Implement change

Back up data

Fault isolation to protect your workload

Design your workload to withstand component failures

Test reliability

Plan for disaster recovery (DR)

Cost Optimization

Implement cloud financial management

Govern usage

Monitor your cost and usage

Decommission resources

Evaluate cost when you select services

Meet cost targets when you select resource type, size and number

Use pricing models to reduce cost

Plan for data transfer charges

Manage demand, and supply resources

Evaluate new services

Evaluate the cost of effort

Performance

Select the appropriate cloud resources and architecture patterns for your workload

Select and use compute resources in your workload

Store, manage, and access data in your workload

Select and configure networking resources in your workload

Support more performance efficiency for your workload

Sustainability

Select Regions for your workload

Align cloud resources to your demand

Take advantage of software and architecture patterns to support your sustainability goals

Take advantage of data management policies and patterns to support your sustainability goals

Select and use cloud hardware and services in your architecture to support your sustainability goals

Implement organizational processes support your sustainability goals