Credit to Author: Rich Beckett| Date: Tue, 05 May 2020 12:44:15 +0000
With hackers busy exploiting topical events to steal access credentials, properly maintaining the access roles and privileges for your AWS, Azure and Google Cloud Platform (GCP) accounts is an essential step in safeguarding the data and workloads you store with these cloud providers.
In this article I’ll walk through how Sophos Cloud Optix, our cloud security posture management tool, helps you secure access to your public cloud accounts.
Multi-factor authentication (MFA) adds an extra layer of protection on top of a username and password, protecting against password compromise. All user accounts should have MFA enabled. Cloud Optix ensures MFA is enabled for AWS accounts, and the Cloud Optix service itself.
Protecting cloud accounts with MFA
Identity and Access Management (IAM) is the AWS tool that controls access to services within your Amazon cloud account. You should ensure MFA is enabled for all IAM users that have AWS console access.
The Cloud Optix inventory view allows you to identify any IAM users without MFA enabled. This information is provided by an AWS Credentials report, which is updated by AWS every four hours.
To view this information in the Cloud Optix console, select ‘Inventory’ in the left-hand navigation > Select ‘IAM’ > Select ‘MFA Disabled’. Access to you AWS account is required to enable MFA for the users identified.
Protecting your Cloud Optix account with MFA
You can also use MFA to improve the security of your Cloud Optix console. This means you must use another form of authentication, as well as username and password, when you sign into Cloud Optix. Learn how to enable MFA for Cloud Optix.
Adopt the principle of Least Privileged Access
The services within your Amazon cloud account will include server instances, databases, storage – literally anything you run in Amazon. As best practice you should give users, groups and services only those privileges which are essential to perform their role. This minimizes risk and exposure.
However, keeping track of the actual use of the privileges assigned in IAM for all accounts, groups and roles can be a nearly impossible task without a lot of manual labor.
Cloud Optix IAM Visualization helps by visualizing these relationships, equipping your teams with a practical view to manage IAM and over-privileged access to cloud accounts and resources.
Avoid internet-facing resources
Accidental or malicious changes to the cloud resource configurations in AWS, Azure or GCP, such as S3 buckets, RDS, and EBS leave your organization exposed to automated hacker searches looking to exploit sensitive data.
Cloud Optix quickly identifies any publicly accessible data or website files, and provides guided or automated remediation pathways to make them private (and secure). Cloud Optix can also add an additional level of security to these critical services with Guardrails, ensuring no configuration changes are made without permission.
- Cloud Optix Community (Tap into the expertise of the Cloud Optix community)
- Cloud Optix Help Centre (Step-by-step help for Cloud Optix console features – PDF also available)
- Demo Video of Cloud Optix IAM Security Controls (Technical demo showing how Cloud Optix IAM security features help organizations secure cloud account access)
- Cloud Optix Proof of Concept guide (Suggested configuration options and testing framework for Cloud Optix)