CSA CCM IAM-06
User Access Provisioning

User access provisioning is a critical process that ensures only authorized users are granted access to an organization's data and assets. It's important to have a well-defined process in place to approve, record, and communicate access changes. Neglecting proper access provisioning can lead to unauthorized access and potential security breaches.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10, released on 2023-09-26. You can download the full matrix here. The CCM provides a controls framework for cloud computing to help organizations assess cloud provider security. For more details on implementing this control in AWS, refer to the AWS Identity and Access Management documentation.

Who should care?

This control is relevant to:

  • IAM administrators responsible for managing user access
  • Application owners who approve access requests to their systems
  • Compliance officers who audit user access controls
  • Security analysts investigating access-related incidents

What is the risk?

Failing to properly provision user access can allow unauthorized users to view, modify, or delete sensitive data. This could lead to:

  • Data breaches exposing customer PII
  • Intellectual property theft by malicious insiders
  • Fraudulent financial transactions
  • Regulatory non-compliance and fines
  • Reputational damage and loss of customer trust

While access provisioning alone cannot completely eliminate these risks, it is an essential preventative control.

What's the care factor?

For most organizations, implementing strong access provisioning is a high-priority, foundational control. The consequences of inappropriate access can be severe, as noted above. Access management also tends to receive significant scrutiny during security audits and customer assessments.

However, in lower-risk situations with non-sensitive data, a more lightweight process may be acceptable to balance security and efficiency. The level of rigor should be commensurate with the value of assets being protected.

When is it relevant?

Formal access provisioning is important whenever:

  • Systems contain sensitive, regulated, or business-critical data
  • User roles need to be restricted based on least privilege
  • Access needs to be traceable for auditing purposes
  • Offboarding employees requires prompt access revocation

Access provisioning may not be as relevant for:

  • Anonymous public-facing websites
  • Systems with completely homogeneous user roles
  • Prototypes and test environments with dummy data

What are the tradeoffs?

Robust access provisioning requires time and effort to document roles, define approval workflows, configure IAM policies, and train personnel. Overly complex processes can slow down user onboarding and hamper productivity.

Organizations need to balance control with agility. Where possible, automate access provisioning and integrate with HR systems. Regular access reviews are important but can be time-consuming. Consider role-based access to minimize the number of individual entitlements that must be managed.

How to make it happen?

  1. Document user roles and permissions required for each
  2. Define access provisioning policies and approval workflows
  3. Configure IAM user groups, roles and policies to enforce least privilege
  4. Integrate with HR systems to automate access changes driven by job functions
  5. Require MFA for sensitive access approvals
  6. Implement periodic access reviews to validate permissions are still appropriate
  7. Monitor and alert on IAM permission changes
  8. Promptly revoke access for offboarded personnel

What are some gotchas?

  • IAM policies control service actions (e.g. s3:PutObject) but not data entitlements, which require application logic
  • IAM administrators need iam:* permissions, which are very high privilege. Use AWS Organizations SCPs to restrict this.
  • Misconfigured trust policies on IAM roles can allow unintended cross-account access.
  • MFA on the root user is important but doesn't protect other IAM principals.
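The trust-policy gotcha above (and step 3 of the how-to, configuring roles for least privilege) can be checked mechanically rather than by eyeballing JSON. The following Python is an added example, not code from the CSA CCM or the AWS documentation; TRUSTED_ACCOUNTS and the sample role documents are constructed placeholders, and the audit flags any role whose trust policy lets a wildcard or out-of-organization AWS principal assume it.

```python
import json

# Account IDs this organization owns (constructed placeholder values, not real accounts).
TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}

def _as_list(value):
    # IAM policy JSON allows a single string or a list wherever a list is expected.
    return [] if value is None else (value if isinstance(value, list) else [value])

def principal_account(principal):
    # An 'AWS' principal is a 12-digit account ID or an ARN such as arn:aws:iam::<acct>:role/Name.
    if principal.isdigit() and len(principal) == 12:
        return principal
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None

def audit_trust_policy(role_name, policy_json, trusted_accounts=TRUSTED_ACCOUNTS):
    """Flag Allow statements that let principals outside trusted_accounts assume the role."""
    findings = []
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        # Only 'AWS' principals cross account boundaries; Service/Federated entries are skipped.
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws_principals:
            if p == "*":
                findings.append(f"{role_name}: any AWS principal may assume this role")
            elif principal_account(p) not in trusted_accounts:
                findings.append(f"{role_name}: trusts principal outside the organization: {p}")
    return findings

# Constructed sample trust policies, shaped like the AssumeRolePolicyDocument of `aws iam get-role`.
SAMPLE_ROLES = {
    "Deployer": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::222222222222:role/CICD"}}]}),
    "LegacyVendorAccess": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "sts:AssumeRole", "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "999999999999"]}}]}),
    "OpenRole": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "sts:AssumeRole", "Principal": "*"}]}),
    "LambdaExec": json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
        "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}}]}),
}

def audit_all(roles=SAMPLE_ROLES):
    return [f for name, doc in roles.items() for f in audit_trust_policy(name, doc)]

if __name__ == "__main__":
    print("\n".join(audit_all()) or "no findings")
```

A wildcard principal that is narrowed by a Condition block (for example on aws:PrincipalOrgID) is still reported here, so such roles get a human review rather than a silent pass.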

What are the alternatives?

  • Use AWS SSO with an external identity provider for access management
  • Consider permission boundaries to limit the effective permissions an IAM policy can grant
  • For serverless, consider attribute-based access control (ABAC) with tags instead of IAM roles
  • Use AWS Organizations SCPs to restrict IAM permissions that can be granted in an account
