CSA CCM IAM-08
User Access Review

User access reviews are a critical part of maintaining a secure cloud environment. They involve regularly reviewing and validating that users only have the access they need to perform their job duties, following the principle of least privilege. Access reviews also ensure that no user has conflicting access that could lead to segregation of duties violations.

Where did this come from?

This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. You can download the full matrix here. The CCM provides a comprehensive set of cloud security controls mapped to various industry standards. For more background, check out the CSA CCM FAQ.

Who should care?

  • Cloud security engineers responsible for defining IAM policies and permissions
  • IT managers overseeing cloud environments and user access
  • Auditors assessing the organization's cloud security posture
  • Developers building cloud applications and infrastructure

What is the risk?

Excessive, inappropriate, or stale user permissions increase the risk of:

  • Data breaches from compromised user accounts
  • Insider threats and data exfiltration
  • Unauthorized changes to systems and resources
  • Non-compliance with regulations and standards

Regular access reviews help detect and remove unneeded permissions to mitigate these risks. The more frequently reviews are performed, the lower the risk exposure.

What's the care factor?

For most organizations, user access reviews should be a high priority. Inappropriate access is a common factor in major security incidents. Auditors and regulators are increasingly scrutinizing IAM practices.

However, very small or low-risk environments may be able to justify less frequent reviews. Ultimately, the care factor depends on the organization's risk tolerance, compliance obligations, and security maturity.

When is it relevant?

User access reviews are most relevant for:

  • Cloud environments with many users and complex permission sets
  • Organizations subject to strict compliance requirements (e.g. HIPAA, PCI-DSS, GDPR)
  • Companies with high employee turnover
  • Businesses operating in high-risk industries

They may be less critical for small teams with minimal cloud usage and low turnover. However, every organization using the cloud should implement some form of periodic access review.

What are the trade-offs?

Conducting thorough user access reviews requires time and effort. Managers have to comb through permissions and justify access. Frequent reviews increase this overhead.

Revoking unneeded permissions can also impact productivity if done hastily. Users may be unable to perform certain tasks until permissions are re-requested and re-approved.

Organizations have to strike a balance between security and efficiency when determining review frequency and depth. Automating aspects of reviews can help.

How to make it happen?

  1. Define a user access review policy specifying:
    • Review frequency based on risk (e.g. quarterly for high-risk, annually for low-risk)
    • Roles and responsibilities (managers review their direct reports, security team spot checks)
    • Criteria for revoking access (e.g. stale, excessive, violates least privilege)
  2. Use cloud tools like AWS IAM Access Analyzer to identify unused or over-privileged permissions
  3. Create an IAM user report showing permissions for each user
  4. Have managers review permissions for their direct reports and attest whether access is still needed
  5. Remove any permissions deemed unnecessary
  6. Document all access changes and review results for auditors
  7. Update IAM policies and permission sets to align with the new baseline
  8. Schedule the next review cycle
  9. Continuously monitor for any suspicious permission changes in between review cycles
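The following script is an added example for steps 2 through 5 above; it is not part of the CSA CCM or any vendor's tooling. It triages a credential report for sign-in paths that should go to a manager for attestation: passwords or access keys that are enabled but have not been used within the review window (90 days here, an assumption), and console passwords without MFA. The report text is a constructed sample that mimics a subset of the columns of an AWS IAM credential report; the account id and user names are fictitious.

```python
"""Triage an IAM credential report for stale or unprotected credentials.

Added example (not from the CSA CCM page). The report below is a constructed
sample with a subset of the real report's columns. In a real account the text
comes from boto3: iam.generate_credential_report() followed by
iam.get_credential_report()["Content"].decode(), which needs the
iam:GenerateCredentialReport and iam:GetCredentialReport actions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample rows (fictitious account 111122223333 and users).
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2019-01-10T09:00:00+00:00,not_supported,2023-09-01T08:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2021-03-02T10:00:00+00:00,true,2023-09-20T12:30:00+00:00,true,true,2023-09-21T07:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2020-06-15T10:00:00+00:00,true,2023-02-11T14:00:00+00:00,false,true,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2022-01-05T10:00:00+00:00,false,no_information,false,true,2023-09-24T03:00:00+00:00,true,2023-01-03T03:00:00+00:00
"""

# Date the review is run against the sample (assumed for this example).
REVIEW_DATE = datetime(2023, 9, 26, tzinfo=timezone.utc)

# Placeholder values the report uses where no timestamp is available.
NO_TIMESTAMP = {"N/A", "no_information", "not_supported", ""}


def parse_timestamp(value):
    """Return an aware datetime, or None when the report has no timestamp."""
    if value in NO_TIMESTAMP:
        return None
    return datetime.fromisoformat(value)


def review_credential_report(report_csv, as_of, stale_days=90):
    """Return (user, credential, reason) triples that need attestation.

    A credential is stale when it is enabled but has not been used within
    stale_days of as_of; a never-used credential counts as stale too.
    """
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row["password_enabled"] == "true":
            last = parse_timestamp(row["password_last_used"])
            if last is None or last < cutoff:
                findings.append((user, "password", "stale-or-never-used"))
            if row["mfa_active"] != "true":
                findings.append((user, "password", "no-mfa"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            last = parse_timestamp(row[f"access_key_{n}_last_used_date"])
            if last is None or last < cutoff:
                findings.append((user, f"access_key_{n}", "stale-or-never-used"))
    return findings


def review_queue(findings):
    """Group findings per user so each manager gets one attestation item per user."""
    queue = {}
    for user, credential, reason in findings:
        queue.setdefault(user, []).append(f"{credential}: {reason}")
    return queue


if __name__ == "__main__":
    queue = review_queue(review_credential_report(SAMPLE_REPORT, REVIEW_DATE))
    for user, items in queue.items():
        print(f"{user}: " + "; ".join(items))
```

Against the sample, alice and the root account produce nothing, bob is queued for a stale password without MFA plus an active but never-used access key, and ci-deploy is queued for a second access key unused since January. The output is the input to step 4: the manager attests or the credential is disabled, and the decision is recorded for step 6.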

What are some gotchas?

  • Access reviews require IAM permissions to generate user access reports (e.g. iam:GenerateCredentialReport)
  • Removing permissions for federated users requires updating their SAML attributes in the identity provider
  • Renaming or deleting IAM users breaks the audit trail - disable instead
  • Permissions granted through group membership are easy to overlook
  • Beware of IdP groups granting federated access outside IAM
  • Service-linked roles and permissions boundary policies limit the ability to modify permissions

What are the alternatives?

Some cloud providers offer AI-powered tools to streamline access reviews:

Vendors like SailPoint and CyberArk also provide identity governance solutions to automate access reviews across multi-cloud environments.

Ultimately though, there is no substitute for manual attestation by managers and asset owners to verify permissions are appropriate.
