Implementing a Zero Trust model is crucial to preventing privileged access attacks. Zero Trust is a security framework that eliminates implicit trust, requiring users to be continuously validated as they request and gain access to network resources. As businesses shift to a hybrid or cloud infrastructure, hardening the network perimeter using firewalls and other network tools is no longer an effective strategy. In this article, we explore best practices for building a Zero Trust framework in AWS, Zero Trust principles already embedded into the platform, and how ephemeral just-in-time (JIT) access can help businesses minimize the risk of standing privileges in AWS and other cloud platforms.

Best Practices for Zero Trust in AWS

Creating and maintaining a Zero Trust security model requires implementing best practices not only on AWS, but across an organization’s entire cloud architecture. These three principles provide a starting point for building Zero Trust on AWS and beyond.

Use identity and network controls in tandem

AWS provides a full suite of identity and network controls. Identity-based controls give IT admins fine-grained authorization over who can call which API on which resource. Network controls define the boundaries (VPCs, endpoints, source networks) within which those identity controls apply. Configured together, for example by allowing an identity only when the request arrives through an approved network path, the two create a more secure environment that aligns more closely with Zero Trust.

Reverse-engineer Zero Trust for each specific use case

Zero Trust is an overarching framework that guides strategic decision-making, helping IT admins make better choices about how they secure their network. From securing the remote connections that support a mobile workforce to maintaining the security and visibility of internet-of-things (IoT) devices, each situation is unique. That’s why it is important to begin with a specific use case in mind before working to determine which Zero Trust strategies and tools would be most effective. 

Prioritize your high-value systems and data

Achieving Zero Trust using the controls and security settings native to AWS can be a complex and time-consuming process. So prioritizing is important. Begin by identifying the most important systems, applications, and data and secure them first, working backward to address less urgent ones. 

Zero Trust Principles Embedded in AWS

AWS has integrated several Zero Trust principles into its platform architecture, giving customers a good foundation to build upon. 

Service-to-service interactions in AWS

Even with API service calls totaling in the billions per day, AWS authenticates and authorizes each one individually. Built-in security measures include encryption in transit via Transport Layer Security (TLS) and a secure signing process that requires every request to be signed using an access key consisting of an access key ID and secret access key. These safeguards are designed to prevent attacks that involve smuggling or injecting requests into connections and enable advanced isolation techniques.

Signing AWS API requests

Robust identity-based controls are foundational to how individual AWS services interact with each other. Calls from one AWS service to another are protected using the same security safeguards that customers use, with each authenticated and authorized by the AWS Identity and Access Management (IAM) web service. 
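The signing process the two passages above refer to is AWS Signature Version 4 (SigV4): the client canonicalizes the request, derives a key scoped to one day, region and service from the secret access key, and sends an HMAC over the canonical request; the service recomputes and compares. The block below is an added example written for this article, not code from the article or from AWS, and it implements only the subset of the publicly documented algorithm needed for a simple GET with query parameters (no chunked uploads, no S3 special cases). The credentials and the sample request are constructed placeholders.

```python
"""Minimal AWS Signature Version 4 (SigV4) signer and verifier.

Added example, not code from the article or from AWS. Covers the
documented algorithm for a simple GET with query parameters only.
Credentials and the sample request are constructed placeholders.
"""
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials in the AWS example style; not real keys.
ACCESS_KEY_ID = "AKIDEXAMPLE"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

# Constructed sample request: an IAM ListUsers call.
SAMPLE = {
    "method": "GET",
    "path": "/",
    "query": {"Action": "ListUsers", "Version": "2010-05-08"},
    "headers": {
        "Host": "iam.amazonaws.com",
        "Content-Type": "application/x-www-form-urlencoded; charset=utf-8",
        "X-Amz-Date": "20150830T123600Z",
    },
    "payload": b"",
    "region": "us-east-1",
    "service": "iam",
}


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def canonical_request(method, path, query, headers, payload):
    """Serialize the request into SigV4's canonical form; return it with
    the ';'-joined list of header names that are covered by the signature."""
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
        for k, v in sorted(query.items())
    )
    # Names lower-cased and sorted, whitespace runs in values collapsed, so a
    # proxy that reflows headers does not invalidate the signature.
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical = (
        f"{method}\n{quote(path, safe='/-_.~')}\n{canonical_query}\n"
        f"{canonical_headers}\n{signed_headers}\n{_sha256_hex(payload)}"
    )
    return canonical, signed_headers


def signing_key(secret, date_stamp, region, service):
    """Derive the scoped key. The long-term secret is only ever the root of
    this chain; the key that actually signs is bound to one day, one region
    and one service, which limits what a leaked signing key can do."""
    k_date = _hmac_sha256(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def sign(secret, request):
    """Return (signature_hex, signed_headers, credential_scope)."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    amz_date = headers["x-amz-date"]           # e.g. 20150830T123600Z
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{request['region']}/{request['service']}/aws4_request"
    canonical, signed_headers = canonical_request(
        request["method"], request["path"], request["query"],
        request["headers"], request["payload"],
    )
    string_to_sign = (
        f"AWS4-HMAC-SHA256\n{amz_date}\n{scope}\n"
        f"{_sha256_hex(canonical.encode('utf-8'))}"
    )
    key = signing_key(secret, date_stamp, request["region"], request["service"])
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return signature, signed_headers, scope


def authorization_header(access_key_id, secret, request):
    """Build the Authorization header value the client sends."""
    signature, signed_headers, scope = sign(secret, request)
    return (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(secret, request, presented_signature):
    """Service side: recompute from the request as received and compare in
    constant time. Any change to a signed header, the query string or the
    payload, or a signature made with another key, fails this check."""
    expected, _, _ = sign(secret, request)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    print(authorization_header(ACCESS_KEY_ID, SECRET_ACCESS_KEY, SAMPLE))
```

The `verify` function is the part that matters for the article's point: because the service recomputes the HMAC over the request it actually received, a request smuggled or injected into an existing connection has no valid signature unless the attacker also holds the secret, and the `x-amz-date` header that is always signed gives the service a basis for rejecting stale replays.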

Zero Trust for IoT

AWS IoT applies the essentials of Zero Trust to its IoT services. AWS sends all device-to-device and device-to-AWS IoT traffic over TLS, using advanced device authentication technology. It also provides TLS support for FreeRTOS, an open-source operating system for microcontrollers, extending the core elements of Zero Trust to an entire class of microcontrollers and embedded systems.

Strengthening AWS Security with JIT Access

Although AWS has woven Zero Trust principles into its platform, fully implementing this framework requires additional tools. One technique for hardening the security of cloud infrastructure is JIT access. Using a privileged access management (PAM) platform, businesses can implement JIT access not just in AWS, but across their entire cloud architecture. 

What is JIT?

Standing privileges pose a significant security risk. Users with always-on access provide hackers and malicious insiders with more opportunities to put compromised credentials to use. These credentials are available for use 24 hours a day, even when users don’t require access. JIT solves this problem, reducing the vulnerabilities that standing privileges present. It places strict limits on when resources can be accessed, how long access will be granted, and what actions can be taken on them. 
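The following block makes concrete both the "identity and network controls in tandem" practice from earlier in the article and the JIT limits just described (when, for how long, and which actions). It is an added example, not code from the article or from any PAM product. It builds an IAM-style policy document whose Allow carries its own expiry (`aws:CurrentTime`), source-network restriction (`aws:SourceVpce`) and MFA requirement, and pairs it with a small evaluator that applies a subset of IAM's documented condition semantics (explicit Deny wins, otherwise an Allow must match; a negated operator such as `StringNotEquals` passes when its key is absent). The evaluator illustrates how these conditions behave and is not a reimplementation of IAM. ARNs, the VPC endpoint ID and the timestamps are constructed placeholders.

```python
"""Time-boxed, network-scoped permissions for just-in-time (JIT) access.

Added example, not code from the article or any PAM product. The evaluator
models a subset of IAM's documented condition semantics for illustration.
ARNs, endpoint IDs and times below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"  # fixed-width UTC, so strings compare like dates


def build_jit_policy(actions, resource, granted_at, minutes, vpce_id):
    """Allow `actions` on `resource` only until granted_at + minutes, only via
    the named VPC endpoint and only with MFA; deny everything from elsewhere.
    The expiry lives in the document itself, so nobody has to remember to
    revoke the grant."""
    expires = (granted_at + timedelta(minutes=minutes)).strftime(TIME_FMT)
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "JitGrant",
                "Effect": "Allow",
                "Action": actions,
                "Resource": resource,
                "Condition": {
                    "DateLessThan": {"aws:CurrentTime": expires},
                    "StringEquals": {"aws:SourceVpce": vpce_id},
                    "Bool": {"aws:MultiFactorAuthPresent": "true"},
                },
            },
            {   # Network control layered on the identity control.
                "Sid": "DenyOutsideApprovedNetwork",
                "Effect": "Deny",
                "Action": "*",
                "Resource": "*",
                "Condition": {"StringNotEquals": {"aws:SourceVpce": vpce_id}},
            },
        ],
    }


def _matches(pattern, value):
    patterns = [pattern] if isinstance(pattern, str) else pattern
    return any(fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, ctx):
    """Every operator/key pair must hold. Negated operators pass on a missing
    key, which is why the Deny above also catches requests with no endpoint."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if operator == "DateLessThan":
                ok = actual is not None and actual < expected
            elif operator == "StringEquals":
                ok = actual == expected
            elif operator == "StringNotEquals":
                ok = actual is None or actual != expected
            elif operator == "Bool":
                ok = actual is not None and actual.lower() == expected.lower()
            else:
                raise ValueError(f"unsupported operator: {operator}")
            if not ok:
                return False
    return True


def is_allowed(policy, action, resource, ctx):
    """Default deny; a matching explicit Deny ends evaluation immediately."""
    allowed = False
    for stmt in policy["Statement"]:
        if not (_matches(stmt["Action"], action) and _matches(stmt["Resource"], resource)):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def request_context(now, vpce_id=None, mfa=False):
    """The request-time values the evaluator sees for the condition keys."""
    ctx = {"aws:CurrentTime": now.strftime(TIME_FMT),
           "aws:MultiFactorAuthPresent": "true" if mfa else "false"}
    if vpce_id:
        ctx["aws:SourceVpce"] = vpce_id
    return ctx


GRANTED_AT = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)  # constructed
VPCE = "vpce-0123456789abcdef0"                                # constructed
RESOURCE = "arn:aws:s3:::example-prod-data/*"                  # constructed
POLICY = build_jit_policy(["s3:GetObject"], RESOURCE, GRANTED_AT, 30, VPCE)


def demo():
    """Decisions for one 30-minute grant under different request conditions."""
    obj = "arn:aws:s3:::example-prod-data/report.csv"
    inside = GRANTED_AT + timedelta(minutes=10)
    after = GRANTED_AT + timedelta(minutes=31)
    return {
        "in_window_vpce_mfa": is_allowed(POLICY, "s3:GetObject", obj, request_context(inside, VPCE, True)),
        "in_window_no_mfa": is_allowed(POLICY, "s3:GetObject", obj, request_context(inside, VPCE, False)),
        "after_expiry": is_allowed(POLICY, "s3:GetObject", obj, request_context(after, VPCE, True)),
        "from_outside_network": is_allowed(POLICY, "s3:GetObject", obj, request_context(inside, None, True)),
        "unrequested_action": is_allowed(POLICY, "s3:DeleteObject", obj, request_context(inside, VPCE, True)),
    }
```

Only the first case in `demo` is allowed; the grant stops working one minute after the window closes, from any path other than the approved endpoint, without MFA, or for an action that was never requested. In a real deployment a PAM broker would hand a document like this to the STS `AssumeRole` API as the session policy, with `DurationSeconds` set to the same grant length, so the temporary credentials expire alongside the statement and nothing standing is left behind.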

Benefits of JIT for AWS

JIT access is a foundational security practice. Here are four reasons why it’s so important for achieving Zero Trust in AWS.

Consistent enforcement of Least Privilege Access (LPA)

JIT access enforces the principle of least privilege, restricting user access to just the resources required to complete a task. Using a PAM platform, admins have fine-grained control over the level of user privilege during the active session. Rather than providing elevated privileges across the entire user session, privileges can be extended only when needed to complete specific tasks. 

Strengthens security with minimal impact on users

JIT access allows users to work more efficiently, automatically granting users access to resources according to pre-determined policies for the minimum amount of time required to complete the tasks. When work is complete, permissions automatically expire and credentials are rotated. Synthetic users such as scripts and APIs gain access to required resources in a similar way.

Supports a Zero Trust posture

One component of Zero Trust is that users are continuously validated as they request and access resources. JIT access supports this, requiring users to reauthenticate if additional time is required to complete a task. 

Allows users to stay productive without creating unnecessary risk

Strong security and efficiency don’t need to be mutually exclusive. Using a PAM solution designed for multi-cloud environments, organizations can seamlessly implement JIT and other modern resource security measures without impacting productivity. When resource access is needed, users can be authenticated quickly, gaining the authorization to securely access the resources required for their work.

Moving Towards Zero Trust on AWS With JIT Access

Achieving Zero Trust in AWS significantly reduces an organization’s exposure to data breaches and other cloud security incidents. Although AWS has elements of the Zero Trust security framework built into its system, a PAM platform is a more comprehensive solution for enforcing JIT access and other security controls that support Zero Trust principles. 


Read our Guide to Extending Zero Trust to Your Cloud Identity Lifecycle to learn how to protect your customers, employees, IT resources, and data through a comprehensive Zero Trust stance.
