Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
AI Safety Initiative
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Trusted Cloud Consultant
Other Opportunities
Event Sponsorships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Home
STAR Registry
Submit to Registry
Provide Feedback
Certified STAR Auditors
STAR Enabled Solutions
Stay compliant in the cloud
CCAK Training
STAR Lead Auditor Training
Training for Government Agencies
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
EU Cloud Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
Certificates & Training
Online Platform
Knowledge Center
CSA Exams
Events
Learn and network while you earn CPE credits.
Virtual Events & Webinars
Event Sponsorships
Certificates
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Certificate of Competence in Zero Trust (CCZT)
Digital Badges
Trainings
Zero Trust Training (ZTT)
Cloud Infrastructure Security Training
STAR Lead Auditor Training
Advanced Cloud Security Practitioner (ACSP) Training
CCSK Train the Trainer
Training Network
Become an Instructor
Become a Training Partner
Specialized Training Options
Train my entire team
Training for Government Agencies
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Strategic Initiatives
AI Safety Initiative
Zero Trust Advancement Center
CxO Trust
Trusted Cloud Consultant
FinCloud Security
Thought Leadership
CloudBytes Webinars
Blog
Getting Started with CSA Research
Cloud security best practices
Assess your cloud compliance
Security questionnaire for vendors
Top threats to cloud computing
Cloud Security Glossary
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Critical Topics
AI Safety Initiative
AI Technology and Risk
AI Governance & Compliance
AI Controls
AI Organizational Responsibilities
Enterprise Architecture
Blockchain
Zero Trust
DevSecOps
Top Threats
Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

Avoid IAM Drifts Using Explicit-Deny

Home
Industry Insights
Avoid IAM Drifts Using Explicit-Deny

Blog Article Published: 03/15/2024

Written by Israel Chorzevsk.


Background

Over the last decade, cloud providers advanced their authorization mechanism, and added more and more ways to grant access to resources. Having multiple ways to grant access may lead to authorization drifts. This post describes several authorization features that may lead to such drift and proposes to use explicit-deny over implicit-deny whenever possible.

Note that cloud service providers implement their IAM model differently and use different terms for similar concepts. This post articulates it in general terms.


Granting access to a group of resources

Policies may grant access to a specific resource, or a resource group/folder and most cloud service providers support nested groups. The result of this feature is that to know if a user has access to a specific resource, all levels of groups must be checked.

The following diagram shows how access can be granted to different levels. Access of user U1 to resource R2 can be granted by a policy that grants access directly to R2 and/or to resource group 2 and/or to resource group 1:


Granting access to a group of users

Roles may be assigned to a specific user or a user group. The result of this feature is that to know if a user has access to a specific resource, all groups that the user is a member of have to be checked.

The following diagram shows how access can be granted by different levels. Access of user U1 to resource R2 can be granted by a policy that grants access directly from U1 and/or from user group 2 and/or from user group 1:


Granting access by resource-based policy

Access may be granted by binding a policy to a resource without the need to bind it to the role. The result of this feature is that to know if a user has access to a specific resource, all policies that are bound to the resource must be checked in addition to the policies that are bound to the role.

The following diagram shows how different levels of resource-based policies can grant access to a user. Access of user U1 to resource R2 can be granted by resource-based policies 1, 2, and 4. All policies of all levers of resources have to be reviewed to conclude whether a user has access and which type of access:


Impersonation

Users may act on-behalf other roles. The result of this feature is that to know if a user has access to a resource, all roles that the user can act on-behalf them have to be reviewed as well.

The following diagram shows how access can be impersonated. User U1 can impersonate user U2 and access to resource R2 or impersonate user U4 and access to resource R1:


Combined example

The following diagram shows how all users in user group 2 can impersonate user U7 and access to resource R2 due to user group’s policy and impersonation capability. In addition, user U1 can impersonate user U5 and access all resources in resource group 1 due to the impersonation capability and resource-based policy of a group of resources.


Proposed mitigation: The explicit-deny model

When diving into the root cause of confusion and complexity, the implicit deny access model is the root cause. If one of the policies will instead use explicit-deny, there will not be any need to inspect all other policies.

For example, consider that user group 2 has an allow for resource group 1 but deny to resource group 2. Policies of user group 1 (which includes user group 2) or resource-based policies in all levels will not be able to bypass the explicit allow.

Explicit allow can be also done for fine-grained privileges. For example, to allow write-access for PDF files and explicitly deny write-access for everything that is not PDF file. This can be done identity-based and/or resource-based. Once set, no allow can override it.

Note that cloud service providers support several ways of impersonation. Some of them, may bypass even an explicit deny. Hence, an explicit deny will have to be defined also for impersonation, tightening who can impersonate who and how.


Conclusion

The rich IAM mechanism of cloud service providers may lead to granting unintentional and indirect access to resources. This post demonstrate several ways that make the IAM complex, and proposes to use explicit-deny model wherever possible, in order to ensure that other policies will not be able to grant unwanted access.


About the Author

Over the past 15 years, Israel Chorzevski has gained expertise with multiple technologies, including cloud-native, web, mobile, client-server applications, and IoT/embedded devices. Israel has worked with a variety of industries, including tech giants, financial institutions, gaming companies, and intelligence agencies. The blog represents his own opinion and not his employer’s.

Enhancing cloud security strategyIdentity and Access Management

Share this content on your favorite social network today!

Core Cloud
Related Resources
Top Threats to Cloud Computing
The eleven salient threats, risks, and vulnerabilities in the cloud.
Certificate of Cloud Security Knowledge (CCSK)
The industry's standard cloud security credential.
Corporate Membership
Gain knowledge and connections in the cloud industry.
Latest from CSA
Download the New Security Guidance v5!
CCSK v5: The Benchmark for Cybersecurity Expertise
AI Model Risk Management Framework
Trending This Week
#1 Discover CCSK v5: The New Standard in Cloud Security Expertise
#2 CSA STAR Certifications: What are they?
#3 AI Safety vs AI Security: Navigating the Commonality and Differences
#4 CCSK vs CCSP: An Unbiased Comparison
#5 Six Pillars of DevSecOps Series
Enhance your cloud security skills with CSA's online training options.
Related Articles:
Top 4 Use Cases of Non-Human Identity Security: Live Event Recap

Published: 07/26/2024

The Cybersecurity Tower of Babel Requires Focus on Business Fundamentals: Part 2

Published: 07/25/2024

Incident Response in Cloud Security

Published: 07/25/2024

Asking the Right Questions About ASPM

Published: 07/24/2024