Amazon Web Services (AWS) recently announced the addition of roles to its Identity and Access Management (IAM) Policy Simulator. It’s one more way that admins can protect their companies from costly data breaches.
How IAM Policy Simulator Works
IAM Policy Simulator is a sandbox for testing IAM policies before putting them into production. Nothing in a simulation is applied to the account; it only reports what the policy evaluation would return. Instead of implementing policies and getting a flurry of Help Desk complaints, companies can test the effect that policies will have on different users, groups, and roles.
- Users. Admins run simulations showing how policies affect an individual user, which exposes the interplay between the user's own policies and those inherited from group membership.
- Groups. Admins cluster people who need similar access to applications, documents, databases, and other resources into groups and attach policies to the group. For example, the accounting department has different access privileges from the marketing department.
- Roles. A role is an IAM identity with its own policies that a user, application, or AWS service assumes temporarily, rather than a label on a person; its policies apply only while the role is assumed. For example, lead accountants could assume an auditor role that lets them review records of who has accessed company financial statements.
Within the simulator, admins select a user, group, or role. Then they choose an AWS service, such as S3 or DynamoDB, and one or more of its actions, such as s3:GetObject or s3:PutObject, optionally narrowing the test to a specific resource ARN such as a single bucket. Running the simulation then reports, for each action, whether the selected user, group, or role would be allowed or denied.
Granular policies like these, together with AWS's other security services, protect critical data in two important ways. First, they limit what an insider can reach, so a single account is not a path to every record. Second, they limit what an attacker who steals an employee's login credentials can do with them: the credentials carry only the permissions that employee was granted.
Testing Role-Based Policies
The new updates to IAM Policy Simulator let admins test role-based privilege sets. Admins can now troubleshoot the permissions attached to each role, checking that the people who assume it reach the resources they need without gaining entry to resources they don't. Defining permissions on roles also makes onboarding and transfers much easier. Instead of writing individual policy statements for each user, admins define the permissions once on the role, let the user assume it (the role's trust policy must permit that user to assume it), and customize only the exceptions.
With IAM Policy Simulator, an admin chooses a user, a resource, and an action to see whether the user can get to a certain piece of information. After running the simulation, admins see each tested action marked allowed or denied and can expand a result to the specific policy statements that produced it. If an individual user needs access beyond what a role grants, admins add an Allow statement for that user; this only works when the simulator reports an implicit deny, meaning no statement matched the request. An explicit Deny statement always wins over an Allow and cannot be overridden, so in that case the denying statement itself has to be narrowed.
IAM Policy Simulator shows admins the effect of individual policies as well as the combined result of every policy attached to the principal. Admins can test existing policies when users report problems, and they can test new policies before rolling them out to the organization.
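As an added worked example (not part of the original article and not AWS's own code), the following Python models the evaluation the simulator performs for the procedure described under How IAM Policy Simulator Works and for the allow/deny outcomes discussed in this section: it collects the policies attached to a user and its groups, or to a role, finds the statements matching an action and resource ARN, and applies IAM's order of evaluation. The policy names, identities, and ARNs are constructed for illustration, and the model ignores Conditions, resource-based policies, permissions boundaries, and service control policies, which a real evaluation also takes into account.

```python
"""Local model of what the IAM Policy Simulator computes for one request.

Added example, not AWS code. For a principal (a user plus its groups, or a
role), an action and a resource ARN, it collects every attached statement
that matches and reduces them in IAM's order of evaluation: an explicit Deny
beats any Allow, and with no matching Allow the result is an implicit deny.
Decision strings mirror the simulator's EvalDecision values. Conditions,
resource-based policies, permissions boundaries and SCPs are not modelled.
All identities, policy names and ARNs below are constructed.
"""
import re
from dataclasses import dataclass


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value, ignore_case):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    # Action names match case-insensitively; ARNs are case-sensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _element_matches(stmt, key, value, ignore_case):
    # Positive form (Action/Resource) or negated form (NotAction/NotResource);
    # a statement carrying neither never applies.
    positives, negatives = _as_list(stmt.get(key)), _as_list(stmt.get("Not" + key))
    if positives:
        return any(_glob(p, value, ignore_case) for p in positives)
    if negatives:
        return not any(_glob(n, value, ignore_case) for n in negatives)
    return False


@dataclass(frozen=True)
class Match:
    policy: str   # attached policy the statement came from
    sid: str      # statement id, or a positional label if Sid is absent
    effect: str   # "Allow" or "Deny"


def simulate(policies, action, resource):
    """Return (decision, matching statements) for one action/resource pair;
    decision is "allowed", "explicitDeny" or "implicitDeny"."""
    matches = []
    for name, doc in policies.items():
        for index, stmt in enumerate(_as_list(doc["Statement"])):
            if (_element_matches(stmt, "Action", action, True)
                    and _element_matches(stmt, "Resource", resource, False)):
                matches.append(Match(name, stmt.get("Sid", f"Statement[{index}]"), stmt["Effect"]))
    if any(m.effect == "Deny" for m in matches):
        return "explicitDeny", matches
    if any(m.effect == "Allow" for m in matches):
        return "allowed", matches
    return "implicitDeny", matches


# Constructed sample policies (IAM's document shape, made-up content).
POLICIES = {
    "AccountingReadOnly": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadReports", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::finance-reports", "arn:aws:s3:::finance-reports/*"]}]},
    "DenyReportDeletion": {"Version": "2012-10-17", "Statement": [
        {"Sid": "NoDelete", "Effect": "Deny", "Action": "s3:DeleteObject",
         "Resource": "arn:aws:s3:::finance-reports/*"}]},
    "AuditAccessLogs": {"Version": "2012-10-17", "Statement": [
        {"Sid": "ReadAccessLogs", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::finance-access-logs/*"}]},
}

# Constructed identities. A user's effective policies are its own plus its
# groups'; a role carries its own. The role's trust policy (who may assume it)
# is a separate document and plays no part in this permission check.
IDENTITIES = {
    "user:alice": {"policies": ["DenyReportDeletion"], "groups": ["Accounting"]},
    "group:Accounting": {"policies": ["AccountingReadOnly"]},
    "role:LeadAccountantAuditor": {"policies": ["AccountingReadOnly", "AuditAccessLogs"]},
}


def simulate_principal(principal, action, resource, extra_policies=None):
    """Pick a principal, an action and a resource, as in the console.
    extra_policies lets a candidate policy be tried before it is attached."""
    identity = IDENTITIES[principal]
    names = list(identity["policies"])
    for group in identity.get("groups", []):
        names.extend(IDENTITIES["group:" + group]["policies"])
    docs = {name: POLICIES[name] for name in names}
    docs.update(extra_policies or {})
    return simulate(docs, action, resource)
```

Calling simulate_principal("user:alice", "s3:DeleteObject", "arn:aws:s3:::finance-reports/q1.pdf") returns "explicitDeny" together with the NoDelete statement, and passing an extra Allow policy for s3:DeleteObject through extra_policies leaves that result unchanged; the same kind of extra policy on an action that returned "implicitDeny" flips it to "allowed". Against a real account the same inputs go to the simulate-principal-policy API (aws iam simulate-principal-policy with --policy-source-arn, --action-names and --resource-arns), whose EvaluationResults carry the same EvalDecision values along with the matched statements.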
Limitations of Policy
Granular access policies on their own aren’t enough to keep data safe. Without additional AWS security tools, including monitoring, firewalls, whitelisting, sandboxing, and deep discovery, companies can still find themselves facing costly data breaches.
Also, if admins don’t stay on top of policy changes, they place the company at risk. Failure to combine tested policies with AWS security measures could mean big losses for any business:
- Intellectual property theft. A disgruntled employee is taken off a project, but admins fail to update the user's role or group membership. The employee, who still has access to sensitive IP, steals the documents and leaks them online as an act of revenge.
- Spearphishing. A member of the executive team clicks on a phishing email and gives away his username and password, so an attacker can log in and access sensitive information. If the company has no network monitoring, the data is transferred out before anyone notices.
- Malware. An employee carries malware from a home computer onto the company network on a USB stick. Even if the employee has only low-level access, the malware can give remote attackers a foothold on the network, from which they escalate privileges until they reach a database of credit card numbers.
IAM Policy Simulator’s new role-based testing makes it much easier to troubleshoot policies and prevent hassles before they happen. When combined with AWS security services, granular policies offer strong protection against data breaches.