Well-Architected Framework
Grant least privilege
Writing policies is part of a complete identity and access management strategy. Policies should follow the principle of least privilege.
Once you have identified and collected security requirements to aid in defining access requirements, you can use that information to write identity and access management (IAM) policies.
What is least privilege
Least privilege means that users, applications, and systems have the minimum permissions necessary to perform their required tasks. Following the principle of least privilege reduces the risk of unauthorized access or actions that can compromise the security of your systems and secure data.
Policies that follow least privilege also help enforce separation of duties and zero trust models, key security principles. Separation of duties ensures that no single individual has control over all aspects of a critical process, reducing the risk of fraud or error. Zero trust assumes that threats can come from both inside and outside the network, so it requires strict identity verification for every person and device trying to access resources.
Without policies that follow least privilege, you cannot enforce strong security practices like separation of duties or zero trust that help protect your organization.
Why should you use least privilege
While most regulations do not have explicit requirements for least privilege, they do require controls that show you have a strong identity and access management program.
Consider conventional virtual private network (VPN) solutions, where a user connects to the VPN and gains access to the entire network. If a user’s credentials are compromised, an attacker can access all data on the network. A VPN is generally unable to follow the principle of least privilege because it provides broad access to the network.
In contrast, a zero trust model with least privilege ensures that users have access only to the specific resources they need. If a user’s credentials are compromised under least privilege policies, the attacker can access just the limited set of resources defined in the policy, reducing the potential damage.
You have now identified and collected the access requirements, and used that information to write documentation that follows least privilege. Some examples of documentation to write include:
- Software engineers do not have access to production.
- Site reliability engineers have access to production, but not permanently.
- Access to production requires approval and multi-factor authentication (MFA).
- Logging and monitoring are enabled for all access to production.
- Centralized authentication and authorization for all services.
HashiCorp tools and services like Vault and Boundary allow you to implement least privilege access controls, while Terraform helps you manage the policies for Vault and Boundary.
In this example, you write a policy that only permits access to the path for a specific KV secrets engine. Because Vault policies deny by default, the authenticated user does not have access to any path not explicitly granted in the policy.
With Vault and Boundary, you can provision dynamic credentials allowing users to remotely access systems without managing long-lived credentials. When the session is complete, Vault revokes the credentials, reducing the risk of compromise.
Boundary also allows you to provide access to the specific systems and services that users need access to, eliminating access to the entire network like conventional VPN solutions do.
Terraform helps you manage the policies for Vault and Boundary, allowing you to define, update, and enforce policies as code. Using automation to manage policies ensures that your policies are consistent, auditable, and can be version controlled.
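As an added example, not part of the original page, the KV policy described above managed as code with Terraform, with the over-broad version shown alongside the least-privilege one; the mount path `secret`, the application name `payments`, and the policy names are assumptions.

```hcl
terraform {
  required_providers {
    vault = {
      source = "hashicorp/vault"
    }
  }
}

# Constructed example: a KV version 2 secrets engine mounted at "secret/".
resource "vault_mount" "kv" {
  path    = "secret"
  type    = "kv"
  options = { version = "2" }
}

# Over-broad policy (what to avoid): every capability on every secret under
# the mount. A token holding this policy can read, change, or delete any
# secret on the engine, so a compromised credential exposes all of them.
resource "vault_policy" "kv_all_too_broad" {
  name   = "kv-all-too-broad"
  policy = <<-EOT
    path "secret/*" {
      capabilities = ["create", "read", "update", "delete", "list"]
    }
  EOT
}

# Least-privilege policy: the hypothetical "payments" application can read
# its own secrets and list their keys, nothing more. KV v2 serves secret
# contents under "data/" and key listings under "metadata/", so both paths
# are named explicitly. Every path not listed here is denied by default.
resource "vault_policy" "payments_read_only" {
  name   = "payments-read-only"
  policy = <<-EOT
    path "${vault_mount.kv.path}/data/payments/*" {
      capabilities = ["read"]
    }
    path "${vault_mount.kv.path}/metadata/payments/*" {
      capabilities = ["list"]
    }
  EOT
}
```

After `terraform apply`, `vault policy read payments-read-only` shows the rendered rules, and a token carrying only that policy is refused on any other path, such as `secret/data/billing/*`.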
HashiCorp resources:
- Access controls with Vault policies
- Policy as code with Sentinel
- Create IAM policies with Terraform
- Use templates with Waypoint
External resources:
- NIST cybersecurity framework
- Define, update, share, and enforce policies using code
- Understanding separation of duties
Next steps
Following these documents in order ensures a logical progression through the key concepts and best practices, helping you build a strong foundation for your identity and access management program.
- Define access requirements
- Grant least privilege (this document)
- Create permissions and guardrails
- Centralize identity management
- Implement strong sign-in workflows
- Use dynamic credentials
- Manage access lifecycle
In this section of Identity and access management, you learned the importance of using least privilege in your policies governing access requirements. Identity and access management is part of the Secure systems pillar.