Hackers of India

Identifying and Reducing Permission Explosion in AWS: A Graph-Based and Analytical Approach

By Pankaj Moolrajani on 09 Aug 2023 @ Blackhat

Abstract

The rapid growth of cloud infrastructure and services in AWS has led to a proliferation of permissions and potential security risks. This talk proposes a graph-based and analytical approach to identify and reduce permission explosion in AWS.

The proposed method involves collecting data on AWS IAM roles and their associated permissions, constructing a graph representation of the access relationships, and analyzing the graph to locate clusters of roles with excessive permissions. Using the Louvain community detection algorithm, we can identify groups of roles that are highly interconnected and have similar access patterns.
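The pipeline described above, as an added worked example that is not the speaker's code: a constructed set of roles with already-expanded IAM actions is turned into a weighted role-to-role graph (edge weight = Jaccard overlap of the two roles' action sets), the local-moving phase of the Louvain algorithm is run on it in plain Python (production use would call a library implementation such as networkx's, which also performs the aggregation phases), and each resulting cluster is then inspected for actions that only a minority of its members hold, plus edges that cut across clusters. Role names, actions and the 0.5 "rare action" threshold are all assumptions.

```python
"""Role/permission graph + Louvain local-moving phase to cluster IAM roles,
then flag actions that are rare inside each cluster (trimming candidates).
Added example; the role data below is constructed, not a real account."""
from itertools import combinations

# Constructed sample: role name -> set of allowed IAM actions. Wildcards
# such as "s3:*" would have to be expanded before building the graph.
ROLE_ACTIONS = {
    "web-app-role": {"s3:GetObject", "s3:PutObject", "logs:PutLogEvents"},
    "api-gateway-role": {"s3:GetObject", "logs:PutLogEvents", "sqs:SendMessage"},
    "worker-role": {"s3:GetObject", "s3:PutObject", "sqs:ReceiveMessage",
                    "logs:PutLogEvents", "iam:PassRole"},
    "ci-deploy-role": {"ec2:RunInstances", "ec2:TerminateInstances",
                       "iam:PassRole", "cloudformation:CreateStack"},
    "ci-test-role": {"ec2:RunInstances", "ec2:DescribeInstances",
                     "cloudformation:CreateStack"},
    "ci-cleanup-role": {"ec2:TerminateInstances", "ec2:DescribeInstances",
                        "cloudformation:CreateStack", "cloudformation:DeleteStack"},
}


def role_graph(role_actions):
    """Weighted undirected role-role graph; weight = Jaccard overlap of actions."""
    adj = {r: {} for r in role_actions}
    for a, b in combinations(sorted(role_actions), 2):
        shared = role_actions[a] & role_actions[b]
        if shared:
            w = len(shared) / len(role_actions[a] | role_actions[b])
            adj[a][b] = adj[b][a] = w
    return adj


def louvain_local_move(adj):
    """Louvain phase 1: every node repeatedly joins the neighbouring community
    with the largest modularity gain until no move improves Q.
    Returns a mapping node -> community label (label = some member's name)."""
    m2 = sum(sum(nb.values()) for nb in adj.values())    # equals 2m
    k = {n: sum(nb.values()) for n, nb in adj.items()}   # weighted degree
    comm = {n: n for n in adj}                           # singleton start
    tot = dict(k)                                        # degree sum per community
    moved = True
    while moved:
        moved = False
        for i in sorted(adj):            # fixed order keeps the result deterministic
            ci = comm[i]
            k_in = {}                    # weight from i into each neighbouring community
            for j, w in adj[i].items():
                k_in[comm[j]] = k_in.get(comm[j], 0.0) + w
            tot[ci] -= k[i]              # take i out of its current community
            k_in.setdefault(ci, 0.0)
            # modularity gain (scaled by m) of placing i into community c
            gain = {c: kin - tot[c] * k[i] / m2 for c, kin in k_in.items()}
            best = ci                    # ties keep the node where it is
            for c in sorted(gain):
                if gain[c] > gain[best] + 1e-12:
                    best = c
            tot[best] += k[i]
            comm[i] = best
            moved |= best != ci
    return comm


def communities(comm):
    """Group roles by community label; sorted list of sorted member lists."""
    groups = {}
    for n, c in comm.items():
        groups.setdefault(c, []).append(n)
    return sorted(sorted(g) for g in groups.values())


def rare_actions(role_actions, members, max_share=0.5):
    """Actions held by fewer than max_share of a cluster's members: the roles
    that stand out from their peers are the first candidates for review."""
    counts = {}
    for r in members:
        for a in role_actions[r]:
            counts[a] = counts.get(a, 0) + 1
    return sorted(a for a, c in counts.items() if c / len(members) < max_share)


def cross_cluster_edges(role_actions, adj, comm):
    """Edges whose endpoints sit in different clusters, with the shared actions
    that create them: permissions bridging otherwise unrelated groups."""
    out = []
    for a in sorted(adj):
        for b in sorted(adj[a]):
            if a < b and comm[a] != comm[b]:
                out.append((a, b, sorted(role_actions[a] & role_actions[b])))
    return out


if __name__ == "__main__":
    adj = role_graph(ROLE_ACTIONS)
    comm = louvain_local_move(adj)
    for members in communities(comm):
        print("cluster:", members)
        print("  rare actions:", rare_actions(ROLE_ACTIONS, members))
    print("cross-cluster edges:", cross_cluster_edges(ROLE_ACTIONS, adj, comm))
```

On the constructed data the roles split into an application cluster (`web-app-role`, `api-gateway-role`, `worker-role`) and a CI cluster; `iam:PassRole` is rare in both and is also the only action creating an edge between them, which is exactly the kind of finding the graph view surfaces faster than reading policies one by one. Rare actions are review candidates, not automatic removals: a role-specific action such as `sqs:ReceiveMessage` is legitimately rare within its cluster.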

We applied our approach to a real-world AWS environment and identified several clusters of roles with excessive permissions. The proposed method provides a visual representation of the access relationships between roles, making it easier to understand and manage permissions in complex and large cloud environments.

Potential future work could involve integrating the proposed approach with existing IAM management tools, as well as investigating the impact of permission trimming on the functionality of AWS applications. Additionally, AWS CloudTrail logs could be used to identify unused permissions and reduce access further.
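The CloudTrail idea in the last paragraph, as an added example that is not part of the talk: a few constructed CloudTrail-style records are reduced to (role, `service:EventName`) pairs, which are then compared with a constructed set of granted actions to list, per role, what was granted but never observed, and which roles were never assumed at all. The role names, the granted sets, the records and the account id `123456789012` are all constructed.

```python
"""Granted-but-unused IAM actions from CloudTrail records.
Added example; the records and granted sets below are constructed."""
import json

# Constructed granted actions (already expanded from the role policies).
GRANTED = {
    "worker-role": {"s3:GetObject", "s3:PutObject", "sqs:ReceiveMessage",
                    "logs:PutLogEvents", "iam:PassRole"},
    "web-app-role": {"s3:GetObject", "s3:PutObject", "logs:PutLogEvents"},
    "ci-cleanup-role": {"ec2:TerminateInstances", "cloudformation:DeleteStack"},
}


def _record(src, name, identity):
    return json.dumps({"eventSource": src, "eventName": name, "userIdentity": identity})


def _role(name):
    # Shape of userIdentity for an assumed-role session (only the fields used here).
    return {"type": "AssumedRole", "sessionContext": {"sessionIssuer": {
        "arn": f"arn:aws:iam::123456789012:role/{name}"}}}


# Constructed CloudTrail records, one JSON document per line as in a trail file.
SAMPLE_EVENTS = [
    _record("s3.amazonaws.com", "GetObject", _role("worker-role")),
    _record("sqs.amazonaws.com", "ReceiveMessage", _role("worker-role")),
    _record("logs.amazonaws.com", "PutLogEvents", _role("worker-role")),
    _record("s3.amazonaws.com", "GetObject", _role("worker-role")),   # repeat
    _record("s3.amazonaws.com", "PutObject", {"type": "IAMUser", "userName": "alice"}),
    _record("s3.amazonaws.com", "PutObject", _role("web-app-role")),
]


def observed_actions(event_lines):
    """Map assumed-role records to role name -> set of 'service:EventName'.
    Records not issued by an assumed role (e.g. IAM users) are skipped."""
    seen = {}
    for line in event_lines:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        if ident.get("type") != "AssumedRole" or not issuer:
            continue
        role = issuer.rsplit("/", 1)[-1]
        service = ev["eventSource"].split(".", 1)[0]      # "s3.amazonaws.com" -> "s3"
        seen.setdefault(role, set()).add(f"{service}:{ev['eventName']}")
    return seen


def unused_actions(granted, seen):
    """Per role: granted actions with no matching observed event (sorted)."""
    return {role: sorted(acts - seen.get(role, set())) for role, acts in granted.items()}


def never_assumed(granted, seen):
    """Roles with permissions but no assumed-role activity in the window."""
    return sorted(r for r in granted if r not in seen)


if __name__ == "__main__":
    seen = observed_actions(SAMPLE_EVENTS)
    for role, acts in unused_actions(GRANTED, seen).items():
        print(f"{role}: unused {acts}")
    print("never assumed:", never_assumed(GRANTED, seen))
```

Two caveats before acting on the output: the observation window has to cover infrequent jobs (an action unused for a month may still be needed quarterly), and CloudTrail coverage is not uniform, since S3 object-level calls such as `GetObject` are data events that a management-only trail does not record, so an absent event is evidence, not proof, that a permission is unneeded.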