Lateral Movement in AWS

Public Cloud introduced a new concept that not everyone fully grasps. In the on-prem days of old, you had a room & you had connections going into said room. Hopefully those connections had a firewall. Then there were lots of things in that room that authorized users needed to access to accomplish whatever goal your business has, and a bunch of other things in that room that the techies needed to access in order to keep those first things running and secure.

Sources of Authority in the three Public Cloud Providers

I’m spending more time thinking about Cloud Security in Google and Azure and trying to grok the differences between those platforms and AWS. One of the critical components for understanding your enterprise security stance is what is the source of authority for creating & managing resources in the cloud. As I was thinking about this, I realized that the three main players have very different models. Each model reflects on that companies pre-cloud origins.

Full MFA Protection in AWS

Security best practices typically call for some form of multi-factor authentication when accessing sensitive information system, or when accessing systems with elevated privileges (admin level). In most cases, accessing a public cloud provider via WebConsole or API is accessing the system for administrative purposes and requires an extra level of protection than a simple password. AWS Provides the ability to use MFA on it’s systems, but the ability to enforce that across all facets of the AWS API is not a trivial task.