Dynamic Permission Boundaries: A New Approach to Cloud Security
Nov 12, 2024
Kushagra Sharma, a Staff Cloud Security Engineer with extensive experience scaling IAM across AWS environments, shares his insights on dynamic permission boundaries. He discusses where traditional IAM models fail at scale and makes the case for managing security controls with tools such as Terraform. Kushagra also covers the challenges of multi-cloud setups and the evolving division of responsibility between developers and security teams, while keeping a balance between security and developer autonomy.
AI Snips
Managing IAM at Thousands of Accounts
- Booking.com operated a massive scale of over 3,500 AWS accounts.
- At thousands of accounts, traditional approval processes for IAM changes break down under the operational overhead.
Use Permission Boundaries for Limits
- Use AWS permission boundaries to limit maximum permissions an IAM entity can have.
- A boundary caps an entity's effective permissions even if an overly permissive policy is attached to it, adding a key security control.
Combine SCPs and Dynamic Boundaries
- Create dynamic permission boundaries tailored to account context, such as compliance requirements and approved exceptions.
- Combine static SCPs for non-negotiable controls with dynamic boundaries for the controls that change frequently.