Detecting Anomalous Misconfigurations in AWS Identity and Access Management Policies

Thijs van Ede, Niek Khasuntsev, Bas Steen, Andrea Continella

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

70 Downloads (Pure)

Abstract

In recent years, misconfigurations of cloud services have led to major security incidents and large-scale data breaches. Due to the dynamic and complex nature of cloud environments, misconfigured (e.g., overly permissive) access policies can be easily introduced and often go undetected for a long period of time. Therefore, it is critical to identify any potential misconfigurations before they can be abused. In this paper, we present a novel misconfiguration detection approach for identity and access management policies in AWS. We base our approach on the observation that policies can be modeled as permissions between entities and objects in the form of a graph. Our key idea is that misconfigurations can be effectively detected as anomalies in such a graph representation. We evaluate our approach on real-world identity and access management policy data from three enterprise cloud environments. We investigate the effectiveness of our approach to detect misconfigurations, showing that it has a slightly lower precision compared to rule-based systems, but it is able to correctly detect between 3.7 and 6.4 times as many misconfigurations.
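The abstract's key idea, modelling IAM policies as a graph of permission edges from principals to (action, resource) pairs and treating misconfigurations as anomalies in that graph, can be illustrated with a small script. The following is an added example and is not code from the paper or its authors; the anomaly criterion it uses (an edge held by a principal but by none of its permission-similar peers, with Jaccard similarity as the peer measure) is an assumption chosen for illustration, not the paper's model. The policy documents, principal names and resource ARNs are constructed. It also shows a simple rule-based wildcard check beside the graph approach, so the reader can see why the two detect different things.

```python
import json
from itertools import product

# Constructed sample IAM policy documents keyed by a hypothetical principal
# name. Illustrative only: not data from the paper or any real account.
_APP_BASE = (
    '{"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/*"},'
    '{"Effect": "Allow", "Action": ["logs:PutLogEvents"], "Resource": ["arn:aws:logs:*:*:*"]}'
)
SAMPLE_POLICIES = {
    "role/app-a": '{"Version": "2012-10-17", "Statement": [' + _APP_BASE + ']}',
    "role/app-b": '{"Version": "2012-10-17", "Statement": [' + _APP_BASE + ']}',
    # app-c has one extra, non-wildcard grant that its peers do not have.
    "role/app-c": '{"Version": "2012-10-17", "Statement": [' + _APP_BASE + ','
                  '{"Effect": "Allow", "Action": "s3:DeleteBucket",'
                  ' "Resource": "arn:aws:s3:::app-bucket"}]}',
    # admin uses a single statement object (IAM allows dict or list here).
    "role/admin": '{"Version": "2012-10-17", "Statement":'
                  ' {"Effect": "Allow", "Action": "*", "Resource": "*"}}',
}


def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def policy_edges(document: str) -> set[tuple[str, str]]:
    """Turn one policy document into (action, resource) permission edges.
    Only Allow statements are modelled; Deny and Condition are ignored,
    which is a simplification of real IAM evaluation."""
    doc = json.loads(document)
    edges = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action, resource in product(_as_list(stmt.get("Action", [])),
                                        _as_list(stmt.get("Resource", []))):
            edges.add((action, resource))
    return edges


def build_graph(policies: dict[str, str]) -> dict[str, set[tuple[str, str]]]:
    """Principal -> set of outgoing (action, resource) edges."""
    return {p: policy_edges(doc) for p, doc in policies.items()}


def wildcard_rule(graph):
    """A typical rule-based check: flag edges granting every action of a
    service ('*' or 'svc:*') or applying to every resource ('*')."""
    return {(p, a, r) for p, edges in graph.items() for a, r in edges
            if a == "*" or a.endswith(":*") or r == "*"}


def jaccard(a: set, b: set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def anomalous_edges(graph, min_similarity: float = 0.5):
    """Assumed anomaly criterion: an edge is anomalous when its principal has
    peers (other principals with a similar permission set) and none of those
    peers holds the same edge. Principals with no peers are not judged."""
    flagged = set()
    for p, edges in graph.items():
        peers = [q for q in graph
                 if q != p and jaccard(edges, graph[q]) >= min_similarity]
        if not peers:
            continue
        for a, r in edges:
            if not any((a, r) in graph[q] for q in peers):
                flagged.add((p, a, r))
    return flagged


if __name__ == "__main__":
    g = build_graph(SAMPLE_POLICIES)
    print("wildcard rule :", sorted(wildcard_rule(g)))
    print("graph anomaly :", sorted(anomalous_edges(g)))
```

On the constructed input the wildcard rule flags only the admin role's `*`/`*` grant, while the graph check flags only app-c's `s3:DeleteBucket` edge, which is syntactically ordinary but absent from every similar role. That is the complementary relationship the abstract describes: a rule catches what it was written for, and the anomaly view catches grants that merely deviate from their peers, at the cost of needing enough peers to compare against.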
Original language: English
Title of host publication: CCSW 2022 - Proceedings of the 2022 Cloud Computing Security Workshop, co-located with CCS 2022
Pages: 63-74
Number of pages: 12
ISBN (Electronic): 9781450398756
DOIs
Publication status: Published - 7 Nov 2022
Event: ACM Cloud Computing Security Workshop, CCSW 2022 - Los Angeles, United States
Duration: 7 Nov 2022 → 7 Nov 2022

Conference

Conference: ACM Cloud Computing Security Workshop, CCSW 2022
Abbreviated title: CCSW 2022
Country/Territory: United States
City: Los Angeles
Period: 7/11/22 → 7/11/22

Keywords

  • Cybersecurity
