Khasuntsev, N., 2021

Automatic Detection of Misconfigurations of AWS Identity and Access Management Policies

Master's thesis

Authors

Khasuntsev, N.

Year

2021

Abstract

Security misconfigurations are one of the biggest threats to cloud environments. In recent years, misconfigurations of cloud services have led to major security incidents and large-scale data breaches. Proper configuration of identity and access management services is essential in maintaining a secure cloud environment. Due to the dynamic and complex nature of cloud environments, misconfigurations can be easily introduced and go undetected for a long period. Therefore, it is critical to detect any potential misconfigurations before they can be abused.

In this paper, we present a novel misconfiguration detection approach for identity and access management policies in AWS. Our approach is based on a graph model representation of identity and access management data. We assume that similar identity and access management policies also have similar graph representations. Therefore, properly configured policies are similar to each other, and misconfigurations are different. Our main insight therefore is that we can use anomaly detection techniques to spot outliers, and therefore detect potential misconfigurations. Our proposed approach first creates a graph model from all the identity and access management policies in a cloud environment. Then, the graph is transformed into a vector representation. Finally, we apply anomaly detection on new observations to determine whether they are potential misconfigurations or not. We evaluate our approach on real-world identity and access management policy data of three cloud environments and demonstrate its effectiveness in detecting misconfigurations (precision of 85%, recall of 73%).

(https://open-measure.atlassian.net/wiki/spaces/BIB/pages/1778319404, p. 2)
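The abstract describes a three-stage pipeline (IAM policies to a graph model, graph to a vector, anomaly detection on new observations). The following is an added, constructed toy version of that pipeline written for this entry; it is not the thesis's code, and the graph features, the z-score distance detector, the thresholds and the sample policies (including the 111122223333 account ID) are all assumptions chosen for illustration. It shows how a baseline of ordinary least-privilege policies yields a centroid, and how a new policy carrying service-wide wildcards and a `*` resource lands far from it, with the features that drove the score reported so a reviewer can see why it was flagged.

```python
"""Toy IAM policy -> graph -> vector -> anomaly score pipeline (constructed example,
not the thesis's implementation)."""
import math
import statistics
from collections import Counter

FEATURE_NAMES = ("statements", "actions", "services", "resources",
                 "wildcard_actions", "wildcard_resources")
STD_FLOOR = 0.25          # assumption: keeps z finite for features constant in the baseline
ANOMALY_THRESHOLD = 3.0   # assumption: flag when z-distance to the centroid exceeds this
EXPLAIN_Z = 2.0           # assumption: features with |z| >= this are reported as reasons

# Constructed baseline: policies presumed properly configured (the abstract's
# "similar policies have similar graphs" assumption). Account ID is a placeholder.
BASELINE = {
    "ReadOnlyS3": {"Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:GetObjectVersion"],
                                  "Resource": "arn:aws:s3:::app-bucket/*"}]},
    "LogsWriter": {"Statement": [{"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                                  "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/app/*"}]},
    "DynamoReader": {"Statement": [{"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                                    "Resource": "arn:aws:dynamodb:eu-west-1:111122223333:table/orders"}]},
    "SqsConsumer": {"Statement": [{"Effect": "Allow",
                                   "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage", "sqs:GetQueueAttributes"],
                                   "Resource": "arn:aws:sqs:eu-west-1:111122223333:orders-queue"}]},
    "AppRole": {"Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-bucket/config.json"},
        {"Effect": "Allow", "Action": "logs:PutLogEvents",
         "Resource": "arn:aws:logs:eu-west-1:111122223333:log-group:/app/*"}]},
}

# Constructed new observations: one ordinary policy and one over-broad policy.
NEW_OBSERVATIONS = {
    "SnsPublisher": {"Statement": [{"Effect": "Allow", "Action": ["sns:Publish", "sns:GetTopicAttributes"],
                                    "Resource": "arn:aws:sns:eu-west-1:111122223333:orders"}]},
    "OverBroadRole": {"Statement": [{"Effect": "Allow", "Action": ["s3:*", "iam:*"], "Resource": "*"}]},
}


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def policy_to_graph(name, policy):
    """Stage 1: one policy document -> set of directed edges (src, dst).
    Node labels are 'kind:value'; an account-wide graph is the union over policies."""
    edges = set()
    for i, stmt in enumerate(policy["Statement"]):
        sid = f"stmt:{name}/{i}"
        edges.add((f"policy:{name}", sid))
        edges.add((sid, f"effect:{stmt['Effect']}"))
        for action in _as_list(stmt["Action"]):
            edges.add((sid, f"action:{action}"))
            edges.add((f"action:{action}", f"service:{action.split(':')[0]}"))
        for res in _as_list(stmt["Resource"]):
            edges.add((sid, f"resource:{res}"))
    return edges


def graph_to_vector(edges):
    """Stage 2: graph -> fixed-length vector of structural features (node counts by kind,
    plus how many action nodes contain '*' and how many resource nodes are exactly '*')."""
    nodes = {n for edge in edges for n in edge}
    kinds = Counter(n.split(":", 1)[0] for n in nodes)
    actions = [n.split(":", 1)[1] for n in nodes if n.startswith("action:")]
    resources = [n.split(":", 1)[1] for n in nodes if n.startswith("resource:")]
    return [kinds["stmt"], kinds["action"], kinds["service"], kinds["resource"],
            sum("*" in a for a in actions), sum(r == "*" for r in resources)]


def fit_baseline(policies):
    """Stage 3a: learn per-feature mean and spread from the presumed-good policies."""
    vectors = [graph_to_vector(policy_to_graph(n, p)) for n, p in policies.items()]
    columns = list(zip(*vectors))
    return {"mean": [statistics.fmean(c) for c in columns],
            "std": [max(statistics.pstdev(c), STD_FLOOR) for c in columns]}


def z_scores(name, policy, model):
    vec = graph_to_vector(policy_to_graph(name, policy))
    return [(v - m) / s for v, m, s in zip(vec, model["mean"], model["std"])]


def anomaly_score(name, policy, model):
    """Stage 3b: Euclidean distance of the z-scored vector from the baseline centroid."""
    return math.sqrt(sum(z * z for z in z_scores(name, policy, model)))


def is_anomalous(name, policy, model):
    return anomaly_score(name, policy, model) > ANOMALY_THRESHOLD


def explain(name, policy, model):
    """Features that pushed the score up, largest deviation first (for the reviewer)."""
    zs = zip(FEATURE_NAMES, z_scores(name, policy, model))
    return sorted(((f, z) for f, z in zs if abs(z) >= EXPLAIN_Z), key=lambda t: -abs(t[1]))


if __name__ == "__main__":
    model = fit_baseline(BASELINE)
    for n, p in NEW_OBSERVATIONS.items():
        print(n, round(anomaly_score(n, p, model), 2), is_anomalous(n, p, model), explain(n, p, model))
```

With this baseline, `SnsPublisher` scores about 1.0 and passes, while `OverBroadRole` scores above 9 and is reported with `wildcard_actions` and `wildcard_resources` as the leading reasons. The structural features are deliberately coarse: a real deployment would need richer graph features (conditions, principals, Deny statements, cross-policy edges) and a larger baseline before a fixed threshold means much.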

Citation

Khasuntsev, N., 2021. Automatic Detection of Misconfigurations of AWS Identity and Access Management Policies. University of Twente, The Netherlands.




This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.