Secure IAM on AWS with Multi-Account Strategy

• URL: http://arxiv.org/abs/2501.02203v1
• Date: Sat, 04 Jan 2025 05:42:27 GMT
• Title: Secure IAM on AWS with Multi-Account Strategy
• Authors: Sungchan Yi,
• Abstract summary: Small organizations often don't have enough human resources to design a secure architecture.<n>We suggest the multi-account strategy for securing the cloud architecture.
• Score: 0.0
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Many recent IT companies use cloud services for deploying their products, mainly because of their convenience. As such, cloud assets have become a new attack surface, and the concept of cloud security has emerged. However, cloud security is not emphasized enough compared to on-premise security, resulting in many insecure cloud architectures. In particular, small organizations often don't have enough human resources to design a secure architecture, leaving them vulnerable to cloud security breaches. We suggest the multi-account strategy for securing the cloud architecture. This strategy cost-effectively improves security by separating assets and reducing management overheads on the cloud infrastructure. When implemented, it automatically provides access restriction within the boundary of an account and eliminates redundancies in policy management. Since access control is a critical objective for constructing secure architectures, this practical method successfully enhances security even in small companies. In this paper, we analyze the benefits of multi-accounts compared to single accounts and explain how to deploy multiple accounts effortlessly using the services provided by AWS. Then, we present possible design choices for multi-account structures with a concrete example. Finally, we illustrate two techniques for operational excellence on multi-account structures. We take an incremental approach to secure policy management with the principle of least privilege and introduce methods for auditing multiple accounts.

Related papers

• Unleashing MLLMs on the Edge: A Unified Framework for Cross-Modal ReID via Adaptive SVD Distillation [48.88299242238335]
  Cross-Modal Re-identification (CM-ReID) faces challenges due to maintaining a fragmented ecosystem of specialized cloud models.<n>We propose MLLMEmbed-ReID, a unified framework based on a powerful cloud-edge architecture.
  arXiv  Detail & Related papers  (2026-02-13T13:48:08Z)
• Bit of a Close Talker: A Practical Guide to Serverless Cloud Co-Location Attacks [9.93372713645485]
  Serverless computing has revolutionized cloud computing by offering users an efficient, cost-effective way to develop and deploy applications without managing infrastructure details.<n>Serverless cloud users remain vulnerable to various types of attacks, including micro-architectural side-channel attacks.<n>This study addresses the gap in understanding and constructing co-location attacks in serverless clouds.
  arXiv  Detail & Related papers  (2025-12-11T07:22:07Z)
• A Systematic Survey of Model Extraction Attacks and Defenses: State-of-the-Art and Perspectives [65.3369988566853]
  Recent studies have demonstrated that adversaries can replicate a target model's functionality.<n>Model Extraction Attacks pose threats to intellectual property, privacy, and system security.<n>We propose a novel taxonomy that classifies MEAs according to attack mechanisms, defense approaches, and computing environments.
  arXiv  Detail & Related papers  (2025-08-20T19:49:59Z)
• Bridging the Mobile Trust Gap: A Zero Trust Framework for Consumer-Facing Applications [51.56484100374058]
  This paper proposes an extended Zero Trust model designed for mobile applications operating in untrusted, user-controlled environments.<n>Using a design science methodology, the study introduced a six-pillar framework that supports runtime enforcement of trust.<n>The proposed model offers a practical and standards-aligned approach to securing mobile applications beyond pre-deployment controls.
  arXiv  Detail & Related papers  (2025-08-20T18:42:36Z)
• Tit-for-Tat: Safeguarding Large Vision-Language Models Against Jailbreak Attacks via Adversarial Defense [90.71884758066042]
  Large vision-language models (LVLMs) introduce a unique vulnerability: susceptibility to malicious attacks via visual inputs. We propose ESIII (Embedding Security Instructions Into Images), a novel methodology for transforming the visual space from a source of vulnerability into an active defense mechanism.
  arXiv  Detail & Related papers  (2025-03-14T17:39:45Z)
• Microsegmented Cloud Network Architecture Using Open-Source Tools for a Zero Trust Foundation [0.0]
  This paper presents a multi-cloud networking architecture built on zero trust principles and micro-segmentation. The proposed design includes the multi-cloud network to support a wide range of applications and workload use cases.
  arXiv  Detail & Related papers  (2024-11-19T01:58:40Z)
• Authentication and identity management based on zero trust security model in micro-cloud environment [0.0]
  The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm. This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
  arXiv  Detail & Related papers  (2024-10-29T09:06:13Z)
• Advocate -- Trustworthy Evidence in Cloud Systems [39.58317527488534]
  The rapid evolution of cloud-native applications, characterized by dynamic, interconnected services, presents significant challenges for maintaining trustworthy and auditable systems. Traditional methods of verification and certification are often inadequate due to the fast-past and dynamic development practices common in cloud computing. This paper introduces Advocate, a novel agent-based system designed to generate verifiable evidence of cloud-native application operations.
  arXiv  Detail & Related papers  (2024-10-17T12:09:26Z)
• CoreGuard: Safeguarding Foundational Capabilities of LLMs Against Model Stealing in Edge Deployment [43.53211005936295]
  CoreGuard is a computation- and communication-efficient model protection approach against model stealing on edge devices. We show that CoreGuard achieves the same security protection as the black-box security guarantees with negligible overhead.
  arXiv  Detail & Related papers  (2024-10-16T08:14:24Z)
• Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments [60.51751612363882]
  We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
  arXiv  Detail & Related papers  (2024-05-03T07:18:45Z)
• CloudLens: Modeling and Detecting Cloud Security Vulnerabilities [15.503757553097387]
  Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration.<n>Access control misconfigurations are often the primary driver for cloud attacks.<n>A planner generates attacks to identify such vulnerabilities in the cloud.
  arXiv  Detail & Related papers  (2024-02-16T03:28:02Z)
• Emergent (In)Security of Multi-Cloud Environments [3.3819025097691537]
  A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures. We conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures.
  arXiv  Detail & Related papers  (2023-11-02T14:02:33Z)
• Exploring Security Practices in Infrastructure as Code: An Empirical Study [54.669404064111795]
  Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools. scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. Ensuring security relies on practitioners understanding and the adoption of explicit policies, guidelines, or best practices.
  arXiv  Detail & Related papers  (2023-08-07T23:43:32Z)
• Learning Cooperative Oversubscription for Cloud by Chance-Constrained Multi-Agent Reinforcement Learning [40.31099670383296]
  Oversubscription is a common practice for improving cloud resource utilization. This paper proposes an effective Chance Constrained Multi-Agent Reinforcement Learning (C2MARL) method to solve this problem.
  arXiv  Detail & Related papers  (2022-11-21T07:00:09Z)
• Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies [12.43505973436359]
  Cloud security relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. We develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP) We show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.
  arXiv  Detail & Related papers  (2022-05-02T22:15:07Z)
• Auto-Split: A General Framework of Collaborative Edge-Cloud AI [49.750972428032355]
  This paper describes the techniques and engineering practice behind Auto-Split, an edge-cloud collaborative prototype of Huawei Cloud. To the best of our knowledge, there is no existing industry product that provides the capability of Deep Neural Network (DNN) splitting.
  arXiv  Detail & Related papers  (2021-08-30T08:03:29Z)
• A Privacy-Preserving Distributed Architecture for Deep-Learning-as-a-Service [68.84245063902908]
  This paper introduces a novel distributed architecture for deep-learning-as-a-service. It is able to preserve the user sensitive data while providing Cloud-based machine and deep learning services.
  arXiv  Detail & Related papers  (2020-03-30T15:12:03Z)
• AdvMS: A Multi-source Multi-cost Defense Against Adversarial Attacks [81.45930614122925]
  Deep neural networks have been proliferated rapidly in many security-critical domains such as malware detection and self-driving cars. Conventional defense methods, although shown to be promising, are largely limited by their single-source single-cost nature. We show that the multi-source nature of AdvMS mitigates the performance plateauing issue and the multi-cost nature enables improving robustness at a flexible and adjustable combination of costs.
  arXiv  Detail & Related papers  (2020-02-19T20:46:54Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.