Secure IAM on AWS with Multi-Account Strategy
- URL: http://arxiv.org/abs/2501.02203v1
- Date: Sat, 04 Jan 2025 05:42:27 GMT
- Title: Secure IAM on AWS with Multi-Account Strategy
- Authors: Sungchan Yi
- Abstract summary: Small organizations often don't have enough human resources to design a secure architecture. We suggest the multi-account strategy for securing the cloud architecture.
- Abstract: Many recent IT companies use cloud services for deploying their products, mainly because of their convenience. As such, cloud assets have become a new attack surface, and the concept of cloud security has emerged. However, cloud security is not emphasized enough compared to on-premise security, resulting in many insecure cloud architectures. In particular, small organizations often don't have enough human resources to design a secure architecture, leaving them vulnerable to cloud security breaches. We suggest the multi-account strategy for securing the cloud architecture. This strategy cost-effectively improves security by separating assets and reducing management overheads on the cloud infrastructure. When implemented, it automatically provides access restriction within the boundary of an account and eliminates redundancies in policy management. Since access control is a critical objective for constructing secure architectures, this practical method successfully enhances security even in small companies. In this paper, we analyze the benefits of multi-accounts compared to single accounts and explain how to deploy multiple accounts effortlessly using the services provided by AWS. Then, we present possible design choices for multi-account structures with a concrete example. Finally, we illustrate two techniques for operational excellence on multi-account structures. We take an incremental approach to secure policy management with the principle of least privilege and introduce methods for auditing multiple accounts.
Related papers
- Microsegmented Cloud Network Architecture Using Open-Source Tools for a Zero Trust Foundation (arXiv, 2024-11-19): This paper presents a multi-cloud networking architecture built on zero trust principles and micro-segmentation. The proposed design includes the multi-cloud network to support a wide range of applications and workload use cases.
- Authentication and identity management based on zero trust security model in micro-cloud environment (arXiv, 2024-10-29): The Zero Trust framework can better track and block external attackers while limiting security breaches resulting from insider attacks in the cloud paradigm. This paper focuses on authentication mechanisms, calculation of trust score, and generation of policies in order to establish required access control to resources.
- CoreGuard: Safeguarding Foundational Capabilities of LLMs Against Model Stealing in Edge Deployment (arXiv, 2024-10-16): CoreGuard is a computation- and communication-efficient model protection approach against model stealing on edge devices. We show that CoreGuard achieves the same security protection as the black-box security guarantees with negligible overhead.
- Securing the Open RAN Infrastructure: Exploring Vulnerabilities in Kubernetes Deployments (arXiv, 2024-05-03): We investigate the security implications of and software-based Open Radio Access Network (RAN) systems. We highlight the presence of potential vulnerabilities and misconfigurations in the infrastructure supporting the Near Real-Time RAN Controller (RIC) cluster.
- CloudLens: Modeling and Detecting Cloud Security Vulnerabilities (arXiv, 2024-02-16): Cloud computing services provide scalable and cost-effective solutions for data storage, processing, and collaboration. Access control misconfigurations are often the primary driver for cloud attacks. A planner generates attacks to identify such vulnerabilities in the cloud.
- Emergent (In)Security of Multi-Cloud Environments (arXiv, 2023-11-02): A majority of IT organizations have workloads spread across different cloud service providers, growing their multi-cloud environments. The increase in the number of attack vectors creates a challenge of how to prioritize mitigations and countermeasures. We conducted an analysis of multi-cloud threat vectors enabling calculation and prioritization for the identified mitigations and countermeasures.
- Exploring Security Practices in Infrastructure as Code: An Empirical Study (arXiv, 2023-08-07): Cloud computing has become popular thanks to the widespread use of Infrastructure as Code (IaC) tools. The scripting process does not automatically prevent practitioners from introducing misconfigurations, vulnerabilities, or privacy risks. Ensuring security relies on practitioners' understanding and the adoption of explicit policies, guidelines, or best practices.
- Using Constraint Programming and Graph Representation Learning for Generating Interpretable Cloud Security Policies (arXiv, 2022-05-02): Cloud security relies on Identity Access Management (IAM) policies that IT admins need to properly configure and periodically update. We develop a novel framework that encodes generating optimal IAM policies using constraint programming (CP). We show that our optimized IAM policies significantly reduce the impact of security attacks using real data from 8 commercial organizations, and synthetic instances.
- Auto-Split: A General Framework of Collaborative Edge-Cloud AI (arXiv, 2021-08-30): This paper describes the techniques and engineering practice behind Auto-Split, an edge-cloud collaborative prototype of Huawei Cloud. To the best of our knowledge, there is no existing industry product that provides the capability of Deep Neural Network (DNN) splitting.
- A Privacy-Preserving Distributed Architecture for Deep-Learning-as-a-Service (arXiv, 2020-03-30): This paper introduces a novel distributed architecture for deep-learning-as-a-service. It is able to preserve the user sensitive data while providing Cloud-based machine and deep learning services.
- AdvMS: A Multi-source Multi-cost Defense Against Adversarial Attacks (arXiv, 2020-02-19): Deep neural networks have been proliferated rapidly in many security-critical domains such as malware detection and self-driving cars. Conventional defense methods, although shown to be promising, are largely limited by their single-source single-cost nature. We show that the multi-source nature of AdvMS mitigates the performance plateauing issue and the multi-cost nature enables improving robustness at a flexible and adjustable combination of costs.
This list is automatically generated from the titles and abstracts of the papers in this site.