Access Control through Observability

September 14, 2022

Access control is a security approach that governs who or what can access and use resources in a computing environment. It is a key security concept that reduces risk to the business or organization. Access control is difficult to get right, and if it is not implemented properly it can lead to a cyber security crisis.

One technique I believe is gaining traction recently is "Access Control through Observability." It works by deploying a resource in a test-bed or staging environment and monitoring every component and parameter that the resource accesses. Then, based on what was observed, you create an access policy that permits exactly those accesses and denies everything else.

Let's look at various tools that can help us prevent access control attacks in the cloud and Kubernetes environments. 

1. Containers & K8s

Let's get into it with containers and Kubernetes. For containers, I like to use eBPF to detect the syscalls a container makes. Next, use Sysdig Falco to detect anomalous activity, or KubeArmor to enforce Linux Security Module (e.g. AppArmor) policies as part of your runtime security requirements.

2. audit2rbac

Next up, we've got audit2rbac. It is a good RBAC solution for Kubernetes users. As input, you give it a Kubernetes audit log and the user (or service account) of interest. It then constructs an "auto-generated" RBAC manifest covering only the API calls that user actually made. This is excellent for service accounts.
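To make the observe-then-restrict idea concrete, here is an added example (my own illustration, not audit2rbac's code) that reads constructed Kubernetes audit events for one service account and emits a Role containing only the verbs and resources it was seen to use; the namespace, identities and resource names are invented.

```python
import json
from collections import defaultdict

# Constructed sample Kubernetes audit events (not data from a real cluster);
# only the fields this example reads are kept. Real events carry many more.
AUDIT_LOG = """
{"verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"configmaps","namespace":"shop","apiGroup":"","name":"cart-config"}}
{"verb":"list","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"pods","namespace":"shop","apiGroup":""}}
{"verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"configmaps","namespace":"shop","apiGroup":"","name":"cart-config"}}
{"verb":"update","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"deployments","namespace":"shop","apiGroup":"apps","name":"cart"}}
{"verb":"delete","user":{"username":"alice"},"objectRef":{"resource":"secrets","namespace":"shop","apiGroup":"","name":"db"}}
{"verb":"watch","user":{"username":"system:serviceaccount:shop:cart"},"objectRef":{"resource":"pods","namespace":"shop","apiGroup":""}}
{"verb":"get","user":{"username":"system:serviceaccount:shop:cart"},"requestURI":"/healthz"}
"""

def observed_access(audit_lines, username):
    """Map (namespace, apiGroup, resource) -> verbs the given identity actually used."""
    seen = defaultdict(set)
    for line in audit_lines.strip().splitlines():
        event = json.loads(line)
        if event["user"]["username"] != username:
            continue  # other identities' activity must not leak into this policy
        ref = event.get("objectRef")
        if not ref:
            continue  # non-resource URLs such as /healthz need a separate rule type
        key = (ref.get("namespace", ""), ref.get("apiGroup", ""), ref["resource"])
        seen[key].add(event["verb"])
    return seen

def generate_role(audit_lines, username, role_name):
    """Emit a namespaced Role granting exactly the observed verbs and nothing else."""
    seen = observed_access(audit_lines, username)
    namespaces = {ns for ns, _, _ in seen}
    if len(namespaces) != 1:
        raise ValueError("this example builds one Role for one namespace: %r" % namespaces)
    rules = [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
        for (_, group, resource), verbs in sorted(seen.items())
    ]
    return {
        "apiVersion": "rbac.authorization.k8s.io/v1",
        "kind": "Role",
        "metadata": {"name": role_name, "namespace": namespaces.pop()},
        "rules": rules,
    }

if __name__ == "__main__":
    role = generate_role(AUDIT_LOG, "system:serviceaccount:shop:cart", "cart-observed")
    print(json.dumps(role, indent=2))
```

Because the generated rules come only from what the workload was observed doing, anything it never exercised during the observation window (here, `alice`'s secret deletion and the `/healthz` probe) stays denied by default.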

3. IAM Access Analyzer

Now, let's talk about IAM Access Analyzer for Amazon Web Services, which does a great job of generating policies based on CloudTrail control-plane events. It has certain limitations, but it is a beneficial AWS security feature.

4. The Recommender Function

Next, we've got quite an interesting one. Google Cloud has an intriguing "recommender" function that evaluates permissions actually used by roles over time, with some machine learning thrown in for good measure. Based on this, it will automatically begin to generate recommended permissions. 

5. Mizu

Mizu is an excellent tool for Kubernetes networks. While it only covers HTTP API traffic, you can use it to visualize your API traffic and then derive NetworkPolicies from what you see.

6. VPC Flow Logs

Finally, VPC flow logs for visualizing network traffic in the cloud are possibly your most reliable route. Deploy resources in a "staging" or "test" cloud account, collect VPC flow logs, and identify the specific ingress and egress traffic patterns the workload actually needs.

Never stop learning!

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).