Comment by callalex

2 years ago

Can someone explain to me what is so difficult about writing security policies? Are people really deploying services in production without understanding the upstream and downstream dependencies of the service?

Also at cloud-scale 95% accuracy is completely unacceptable.

IAM policies in AWS are inherently difficult - there's a lot of nuance to the policies such as evaluation logic (allow/deny decisions), resource scoping, conditionals, and more. It's often more straightforward to start with a broad IAM policy and then leave it without reducing privilege so as not to adversely impact the application. Proper IAM also takes dev cycles, and getting a policy correct may not be top priority. I think it's rare to find a 100% properly scoped IAM policy for an application.

Datadog recently did a State of Cloud Security and one of their findings in https://www.datadoghq.com/state-of-cloud-security/ is that a substantial portion of cloud workloads are excessively privileged (with more data points there).
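An added example (not code from anyone in the thread) that models the evaluation logic the comment lists: an explicit Deny beats any Allow, anything unmatched is implicitly denied, Action/Resource wildcards scope the statement, and a StringEquals condition gates it. It also flags the bare-wildcard Allow statements that the "start broad and never tighten" habit leaves behind; both policies are constructed samples, and only StringEquals conditions are modelled.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value, fold_case=False):
    # IAM wildcards ('*', '?'); action names are case-insensitive, ARNs are not
    if fold_case:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)

def _conditions_hold(statement, ctx):
    # Only StringEquals is modelled here; a missing context key fails the check
    for key, want in statement.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != want:
            return False
    return True

def evaluate(policy, action, resource, ctx=None):
    """Return 'Allow' or 'Deny' for one request against one identity policy."""
    ctx = ctx or {}
    allowed = False
    for st in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(st.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(st.get("Resource", []))):
            continue
        if not _conditions_hold(st, ctx):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # an explicit Deny wins regardless of any Allow
        allowed = True
    return "Allow" if allowed else "Deny"  # nothing matched: implicit deny

def broad_statements(policy):
    """Indices of Allow statements with a bare '*' Action or Resource."""
    return [i for i, st in enumerate(policy["Statement"])
            if st["Effect"] == "Allow"
            and ("*" in _as_list(st.get("Action", []))
                 or "*" in _as_list(st.get("Resource", [])))]

# Constructed sample policies: the broad starting point (with one carve-out)
# versus a policy scoped to a single bucket, action and region.
BROAD = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
SCOPED = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::app-logs/*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}},
]}
```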

> Are people really deploying services in production without understanding...

Oh you sweet summer child. But in reality I've seen the pattern over and over, especially in GCP:

1. Create service account
2. Give it Owner permission for the whole project
3. Download key and check it into source control
4. Deploy