Do Not Make This Mistake When Starting Cloud Security In 2024...
If you are a newcomer to cloud security, then avoid this wrong turn.

As someone who has been working in Cloud for half a decade... I like to think I know a little something about Cloud Security.
I often write about the different career paths and certifications available for people wanting to start out in cloud security.
One question that I routinely get asked is...
“Which cloud service should I start with?”
Cloud providers like AWS, Azure, or GCP can have literally hundreds of security services to explore, and it can get overwhelming!
I have seen experienced cloud security professionals jump from one security service to another because all of them seem so amazing to work on, and they end up losing focus.
Newcomers often want to jump into impressive-sounding services like Cloud Security Posture Management or Threat Monitoring, but my response is always the same:
“Start With Identity and Access Management i.e. IAM”
What Is IAM?
Let us take a look at IAM.
I took this example from AWS, but it applies to almost any cloud provider.
“IAM provides authentication and authorization for AWS services. A service evaluates if an AWS request is allowed or denied. Access is denied by default and is allowed only when a policy explicitly grants access. You can attach policies to roles and resources to control access across AWS.”
Most cloud security professionals think IAM is good for setting password policies and enabling Multi-Factor Authentication, and their job is done!
Believe me, IAM is easily the most important cloud service you can focus on, and ignoring it is a serious mistake.
IAM is the starting point of cloud security regardless of which cloud provider you choose.
It touches every service in the cloud and is where most security violations happen.
If you want to control what a user can do .. it is IAM.
Want to control what a cloud workload can do .. it is IAM.
Want to control the blast radius of a developer with power-user permissions .. it is IAM.
Want to control third-party access into your environment .. it is IAM!!
If you want to enforce a complex security model like Zero Trust, good luck doing it without learning how IAM works!
Now that you understand why IAM is so crucial, how do you learn it?
A Quick Roadmap For Learning IAM
I will not teach you how IAM works, as there are already a million free resources for doing that.
But I want to highlight the key areas you want to focus on.
1. Start By Doing
No one learns IAM by reading .. you learn it by trying and failing to create IAM policies.
Get an AWS Free Tier account and start creating some policies.
Start with the basics, such as user and group creation and setting password policies, before jumping into the more complex stuff!
Understand how access keys work and how to rotate them.
Once you are comfortable, try creating customized policies to lock down permissions more.
2. Get a Handle on JSON
More often than not, IAM Policies are implemented in a JSON format.
JSON is an easy key-value pair format that follows a nested structure, meaning it is ideal for writing IAM policies.
Most people want to skip learning JSON and use the graphical interface, but that is another mistake.
Completely ignoring JSON means you will have a seriously difficult time when policies do not work and you have to troubleshoot them.
Can you understand what the below policy does?
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::example-bucket",
        "arn:aws:s3:::example-bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "dynamodb:PutItem",
        "dynamodb:UpdateItem",
        "dynamodb:GetItem",
        "dynamodb:Scan",
        "dynamodb:Query"
      ],
      "Resource": [
        "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"
      ]
    }
  ]
}
If JSON gives you a headache, AI tools like ChatGPT are great for walking you through IAM policies and explaining them step by step.
Here is an example of me asking ChatGPT to walk me through the above policy.
Note: I am not suggesting you start putting your corporate IAM policies into ChatGPT. Use it for learning purposes only!!
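To make the "can you understand this policy?" question concrete, here is an added example (my code, not the article's and not an AWS tool) that parses a policy document and summarizes, per statement, which actions it grants on which resources. It also flags the patterns you would look at first when reviewing someone else's policy: wildcard actions, wildcard resources and NotAction. The first policy is the one quoted above; the second is constructed for contrast and is not from the article.

```python
import json

# The policy quoted in the article, embedded here as the sample input.
ARTICLE_POLICY = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:GetItem",
                 "dynamodb:Scan", "dynamodb:Query"],
      "Resource": ["arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"]
    }
  ]
}
"""

# Constructed for contrast: the kind of policy a reviewer should never wave through.
OVERLY_BROAD_POLICY = """
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
"""


def as_list(value):
    """Statement, Action and Resource may be a single value or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def summarize_policy(policy):
    """Return one dict per statement: effect, services, actions, resources, warnings.

    'warnings' collects the patterns to look at first when reviewing a policy:
    wildcard actions ('*' or 'service:*'), wildcard resources, and NotAction,
    which grants everything except the listed actions.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    summary = []
    for index, stmt in enumerate(as_list(doc.get("Statement"))):
        actions = as_list(stmt.get("Action"))
        resources = as_list(stmt.get("Resource"))
        warnings = []
        if any(a == "*" or a.endswith(":*") for a in actions):
            warnings.append("wildcard action")
        if "*" in resources:
            warnings.append("wildcard resource")
        if "NotAction" in stmt:
            warnings.append("NotAction grants everything except the listed actions")
        summary.append({
            "index": index,
            "effect": stmt.get("Effect", "?"),
            "services": sorted({a.split(":")[0] for a in actions}),
            "actions": actions,
            "resources": resources,
            "warnings": warnings,
        })
    return summary


def describe(policy):
    """Render summarize_policy() as one readable line per statement."""
    lines = []
    for s in summarize_policy(policy):
        line = (f"Statement {s['index']}: {s['effect']} "
                f"{', '.join(s['actions'])} on {', '.join(s['resources'])}")
        if s["warnings"]:
            line += "  [review: " + "; ".join(s["warnings"]) + "]"
        lines.append(line)
    return lines


if __name__ == "__main__":
    for policy in (ARTICLE_POLICY, OVERLY_BROAD_POLICY):
        print("\n".join(describe(policy)))
        print()
```

Run it and the article's policy reads as two statements, one granting read and list on the bucket and one granting five DynamoDB operations on a single table, with no review flags; the constructed policy is flagged on both action and resource.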
3. Understand How IAM Policy Logic Works
Every request processed in the cloud is evaluated based on a policy logic.
Different types of policies are evaluated differently and at differing levels.
It can get very complicated very fast!
The below is just an example of AWS policy evaluation logic.
You do not need to understand every detail, but start slowly and build over time with more complex policies.
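As an added illustration of the deny-by-default rule (example code written for this page, not the article's and not an AWS library), the evaluator below applies the identity-policy part of the evaluation order to a single request: start from an implicit deny, an explicit Deny in any matching statement is final, and otherwise at least one matching Allow is required. Action names match case-insensitively and resource ARNs case-sensitively, as they do in IAM. The guardrail policy is constructed for the example; Condition blocks are deliberately out of scope and are rejected rather than silently mis-evaluated.

```python
import re

# Constructed for this example (not from the article): a broad S3 Allow plus an
# explicit Deny on destructive actions, the classic guardrail pattern.
GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Deny", "Action": ["s3:DeleteObject", "s3:DeleteBucket"],
         "Resource": "*"},
    ],
}


def as_list(value):
    """Statement, Action and Resource may be a single value or a list; normalise."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _to_regex(pattern):
    """Translate an IAM wildcard pattern ('*' any run, '?' one char) to a regex."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return "^" + body + "$"


def _matches(patterns, value, ignore_case):
    flags = re.IGNORECASE if ignore_case else 0
    return any(re.match(_to_regex(p), value, flags) for p in patterns)


def _statement_applies(stmt, action, resource):
    """True if the statement's (Not)Action and (Not)Resource cover the request."""
    if "Condition" in stmt:
        # Condition keys (aws:SourceIp, aws:MultiFactorAuthPresent, ...) are not
        # modelled in this example; refuse rather than guess.
        raise NotImplementedError("Condition blocks are not modelled here")
    if "Action" in stmt:
        action_hit = _matches(as_list(stmt["Action"]), action, ignore_case=True)
    elif "NotAction" in stmt:
        action_hit = not _matches(as_list(stmt["NotAction"]), action, ignore_case=True)
    else:
        action_hit = False
    if "Resource" in stmt:
        resource_hit = _matches(as_list(stmt["Resource"]), resource, ignore_case=False)
    elif "NotResource" in stmt:
        resource_hit = not _matches(as_list(stmt["NotResource"]), resource, ignore_case=False)
    else:
        resource_hit = False
    return action_hit and resource_hit


def evaluate(policies, action, resource):
    """Identity-policy evaluation: implicit deny, explicit Deny wins, else need an Allow.

    Returns 'Allow', 'ExplicitDeny' or 'ImplicitDeny'.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in as_list(policy.get("Statement")):
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt.get("Effect") == "Deny":
                return "ExplicitDeny"   # an explicit deny is final
            decision = "Allow"          # keep scanning: a later Deny still overrides
    return decision


if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:DeleteObject", "arn:aws:s3:::example-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("dynamodb:GetItem", "arn:aws:dynamodb:us-east-1:123456789012:table/ExampleTable"),
    ]
    for act, res in requests:
        print(f"{act:18} {res:60} -> {evaluate([GUARDRAIL_POLICY], act, res)}")
```

The `policies` parameter takes a list so you can see how several identity policies attached to the same principal combine: one Allow anywhere is enough, but a Deny anywhere ends the evaluation regardless of order.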
4. Put Your IAM Skills To The Test!
Now that you have a good foundation .. push yourself by giving yourself some projects based on real-life situations like the following:
How to prevent a user administrator from doing a privilege escalation
How to create and assume roles within multiple accounts in a cloud
How to configure Single Sign On (SSO) within AWS and Azure AD
How to create context-driven policies that take additional attributes like IP Address, Time of day, or User behavior into account
How to automate user review within the cloud (so you don't have to review thousands of permissions in your environment manually)
I hope this gave you a good idea of why IAM is possibly the most important service in the cloud.
Mastering it is essential to move towards concepts such as Zero Trust.
I hope this motivates you to take a deeper dive into IAM concepts.
If you want to learn more, check out this video, which is my favorite on this topic!

Thanks for this article. One of the most insightful pieces I’ve read about IAM and Cloud Security.