With more than 24,000 permissions across AWS, Azure, and GCP, how does one determine who gets what permissions? Half of the 10,000 permissions in AWS are admin-like permissions. This is even more complicated when new permissions and services are being added almost daily. Mapping these out and understanding their implications is a difficult task, yet attackers understand them well enough to leverage toxic combinations of these permissions for privilege escalation and for exploiting your cloud infrastructure. In this presentation, we'll share our experiences from doing more than 150 risk assessments across AWS, Azure, and GCP. We'll review the admin permissions we most commonly find accidentally assigned to developers and users. We'll reveal some extremely powerful permissions that can be mapped to a Cyber Kill Chain specific to cloud infrastructure. This will uncover toxic combinations of permissions that can lead to lateral movement, privilege escalation, exfiltration, and more. We'll provide real-world examples of findings from audit logs, activity monitoring, and ML-based anomaly analysis. We'll then outline a strategy for actively tracking this moving forward within your environment, and for mitigating this over-permissioned access to build a permissions management lifecycle.