Preparing to assess cloud IAM controls

As we covered in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, developing a good audit plan requires a thorough understanding of how the enterprise environment is architected and connected. When it comes to IAM controls, knowing that the cloud environment is federated with another identity store versus using a localized identity store only, for example, will change the test procedures that should be used and the evidence that you would expect to gather. It may also influence the points of contact within the organization you would need to work with to obtain evidence details. In addition to understanding the architecture and integration design of the environment, like other audits, it’s essential to understand the risk and control objectives the organization is trying to address as part of the cloud audit process. As we’ve uncovered throughout Chapter 1, Cloud Architecture and Navigation, to Chapter 6, Tips and Techniques for Advanced Auditing, there is a myriad of options for configuring security controls within your enterprise cloud environments, and the configuration options an organization chooses should be reflective of their risk tolerance and control objectives.

In the sections that follow, as a prerequisite, you will require a minimum level of view or read access to obtain the test evidence independently. Depending upon your specific organization’s configuration and any additional customizations, you may require additional access rights or group memberships to directly access specific content, or you may be required to work with an administrative point of contact for your organization as you observe them pulling control evidence. For reference, any screenshots in the following sections are based on a user with administrative privileges to the cloud environment.

Another thing to keep in mind as you prepare to assess cloud IAM controls is that although some basic tenets are the same across the cloud providers, the nomenclature and structure vary. Please review Chapter 3, Identity and Access Management Controls, as a refresher on the IAM components across the three cloud providers.

Now that we have touched on a few points of preparation, let’s perform our first walk-through challenge to assess authentication and authorization.

Assessing authentication and authorization

In the case of user authentication and authorization, it’s important to understand the source of identities and where they are managed. Cloud providers offer the ability to consume, share, and/or sync identity information within hybrid environments, across cloud providers, and with on-premises identity stores. As a brief reminder, authentication is the process of verifying an identity claim, and authorization is the process of verifying that the identity has the proper permissions to access content or resources. Both processes should be inclusive of human and non-human (service accounts, workload identities, and automation accounts) identities.

For our walk-through in this section, our control testing will determine whether the organization’s cloud environment adheres to a control policy that requires accounts that are inactive for 180 days to be disabled. In our example, we will walk through simple methods to obtain this information within AWS and Azure cloud environments; however, please keep in mind that there are often many other methods for pulling this information. Leveraging the established frameworks that we referenced in Chapter 2, Effective Techniques for Preparing to Audit Cloud Environments, may assist you in utilizing some of these other methods.
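As an added illustration of the 180-day inactivity test described above (this is example code written for this edition, not the book's own walk-through), the script below evaluates evidence in the column layout of the AWS IAM credential report, which an auditor with read access can export with `aws iam get-credential-report`. The report content here is a constructed sample limited to the columns the test uses; the "as of" date, user names and account ID are assumptions. Note that an identity that has never been used falls back to its creation date, so a stale, never-used account is still caught.

```python
"""Test AWS IAM identities against a 180-day inactivity control (added example)."""
import csv
import io
from datetime import datetime, timezone

INACTIVE_DAYS = 180

# Constructed sample in the IAM credential report layout (subset of columns).
# Real reports come from `aws iam get-credential-report`; values here are made up.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2021-01-10T09:00:00+00:00,not_supported,2023-11-01T10:15:00+00:00,false,N/A,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2022-03-01T09:00:00+00:00,true,2023-12-20T08:00:00+00:00,true,2023-12-18T11:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2022-03-01T09:00:00+00:00,true,2023-05-02T08:00:00+00:00,true,N/A,false,N/A
svc-backup,arn:aws:iam::111122223333:user/svc-backup,2022-06-15T09:00:00+00:00,false,N/A,true,2023-12-30T02:00:00+00:00,false,N/A
carol,arn:aws:iam::111122223333:user/carol,2023-01-05T09:00:00+00:00,true,no_information,true,no_information,false,N/A
"""

AS_OF = datetime(2024, 1, 1, tzinfo=timezone.utc)  # assumed evidence collection date


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def last_activity(row):
    """Most recent console sign-in or access key use; creation time if none recorded."""
    cols = ("password_last_used", "access_key_1_last_used_date", "access_key_2_last_used_date")
    used = [ts for ts in (parse_ts(row[c]) for c in cols) if ts is not None]
    return max(used) if used else parse_ts(row["user_creation_time"])


def find_inactive(report_csv, as_of, threshold_days=INACTIVE_DAYS):
    """Return {user: days_idle} for still-enabled identities idle beyond the threshold."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        # Root reports password_enabled as not_supported; its password is always usable.
        enabled = (row["password_enabled"] in ("true", "not_supported")
                   or row["access_key_1_active"] == "true"
                   or row["access_key_2_active"] == "true")
        if not enabled:
            continue  # already disabled, so the control objective is met
        idle = (as_of - last_activity(row)).days
        if idle > threshold_days:
            findings[row["user"]] = idle
    return findings


if __name__ == "__main__":
    print(find_inactive(SAMPLE_REPORT, AS_OF))  # {'bob': 243, 'carol': 360}
```

Each finding is an exception to the control: the user is still enabled yet has no sign-in or key use within the window, and the auditor would trace it back to the organization's disablement process.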