ULA accelerates innovation by lowering cloud compliance risk at scale (AES309)
Adopting a Functional Privilege Architecture for Secure Cloud Governance
ULA's Cloud Journey
ULA faced several challenges when adopting the cloud, including:
Complexity in user provisioning, causing delays and productivity losses
Difficulty in scaling, especially around identity management
Challenges in defining and achieving least privilege access
Challenges with lift-and-shift migrations and an on-premises mentality
Lack of cloud knowledge among the user base
Effective Permissions Approach
ULA partnered with AWS Professional Services to address these challenges.
The solution involved a three-layer approach:
Identity Policies: Defined a list of actions and resources that users can access.
Service Control Policies (SCPs): Implemented security policy frameworks using deny statements to restrict certain actions.
Boundary Policies (IAM permissions boundaries): Defined the set of allowed services and actions, creating a "safe space" within which developers can work.
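The three layers only make sense together: a request succeeds only when the identity policy, every SCP in the account's organizational chain and the permissions boundary all allow it, and an explicit deny in any layer wins. The following Python model is an added illustration (not ULA's or AWS's code) of that evaluation order on constructed sample policies; it simplifies the documented AWS logic by leaving out conditions, resource-based policies and session policies.

```python
"""Simplified model of AWS effective-permission evaluation across three layers:
identity policies, service control policies (SCPs) and a permissions boundary.
Added example with constructed policies; not the talk's or AWS's own code."""
from fnmatch import fnmatchcase

# Constructed identity policy: what the developer role is granted directly.
IDENTITY_POLICIES = [{
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::team-bucket/*"},
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["cloudtrail:*", "iam:CreateUser"], "Resource": "*"},
    ],
}]

# Constructed SCP chain: root keeps an allow-all SCP, the OU adds deny guardrails.
SCPS = [
    {"Version": "2012-10-17",
     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    {"Version": "2012-10-17",
     "Statement": [
         {"Effect": "Allow", "Action": "*", "Resource": "*"},
         {"Effect": "Deny", "Resource": "*",
          "Action": ["cloudtrail:StopLogging", "cloudtrail:DeleteTrail",
                     "organizations:LeaveOrganization"]},
     ]},
]

# Constructed permissions boundary: the "safe space" of services a developer may use.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "logs:*", "cloudtrail:*"], "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _stmt_matches(stmt, action, resource):
    # IAM action matching is case-insensitive and supports * and ? wildcards;
    # fnmatchcase also honours [...] classes, which IAM does not, so keep ARNs bracket-free.
    action_hit = any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"]))
    resource_hit = any(fnmatchcase(resource, p) for p in _as_list(stmt.get("Resource", "*")))
    return action_hit and resource_hit


def _decision(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, None otherwise."""
    outcome = None
    for stmt in policy["Statement"]:
        if _stmt_matches(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"
            outcome = "Allow"
    return outcome


def evaluate(action, resource, identity_policies, scps, boundary=None):
    """Return (allowed, reason). Order: an explicit deny anywhere wins; then every
    SCP level, the boundary (if set) and at least one identity policy must allow."""
    layers = [("SCP", p) for p in scps]
    if boundary:
        layers.append(("boundary", boundary))
    layers += [("identity", p) for p in identity_policies]
    for name, policy in layers:
        if _decision(policy, action, resource) == "Deny":
            return False, f"explicit deny in {name} policy"
    for policy in scps:  # each level of the OU chain must allow the action
        if _decision(policy, action, resource) != "Allow":
            return False, "not allowed by SCP"
    if boundary and _decision(boundary, action, resource) != "Allow":
        return False, "outside permissions boundary"
    if not any(_decision(p, action, resource) == "Allow" for p in identity_policies):
        return False, "implicit deny: no identity policy allows it"
    return True, "allowed by all three layers"


if __name__ == "__main__":
    checks = [
        ("s3:GetObject", "arn:aws:s3:::team-bucket/report.csv"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/report.csv"),
        ("cloudtrail:StopLogging", "*"),
        ("iam:CreateUser", "*"),
    ]
    for act, res in checks:
        print(act, res, evaluate(act, res, IDENTITY_POLICIES, SCPS, BOUNDARY))
```

Each denied call carries the layer that blocked it, which is the detail a developer asks for first when a request fails; the same structure is a useful first triage step before reaching for the IAM policy simulator.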
Functional Privilege Architecture
ULA took the effective permissions approach further by developing a "functional privilege" model.
Key elements:
Established a Cloud Center of Excellence (CCoE) to enable and disseminate the approach.
Implemented a rigorous service approval process, requiring deep dives into new services and defining necessary controls.
Used the Landing Zone Accelerator (LZA) pipeline to deploy the policies and roles across accounts.
Developed custom CLI tools to automate the generation of IAM policies based on user actions and infrastructure as code.
Onboarded developers in a dedicated "onboarding" account, allowing them to experiment and explore while capturing their actions.
Iteratively updated the generated policies as developers' needs evolved.
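The onboarding-account loop (capture what developers actually call, then generate and refine a policy from it) is the core of the functional privilege model. The Python below is an added, self-contained sketch of such a generator, not ULA's CLI tooling: it reads constructed CloudTrail-style records, skips calls that were denied (a failed call is not an exercised permission), maps each record to an IAM action and emits one allow statement per service. The `SERVICE_PREFIX_OVERRIDES` and `ACTION_OVERRIDES` tables are assumptions that illustrate a real caveat: CloudTrail's `eventSource` and `eventName` do not always equal the IAM service prefix and action name, so a production tool needs a maintained mapping and a review step.

```python
"""Generate a starting least-privilege IAM policy from captured CloudTrail records.
Added example with constructed events; not ULA's tooling or an AWS API."""
import json
from collections import defaultdict

# Constructed CloudTrail-style records for illustration (not real captures).
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "requestParameters": {"bucketName": "onboarding-data", "key": "reports/q1.csv"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "requestParameters": {"bucketName": "onboarding-data"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "requestParameters": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "requestParameters": {}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "requestParameters": {}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData",
     "requestParameters": {}},
    # A denied call was never exercised, so the generator must not grant it.
    {"eventSource": "iam.amazonaws.com", "eventName": "DeleteRole",
     "requestParameters": {"roleName": "Admin"}, "errorCode": "AccessDenied"},
]

# Assumed mapping tables: eventSource hosts whose IAM prefix differs, and
# eventName values that are not the IAM action of the same name. Extend as found.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}
ACTION_OVERRIDES = {"s3": {"ListObjects": "ListBucket", "ListObjectsV2": "ListBucket"}}


def iam_action(event):
    """Translate one record into an IAM action string such as 's3:GetObject'."""
    service = event["eventSource"].split(".")[0]
    service = SERVICE_PREFIX_OVERRIDES.get(service, service)
    name = ACTION_OVERRIDES.get(service, {}).get(event["eventName"], event["eventName"])
    return f"{service}:{name}"


def resources_for(event, service):
    """Scope S3 calls to the bucket (or its objects) seen in the request; other
    services fall back to '*' and are flagged for manual tightening."""
    params = event.get("requestParameters") or {}
    if service == "s3" and params.get("bucketName"):
        bucket = f"arn:aws:s3:::{params['bucketName']}"
        return {bucket + "/*"} if "key" in params else {bucket}
    return {"*"}


def build_policy(events):
    """Collapse successful calls into one Allow statement per service."""
    actions, resources = defaultdict(set), defaultdict(set)
    for ev in events:
        if ev.get("errorCode"):
            continue
        action = iam_action(ev)
        service = action.split(":")[0]
        actions[service].add(action)
        resources[service] |= resources_for(ev, service)
    statements = []
    for service in sorted(actions):
        res = sorted(resources[service])
        statements.append({
            "Sid": "Generated" + service.capitalize(),
            "Effect": "Allow",
            "Action": sorted(actions[service]),
            "Resource": res if len(res) > 1 else res[0],
        })
    return {"Version": "2012-10-17", "Statement": statements}


def wildcard_resources(policy):
    """List statements still on Resource '*', the first thing a reviewer should tighten."""
    return [s["Sid"] for s in policy["Statement"] if s["Resource"] == "*"]


if __name__ == "__main__":
    generated = build_policy(SAMPLE_EVENTS)
    print(json.dumps(generated, indent=2))
    print("still on '*':", wildcard_resources(generated))
```

Re-running the generator over a longer capture window and diffing the output against the currently deployed policy is the "living document" loop the talk describes; the `wildcard_resources` check keeps the review focused on the statements that most need resource scoping.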
Outcomes and Principles
The functional privilege approach allowed ULA to:
Reduce provisioning times from days or hours to minutes
Maintain high security standards and compliance posture
Empower developers to innovate while ensuring secure guardrails
Key principle: "Principle of Leash Privilege" - Providing users with the freedom to roam and explore, while maintaining the ability to tighten the leash when necessary.
Lessons Learned
Emphasize the importance of a solid governance strategy and architectural foundations before implementing tooling.
Leverage AWS services like IAM Access Analyzer, where possible, and supplement with custom tooling when needed (e.g., for GovCloud).
Integrate the policy generation process with developers' workflows (CI/CD pipelines) for better adoption and iteration.
Treat IAM policies as a living document, continuously updating them as user needs evolve.
Conclusion
ULA's functional privilege approach has enabled them to balance security and compliance requirements with developer agility and innovation.
The principles and techniques discussed can be applied to both commercial and highly regulated GovCloud environments.