ULA accelerates innovation by lowering cloud compliance risk at scale (AES309)

Adopting a Functional Privilege Architecture for Secure Cloud Governance

ULA's Cloud Journey

  • ULA faced several challenges when adopting the cloud, including:
    • Complexity in user provisioning, causing delays and productivity losses
    • Difficulty in scaling, especially around identity management
    • Challenges in defining and achieving least privilege access
    • A lift-and-shift, on-premises mindset carried over into the cloud
    • Lack of cloud knowledge among the user base

Effective Permissions Approach

  • ULA partnered with AWS Professional Services to address these challenges.
  • The solution combined three policy layers. A request is allowed only if it passes all of them, and an explicit deny in any layer wins:
    1. Identity policies: define the specific actions and resources a user or role may access.
    2. Service Control Policies (SCPs): organization-wide guardrails, implemented mainly as deny statements that block certain actions regardless of what an identity policy grants.
    3. Permissions boundary policies: define the set of approved services and actions that an identity policy can never exceed, creating a "safe space" for developers to work in.
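How the three layers combine in practice, shown as an added example rather than ULA's or AWS's code: a small Python evaluator that applies the documented rule (explicit deny anywhere wins, otherwise every layer present must allow) to three constructed policy documents. The bucket names, the placeholder account ID 123456789012 and the policy contents are assumptions made for illustration; conditions, NotAction/NotResource, resource policies and session policies are deliberately not modelled.

```python
"""Simplified AWS effective-permission evaluation across the three layers
described above: SCP, permissions boundary, identity policy.

Added example, not ULA's tooling. Policies below are constructed.
Rules modelled (same-account IAM principal): an explicit Deny in any
layer wins; otherwise every layer that is present must contain a
matching Allow. Conditions and Not* forms are out of scope.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM treats '*' and '?' as wildcards; action names compare case-insensitively,
    # resource ARNs are compared as written.
    if case_insensitive:
        return any(fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def policy_effect(policy, action, resource):
    """'Deny' if any matching statement denies, 'Allow' if one allows, else None."""
    effect = None
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled here
        if (_matches(stmt["Action"], action, True)
                and _matches(stmt["Resource"], resource, False)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            effect = "Allow"
    return effect


def evaluate(action, resource, identity, scp=None, boundary=None):
    """Return (allowed, reason) for one request against the layers supplied."""
    layers = {"scp": scp, "boundary": boundary, "identity": identity}
    effects = {n: policy_effect(p, action, resource) for n, p in layers.items() if p}
    for name, eff in effects.items():
        if eff == "Deny":
            return False, f"explicit Deny in {name}"
    for name, eff in effects.items():
        if eff is None:
            return False, f"no matching Allow in {name} (implicit deny)"
    return True, "Allow in every layer"


# Constructed organization SCP: FullAWSAccess plus deny-statement guardrails.
SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:CreateUser", "iam:CreateAccessKey"], "Resource": "*"},
]}

# Constructed permissions boundary: the "safe space" of approved services.
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:*", "lambda:*", "logs:*"], "Resource": "*"},
]}

# Constructed identity policy for one developer (assumed bucket and account).
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws-us-gov:s3:::ula-dev-bucket/*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:CreateUser", "dynamodb:PutItem"], "Resource": "*"},
]}

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws-us-gov:s3:::ula-dev-bucket/app.zip"),
        ("iam:CreateUser", "*"),          # identity allows, SCP denies
        ("dynamodb:PutItem", "arn:aws-us-gov:dynamodb:us-gov-west-1:123456789012:table/orders"),
        ("ec2:RunInstances", "*"),        # boundary allows, identity does not
    ]
    for action, resource in requests:
        print(action, resource, evaluate(action, resource, IDENTITY, SCP, BOUNDARY))
```

The reason string is the useful part for a developer who gets an access-denied error: it tells them which layer to ask about, and whether the fix is a policy change they can make themselves (identity) or a guardrail decision owned by the governance team (SCP or boundary).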

Functional Privilege Architecture

  • ULA took the effective permissions approach further by developing a "functional privilege" model.
  • Key elements:
    • Established a Cloud Center of Excellence (CCoE) to enable and disseminate the approach.
    • Implemented a rigorous service approval process, requiring deep dives into new services and defining necessary controls.
    • Used the Landing Zone Accelerator (LZA) pipeline to deploy the policies and roles across accounts.
    • Developed custom CLI tools that generate IAM policies from the API actions users actually perform (captured activity) and from their infrastructure as code.
    • Onboarded developers in a dedicated "onboarding" account, allowing them to experiment and explore while capturing their actions.
    • Iteratively updated the generated policies as developers' needs evolved.
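The capture-and-generate step, as an added example rather than ULA's CLI tooling or IAM Access Analyzer: a Python script that turns CloudTrail-style records from an onboarding account into a first-cut identity policy and sets aside calls that were denied so a human can decide whether they belong in the safe space. The event records, ARNs, bucket and function names, and the small eventSource-to-prefix override table are constructed assumptions; a production tool needs the complete service-prefix mapping.

```python
"""Generate a starting IAM identity policy from captured CloudTrail activity.

Added example, not ULA's tooling and not IAM Access Analyzer. The EVENTS
list is constructed to resemble CloudTrail records and contains only the
fields used here.
"""
import json
import re
from collections import defaultdict

# eventSource hosts whose IAM service prefix differs from the host label.
# Only the case used below; a real tool needs the full mapping (assumption).
PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def iam_action(event):
    """Map a CloudTrail record to an IAM action string such as 's3:GetObject'."""
    host = event["eventSource"].split(".")[0]
    service = PREFIX_OVERRIDES.get(host, host)
    # Lambda (and a few other services) append an API version to eventName,
    # e.g. CreateFunction20150331 or AddPermission20150331v2; strip it.
    name = re.sub(r"\d{8}(v\d+)?$", "", event["eventName"])
    return f"{service}:{name}"


def scope_arn(arn):
    """Generalise S3 object ARNs to bucket/* so the policy is not one line per key."""
    if re.match(r"arn:aws[^:]*:s3:::[^/]+/", arn):
        return arn.split("/", 1)[0] + "/*"
    return arn


def generate_policy(events):
    """Return (policy_document, flagged_actions).

    Successful calls become Allow statements scoped to the ARNs CloudTrail
    recorded ('*' when it recorded none). Calls that failed with an error
    code such as AccessDenied are not granted; they are returned separately
    for review, since in an onboarding account a denied call usually means
    the developer reached past the boundary.
    """
    resources = defaultdict(set)  # action -> set of resource ARNs
    flagged = set()
    for ev in events:
        action = iam_action(ev)
        if ev.get("errorCode"):
            flagged.add(action)
            continue
        arns = {scope_arn(r["ARN"]) for r in ev.get("resources", []) if "ARN" in r}
        resources[action] |= arns or {"*"}
    # Group actions that share exactly the same resource set into one statement.
    by_resources = defaultdict(list)
    for action, arns in resources.items():
        key = ("*",) if "*" in arns else tuple(sorted(arns))
        by_resources[key].append(action)
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": list(arns)}
        for arns, actions in sorted(by_resources.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}, sorted(flagged)


# Constructed sample of what a developer did in the onboarding account.
EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws-us-gov:s3:::ula-onboarding-bucket/app.zip"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws-us-gov:s3:::ula-onboarding-bucket/out/result.txt"}]},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
     "resources": [{"ARN": "arn:aws-us-gov:lambda:us-gov-west-1:123456789012:function:ingest"}]},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricData"},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "errorCode": "AccessDenied"},
]

if __name__ == "__main__":
    policy, flagged = generate_policy(EVENTS)
    print(json.dumps(policy, indent=2))
    print("needs review:", flagged)
```

Run in a pipeline, the generated document is the artifact that gets committed and re-generated as the developer's activity changes, which is what "treating the policy as a living document" looks like in practice; the flagged list is the input to the service approval process rather than something the tool grants on its own.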

Outcomes and Principles

  • The functional privilege approach allowed ULA to:
    • Cut provisioning time from days (or hours) to minutes
    • Maintain high security standards and compliance posture
    • Empower developers to innovate while ensuring secure guardrails
  • Key principle: the "Principle of Leash Privilege" (a play on least privilege): give users the freedom to roam and explore, while keeping the ability to tighten the leash when necessary.

Lessons Learned

  • Emphasize the importance of a solid governance strategy and architectural foundations before implementing tooling.
  • Use AWS services such as IAM Access Analyzer (which can generate a policy from recorded CloudTrail activity) where available, and supplement with custom tooling when needed (e.g., for GovCloud).
  • Integrate the policy generation process with developers' workflows (CI/CD pipelines) for better adoption and iteration.
  • Treat IAM policies as a living document, continuously updating them as user needs evolve.

Conclusion

  • ULA's functional privilege approach has enabled them to balance security and compliance requirements with developer agility and innovation.
  • The principles and techniques discussed can be applied to both commercial and highly regulated GovCloud environments.
