Automated Least-Privileged Access


Kion’s unique approach to applying automated, least-privileged access unlocks multiple business benefits: 

  • Cost avoidance: Setting up non-negotiable permissions and policies across multiple clouds and accounts can prevent accidental misuse of cloud resources that results in wasted spend, such as preventing instances that cost >$2 per hour, or restricting deployment in unapproved regions.
  • Improved security and compliance: Utilizing Cloud Access Roles, often defined around specific personas in an organization (like developers, security engineers, etc.), ensures consistent, least-privileged access that is manageable at scale. Unmanaged, over-permissioned, or unused IAM roles can lead to security breaches or compliance violations.
  • Consistency across multiple clouds: Kion unifies the IAM constructs found in the major cloud providers – such as AWS IAM policies, Azure role definitions, and GCP IAM roles.

Implementing automated least-privileged access with Kion is done two ways:

  • Administratively Driven: Using Cloud Rules, you push down IAM policies at the OU and Project levels that are ‘non-negotiable’ - i.e., these policies must be true for all users who access those accounts. This integrates the Organization Chart concept in Kion, which dramatically reduces overhead costs associated with cloud privileged access management by leveraging inheritance and exceptions where necessary.
  • User Driven: Using Cloud Access Roles, you define IAM policies and permissions boundaries at the role level - i.e., these permissions are unique to that role itself. This brings autonomy to allow App Teams to manage their own IAM, while still ensuring that administrative policies are attached and governed automatically.

Some tools only take a User Driven approach. While this provides fine-grained permissions, it quickly becomes difficult to apply wholesale changes that can enforce least-privileged access across a large user base, thus creating “IAM sprawl” later on. For example, applying a new organization-wide rule that requires only approved AMIs can be done administratively through the Kion Organization Chart without having to modify multiple user permissions individually.

Therefore, when combining both the Administratively Driven and User Driven approach, you get a unique, least-privileged role that can easily be managed in Kion across multiple clouds and accounts.
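To make the combination concrete, the following is an added example (not Kion's code or its policy engine) that models the two layers in AWS IAM JSON terms: an administratively pushed-down deny policy carrying the page's region, approved-AMI and cost guardrails, plus a user-driven role policy and permissions boundary. The evaluator is a deliberately simplified version of AWS's evaluation logic (explicit deny wins; otherwise the role policy and the boundary must both allow). The region list, AMI IDs, account number and instance-type patterns are constructed sample values.

```python
"""Simplified IAM-style evaluation of an admin-driven deny layer combined with a
user-driven role policy and permissions boundary. Added illustration, not Kion
code; policy shapes follow AWS IAM JSON, and all IDs are constructed samples."""
import fnmatch

APPROVED_REGIONS = ["us-east-1", "us-west-2"]          # constructed sample values
APPROVED_AMIS = ["ami-0aaaa1111", "ami-0bbbb2222"]      # constructed sample values

# Administratively driven layer: attached to every role under the OU/Project
# and not removable by the application team.
ADMIN_DENY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Restrict deployment to approved regions
            "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
        {   # Only approved AMIs may be launched
            "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*::image/*",
            "Condition": {"StringNotEquals": {"ec2:ImageId": APPROVED_AMIS}},
        },
        {   # Cost guardrail: block the large instance families (stand-in for ">$2/hour")
            "Effect": "Deny", "Action": "ec2:RunInstances",
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringLike": {"ec2:InstanceType": ["*.8xlarge", "*.16xlarge", "*.metal"]}},
        },
    ],
}

# User-driven layer: the app team wrote themselves a generous role policy,
# but the boundary they inherit never grants iam:*.
DEVELOPER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*", "iam:*"], "Resource": "*"}],
}
DEVELOPER_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:*", "s3:*"], "Resource": "*"}],
}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _condition_holds(cond, ctx):
    """Evaluate the subset of IAM condition operators used above."""
    for op, pairs in cond.items():
        for key, wanted in pairs.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if op == "StringEquals":
                ok = actual in wanted
            elif op == "StringNotEquals":      # a missing key counts as "not equal", as in IAM
                ok = actual not in wanted
            elif op == "StringLike":
                ok = actual is not None and any(fnmatch.fnmatchcase(actual, w) for w in wanted)
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True


def _decide(policy, action, resource, ctx):
    """Return 'Deny', 'Allow' or None (implicit deny) for a single policy document."""
    decision = None
    for stmt in policy["Statement"]:
        if (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
                and _condition_holds(stmt.get("Condition", {}), ctx)):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def is_allowed(action, resources, ctx, *, admin_policies, role_policy, boundary=None):
    """Explicit Deny anywhere wins; otherwise every resource touched by the call
    needs an Allow from the role policy AND from the boundary (if one is set)."""
    attached = admin_policies + [role_policy] + ([boundary] if boundary else [])
    for res in resources:
        if any(_decide(p, action, res, ctx) == "Deny" for p in attached):
            return False
        if _decide(role_policy, action, res, ctx) != "Allow":
            return False
        if boundary and _decide(boundary, action, res, ctx) != "Allow":
            return False
    return True


def run_instances_request(region, ami, instance_type, account="123456789012"):
    """Build the (action, resources, context) triple for a RunInstances call."""
    resources = [f"arn:aws:ec2:{region}::image/{ami}", f"arn:aws:ec2:{region}:{account}:instance/*"]
    ctx = {"aws:RequestedRegion": region, "ec2:ImageId": ami, "ec2:InstanceType": instance_type}
    return "ec2:RunInstances", resources, ctx


def developer_may(action, resources, ctx):
    """Effective decision for a user holding the developer Cloud Access Role."""
    return is_allowed(action, resources, ctx, admin_policies=[ADMIN_DENY_POLICY],
                      role_policy=DEVELOPER_ROLE_POLICY, boundary=DEVELOPER_BOUNDARY)


if __name__ == "__main__":
    print(developer_may(*run_instances_request("us-east-1", "ami-0aaaa1111", "t3.medium")))   # True
    print(developer_may(*run_instances_request("eu-west-1", "ami-0aaaa1111", "t3.medium")))   # False
```

The point the model makes is the one the page makes: the team's own `iam:*` grant in the role policy is silently neutralised by the boundary, and the region, AMI and instance-size rules hold no matter what the role policy says, so changing an organization-wide rule means editing one admin document rather than every role. One caveat for anyone turning this into a real policy: a blanket region deny keyed on `aws:RequestedRegion` also hits global services such as IAM and STS, so production versions exempt those with `NotAction`, which this simplified evaluator does not model.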

[Image: Venn diagram of Cloud Rules and Cloud Access Roles]

Cloud Access Federation

Kion goes a step further and enables users to federate into their cloud provider via a Cloud Access Role defined in Kion:

  • Users authenticate into Kion via their organization’s Identity provider (IdP) or single-sign on solution (SSO).
  • Kion leverages groups and roles from your IdP to map that user’s identity into one or more approved Kion Cloud Access Roles.
  • Users federate into their cloud accounts via the Cloud Access Role with the desired permissions applied and enforced.

To learn more about cloud access federation, please see Logging in to a Cloud Provider with a Cloud Access Role.