Strengthen AWS Security with Okta Privileged Access

As cyberthreats continue to rise and businesses increasingly migrate to the cloud, safeguarding sensitive assets is paramount. Ensuring the protection of sensitive data has become a top priority for every kind of organisation. privileged access management (PAM) and cloud infrastructure entitlements management (CIEM) emerge as crucial security strategies, protecting critical access points to your organisation's most valuable resources. Let's explore how joint AWS and Okta customers leverage Okta Privileged Access to enhance their security posture.

With a multifaceted set of benefits, PAM and CIEM go beyond being security buzzwords.

Improving security posture 

PAM solutions guard against unauthorised access, privileged user abuse, and insider threats, bolstering security in today's threat landscape. Additionally, by managing cloud infrastructure entitlements, PAM solutions can protect access to native IaaS resources.

Enhancing compliance

PAM enforces access controls and maintains an audit trail, facilitating compliance with industry-specific regulations and data protection standards. Additionally, with CIEM functionality, least privilege access outcomes can be achieved when accessing IaaS resources.

Lowering cybersecurity insurance costs

PAM mitigates the risk of data breaches and cyberattacks, potentially reducing insurance premiums. CIEM further helps minimise the risk by ensuring that least privilege access is continuously maintained.

Enhancing IT efficiency

PAM streamlines IT operations, automating access requests, approvals, and rotations, freeing up IT teams for strategic initiatives.

Use-case scenario

Consider a scenario where a system administrator requires elevated privileges to perform maintenance on a critical AWS EC2 instance. The administrator requests temporary elevated privileges to access the Amazon EC2 instance using Okta Privileged Access. Okta verifies the request, ensuring it aligns with defined policies, and grants time-limited access only for the required tasks. Once the maintenance is complete, Okta automatically revokes the elevated privileges, minimising the window of potential security risks.

Safeguarding your AWS EC2 instances is one example of Okta Privileged Access and AWS  use cases we support. Okta Privileged Access can help you identify AWS permission sets and associated policies (i.e., entitlements). It allows you to determine which AWS IAM Identity Center users and groups can access AWS resources, including AWS RDS IAM authentication access to RDS database instances.

This powerful capability helps joint Okta Privileged Access and AWS customers implement several use cases, including

  • Monitoring for permission creep over time/detecting configuration drift over time.
  • Transitioning from a standing access model to a just-in-time access model by utilising Okta and AWS IAM Identity Center. 
  • Notifying administrators about the necessity to remove users from specific groups and establish access request and approval workflows to govern the membership of these groups. Check out this blog we did with AWS for more
  • Rightsising entitlements by providing visualisation of all entitlements and granting access to AWS resources. This allows admins to consolidate duplicate entitlements and/or remove unnecessary entitlements.
  • Satisfying compliance/audit requirements by providing easy-to-navigate visualisations/JSON data via API. This also provides insights into how access is granted to resources on demand.

Our current support structure delivers discovery and analysis for entitlements that grant AWS IAM Identity Center users the ability to connect to RDS database instances directly using RDS IAM Authentication. 

How does it all work?  

Let’s step through the process of discovery, risk identification, and the resulting recommendations. Admin recommendations are designed to be clear and actionable. 

Discovery

Using Okta-managed AWS Service Accounts (External ID) with minimal read-only permissions (via AWS IAM Roles), Okta can connect to AWS accounts and complete the following:

  • Locate all RDS instances
  • Determine which permissions each user has against each RDS instance

 

rMTDUa9M1DPojZc8xOGiqHJKY0ShYhr4gH9jBI84Dh DaEI6xRQ2aefmwZzmo84EX0t0WKc8yGznjeFhInzp  1 BZkyIvHoF8azU3yHB RhNRedOgeglMbj6HXiKdtH8rcVqUhTqR3QBZ iAL3DXtw

 

Identify risk

Now that our discovery is complete, our Okta Privileged Access CIEM provides admins with an overview of all AWS RDS user permissions that may pose a risk to your organisation.

 

trGlIIm54bwXAP40t2axvrwJoLO LgAWpiW VBbKtgrNf8eYTrpWMIJkeN SO6yCw6MYpvvW0 OpNlFRHjkFkq3 x1qW2xXw57HnkgADcE1T3SzcS4DkbpPbv16nOM 2Zju9fm9g LjpTmnw gYWWgw

Recommendations

After we’ve identified potential risky entitlements, we provide recommendations to admins to help remediate possible security threats. A great example would be identifying groups that appear to be over-permissed.

Going beyond Okta Privileged Access with Okta Workflows

Once discovered and identified, your next step is eliminating the risk. Use Okta Workflows to automate the remediation and review process. Easily read cloud entitlement analysis results to remediate via group memberships, entitlements, or directly in AWS using the entitlement actions in the AWS Multi-Account Access Connector. You can also alert appropriate parties with analysis results where manual review or action might be required.

What’s next?

Looking ahead, we plan on expanding CIEM in 2024. We’re adding capabilities for admins to author their own security policies, allowing end-users to request just-in-time cloud infrastructure entitlements. But this is just the beginning. 

Once this end-to-end capability is developed, we’ll support additional investments in AWS resource types. We’re targeting AWS services like S3 and many other managed services.

If these use cases resonate with you or your mandate is to safeguard critical resources, consider Okta Privileged Access. Don't hesitate to contact our Sales team for more details and start leveraging Okta Privileged Access today. 

Okta’s forward-looking statement applies to this blog