Key privileged access, roles, and policies

Although each provider exposes thousands of roles, permissions, and policies, the following are examples of important ones to note. Additional information on access permissions for each cloud provider is available at the URLs given with each list.

The following is a small sample of highly privileged AWS IAM actions and AWS managed policies that an auditor should be aware of (iam:CreateUser is an individual IAM action; the others are AWS managed policies that bundle many actions). Learn more about specific access permissions and policies within AWS at https://docs.aws.amazon.com/IAM/latest/UserGuide/access.html:

  • iam:CreateUser
  • AmazonEC2ContainerRegistryFullAccess
  • Billing
  • AdministratorAccess
  • AWSConfigUserAccess

In addition to the built-in privileged access, as an auditor you should also be familiar with the following AWS IAM concepts:

  • AWS IAM policy evaluation logic (every request is implicitly denied, and an explicit deny always overrides an allow)
  • Identity-based versus resource-based policies
  • The sts:AssumeRole capability and the role trust policies that control who may use it

You can find more in-depth information on these at https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html and https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html.
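As an added illustration of the three concepts listed above, here is a small Python model of the evaluation logic for a caller in the same account as the resource. It is example code written for this page, not AWS code, and it applies the documented rules: every request is implicitly denied, an explicit Deny in any applicable policy wins, and otherwise an Allow in either an identity-based or a resource-based policy is enough. The account ID, principal ARNs, bucket and policy documents are constructed sample data; permissions boundaries, SCPs, session policies, NotAction/NotResource and Condition blocks are deliberately left out.

```python
"""Simplified model of AWS IAM policy evaluation for requests within one account.

Added example, not AWS code: implicit deny by default, explicit Deny always wins,
otherwise an Allow from an identity-based or a resource-based policy grants access.
"""
from fnmatch import fnmatchcase


def _as_list(value):
    """IAM JSON allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_ok(statement, caller_arn):
    """Identity-based statements have no Principal; resource-based ones name theirs."""
    principal = statement.get("Principal")
    if principal is None or principal == "*":
        return True
    return caller_arn in _as_list(principal.get("AWS", []))


def _matches(statement, action, resource, caller_arn):
    """True if the statement covers this caller, action and resource (wildcards allowed)."""
    actions = [a.lower() for a in _as_list(statement.get("Action", []))]
    resources = _as_list(statement.get("Resource", "*"))
    return (_principal_ok(statement, caller_arn)
            and any(fnmatchcase(action.lower(), a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def evaluate(policies, action, resource, caller_arn):
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    `policies` holds every document that applies: the caller's identity-based
    policies plus the resource-based policy of the target, if it has one."""
    allowed = False
    for doc in policies:
        for stmt in _as_list(doc.get("Statement", [])):
            if not _matches(stmt, action, resource, caller_arn):
                continue
            if stmt.get("Effect") == "Deny":
                return "explicit_deny"       # a deny ends evaluation immediately
            if stmt.get("Effect") == "Allow":
                allowed = True               # remember it, but keep looking for a deny
    return "allow" if allowed else "implicit_deny"


def can_assume_role(trust_policy, role_arn, caller_arn, caller_policies):
    """Model the sts:AssumeRole decision for a caller in the role's own account.

    If the trust policy names the caller's ARN directly, no identity-based Allow is
    needed; if it names only the account root, the caller's own policies must also
    allow sts:AssumeRole on the role. An explicit Deny blocks either path."""
    identity = evaluate(caller_policies, "sts:AssumeRole", role_arn, caller_arn)
    if identity == "explicit_deny":
        return False
    account_root = "arn:aws:iam::%s:root" % role_arn.split(":")[4]
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if caller_arn in principals or "*" in principals:
            return True                      # a "*" principal here is itself an audit finding
        if account_root in principals and identity == "allow":
            return True
    return False


# Constructed sample data; the account ID, names and bucket are not real.
ALICE = "arn:aws:iam::111122223333:user/alice"
AUDITOR_ROLE = "arn:aws:iam::111122223333:role/Auditor"
ALICE_POLICIES = [{"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::audit-logs/*"},
    {"Effect": "Deny", "Action": "s3:Delete*", "Resource": "*"},
]}]
AUDIT_BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::audit-logs"},
]}
TRUST_NAMES_ALICE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ALICE}, "Action": "sts:AssumeRole"},
]}
TRUST_NAMES_ROOT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"},
]}


def demo():
    """Decisions for a handful of sample requests made by alice."""
    both = ALICE_POLICIES + [AUDIT_BUCKET_POLICY]
    log = "arn:aws:s3:::audit-logs/2024/access.log"
    return {
        "get": evaluate(both, "s3:GetObject", log, ALICE),
        "list": evaluate(both, "s3:ListBucket", "arn:aws:s3:::audit-logs", ALICE),
        "delete": evaluate(both, "s3:DeleteObject", log, ALICE),
        "put": evaluate(both, "s3:PutObject", log, ALICE),
        "assume_named": can_assume_role(TRUST_NAMES_ALICE, AUDITOR_ROLE, ALICE, ALICE_POLICIES),
        "assume_root": can_assume_role(TRUST_NAMES_ROOT, AUDITOR_ROLE, ALICE, ALICE_POLICIES),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print("%-13s -> %s" % (request, decision))
```

Running the module prints one decision per sample request. The ListBucket case is allowed purely by the bucket policy, with no identity-based grant, and the DeleteObject case is refused even though a wildcard allow could have been added later, because the explicit Deny is found first. The two AssumeRole cases show the distinction an auditor should check in trust policies: a trust policy that names a user directly lets that user assume the role without any sts:AssumeRole permission of their own, whereas one that names the account root defers to the caller's identity-based policies.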

A similar sample of highly privileged Microsoft Azure directory roles (Azure Active Directory, now Microsoft Entra ID) can be found in the following list, and you can get more details on roles and permissions at https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference:

  • Global Administrator
  • Security Administrator
  • Privileged Role Administrator
  • Cloud Device Administrator
  • Application Administrator

Other things to note for Azure include Conditional Access, which lets you define risk-based policies that enforce MFA and control access to resources based on signals such as the user, device, location and sign-in risk, and Identity Protection, which produces automated risk reports and alerts from machine learning (ML) detections of sign-ins and accounts that may be compromised. The risk levels Identity Protection assigns can be used as conditions in Conditional Access policies, so a risky sign-in can be forced through MFA or blocked outright. More information about these capabilities can be found at https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/.

To complete our list of sample privileged access across the major cloud environments, the following is a sample list of privileged roles within Google Cloud. You can learn more about these, and other roles, at https://cloud.google.com/iam/docs/understanding-roles:

  • Editor
  • Security Admin
  • Role Administrator
  • Super Administrator
  • Organization Administrator

Other things to note about GCP include how IAM policies are inherited through the resource hierarchy (organization, folders, projects, resources). IAM allow policies are always inherited: the effective policy on a resource is the union of its own policy and the policies of all of its ancestors, a child resource cannot remove a role granted higher up, and there is no IAM setting that turns this inheritance off (it is organization policy constraints, not IAM policies, whose inheritance can be overridden at a folder or project). IAM deny policies, by contrast, are evaluated before allow policies, so an applicable deny always takes precedence over any allow, wherever in the hierarchy that allow was granted. You can learn more at https://cloud.google.com/iam/docs/overview.
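To make the inheritance and deny-precedence rules concrete, the following is an added Python model written for this page; it is example code, not Google's implementation. It walks the hierarchy path of a resource, unions the role bindings found at every level, and consults deny rules before any allow. The organization, folder and project IDs, the policies, the principal names and the role-to-permission table are constructed sample data, and real principal identifiers and deny permission names are more elaborate than shown.

```python
"""Simplified model of Google Cloud IAM inheritance and deny precedence.

Added example, not Google code. Resources are written as hierarchy paths such as
organizations/<id>/folders/<id>/projects/<id>; allow policies are role bindings on
any node and deny policies are rules on any node. Principal and permission names
are simplified and the role table is a tiny constructed subset of the real roles.
"""

# Constructed subset of predefined roles (the real roles carry many more permissions).
ROLE_PERMISSIONS = {
    "roles/storage.objectViewer": {"storage.objects.get", "storage.objects.list"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.list",
                                  "storage.objects.create", "storage.objects.delete"},
}


def ancestors(resource):
    """Every node from the organization down to the resource itself, in order."""
    parts = resource.split("/")
    return ["/".join(parts[:i]) for i in range(2, len(parts) + 1, 2)]


def effective_bindings(allow_policies, resource):
    """Union of the role bindings on the resource and on all of its ancestors.

    This is the inheritance rule: a grant at the organization or a folder appears
    on every project beneath it, and nothing set on the project can remove it.
    """
    effective = {}
    for node in ancestors(resource):
        for binding in allow_policies.get(node, []):
            for member in binding["members"]:
                effective.setdefault(member, set()).add(binding["role"])
    return effective


def check_access(allow_policies, deny_policies, principal, permission, resource):
    """Return 'deny', 'allow' or 'no_access' for one principal, permission and resource.

    Deny rules anywhere on the path are evaluated first; the inherited allow
    bindings are consulted only if no deny rule applies.
    """
    for node in ancestors(resource):
        for rule in deny_policies.get(node, []):
            if (principal in rule["deniedPrincipals"]
                    and permission in rule["deniedPermissions"]
                    and principal not in rule.get("exceptionPrincipals", [])):
                return "deny"
    roles = effective_bindings(allow_policies, resource).get(principal, set())
    granted = set().union(*(ROLE_PERMISSIONS.get(role, set()) for role in roles))
    return "allow" if permission in granted else "no_access"


# Constructed hierarchy and policies; the IDs and addresses are not real.
ORG = "organizations/123456789012"
FOLDER = ORG + "/folders/345678901234"
PROJECT = FOLDER + "/projects/prod-app"
ALICE, BOB = "user:alice@example.com", "user:bob@example.com"
ALLOW = {
    FOLDER: [{"role": "roles/storage.objectAdmin", "members": [ALICE]}],
    PROJECT: [{"role": "roles/storage.objectViewer", "members": [BOB]}],
}
DENY = {
    ORG: [{"deniedPrincipals": [ALICE], "deniedPermissions": ["storage.objects.delete"]}],
}


def demo():
    """Decisions showing inheritance flowing downward and an org-level deny winning."""
    return {
        "alice_roles_on_project": sorted(effective_bindings(ALLOW, PROJECT)[ALICE]),
        "alice_create": check_access(ALLOW, DENY, ALICE, "storage.objects.create", PROJECT),
        "alice_delete": check_access(ALLOW, DENY, ALICE, "storage.objects.delete", PROJECT),
        "bob_get": check_access(ALLOW, DENY, BOB, "storage.objects.get", PROJECT),
        "bob_delete": check_access(ALLOW, DENY, BOB, "storage.objects.delete", PROJECT),
        "bob_get_on_folder": check_access(ALLOW, DENY, BOB, "storage.objects.get", FOLDER),
    }


if __name__ == "__main__":
    for request, decision in demo().items():
        print("%-22s -> %s" % (request, decision))
```

Alice's folder-level objectAdmin grant is visible on the project without any project binding, which is the inheritance an auditor must account for when reviewing a project in isolation, yet her delete permission is refused because the organization-level deny is evaluated first. Bob's project-level grant does not flow upward to the folder, which is why the final case returns no access.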

Now that we understand more about how permissions can be managed for identities and how to identify privileged levels of access (permissions, roles, and policies) within AWS, Azure, and GCP, let's look at the management of a specific type of identity: devices.