As organizations adopt more cloud services and resources, they end up responsible for a staggering variety of cloud administrative consoles, APIs and identity systems. Together these interfaces, through which cloud resources are created, configured and destroyed, are known as the cloud control plane.
If the control plane is not properly locked down, it is exposed to a wide variety of attacks, and there have been multiple cases of administrative credentials for cloud consoles being compromised and abused. In 2014, code hosting company Code Spaces was put out of business after an attacker gained access to its AWS management console and, when an extortion attempt failed, deleted most of the company's data and backups. In 2018, several exposed Kubernetes administrative consoles, including one belonging to auto manufacturer Tesla, were hijacked to run containers that mined cryptocurrency for the attackers. These are just two of many examples.
To better secure the cloud control plane, it's important for enterprises to follow these five best practices.
1. Account inventory
Security admins must carefully define and inventory the users and accounts that need administrative access to the cloud environments their companies operate. This sounds like a basic identity and access management function, but working out which roles and functions an organization actually needs varies considerably by cloud service. Some SaaS services offer only one type of administrator role, for example, while most PaaS and IaaS clouds expose a wide range of identity policies and privilege tiers. The inventory must cover non-human identities as well: service accounts, access keys and roles used by automation are often the most privileged and the least reviewed. Building a sustainable least privilege model takes time and resources, but it is one of the most critical areas to focus on, not only when setting up cloud services but also for ongoing operations. It is a good idea to federate a central user directory, such as Active Directory, with single sign-on, either through on-premises identity gateways or an identity-as-a-service offering. This makes account provisioning and deprovisioning much simpler and gives central oversight of all accounts irrespective of the cloud service in use, with the caveat that the identity provider itself then becomes part of the control plane and must be protected to the same standard.
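The inventory step is easiest to get wrong for principals that are admin-equivalent without ever being called "administrator". The script below is an added example, not code from the original article: it walks a constructed, simplified snapshot of an AWS-style IAM account (the structure, user, group and policy names are assumptions invented for this example) and reports every user who can reach an escalation-capable action on Resource "*", directly or through a group, along with whether that user has MFA enrolled.

```python
"""Find the principals that hold admin-equivalent rights in an account.

Added example, not code from the original article. Walks a constructed,
simplified snapshot of an AWS-style IAM account (assumed structure; the user,
group and policy names are invented) and reports every user who can reach an
escalation-capable action on Resource "*", directly or via a group.
"""
from fnmatch import fnmatch

# Constructed sample account: three users, two groups, three managed policies.
ACCOUNT_SNAPSHOT = {
    "policies": {
        "AdministratorAccess": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
        "ReadOnly": {"Statement": [
            {"Effect": "Allow", "Action": ["ec2:Describe*", "s3:Get*", "s3:List*"],
             "Resource": "*"}]},
        "IamFullAccess": {"Statement": [
            {"Effect": "Allow", "Action": "iam:*", "Resource": "*"}]},
    },
    "groups": {"admins": ["AdministratorAccess"], "developers": ["ReadOnly"]},
    "users": {
        "alice":      {"groups": ["admins"],     "policies": [],               "mfa": True},
        "bob":        {"groups": ["developers"], "policies": ["IamFullAccess"], "mfa": False},
        "svc-deploy": {"groups": ["developers"], "policies": [],               "mfa": False},
    },
}

# Actions that amount to full control of the account even when "Action": "*"
# is never written out; any Allow on Resource "*" covering one of these counts.
PRIVILEGED_ACTIONS = (
    "*",
    "iam:*",
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:CreatePolicyVersion",
    "iam:AttachRolePolicy", "iam:PassRole", "sts:AssumeRole",
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def matching_patterns(statement):
    """Action patterns in an Allow-on-"*" statement that cover a privileged action."""
    if statement.get("Effect") != "Allow":
        return set()
    if "*" not in _as_list(statement.get("Resource", [])):
        return set()
    return {p for p in _as_list(statement.get("Action", []))
            if any(fnmatch(a, p) for a in PRIVILEGED_ACTIONS)}


def effective_policies(snapshot, user):
    """Policies a user holds directly plus those inherited from group membership."""
    record = snapshot["users"][user]
    names = list(record["policies"])
    for group in record["groups"]:
        names.extend(snapshot["groups"][group])
    return names


def privileged_principals(snapshot):
    """Map each admin-capable user to the policies and action patterns that make it so."""
    findings = {}
    for user, record in snapshot["users"].items():
        via, grants = set(), set()
        for name in effective_policies(snapshot, user):
            for stmt in snapshot["policies"][name]["Statement"]:
                hit = matching_patterns(stmt)
                if hit:
                    via.add(name)
                    grants |= hit
        if grants:
            findings[user] = {"via": sorted(via), "grants": sorted(grants), "mfa": record["mfa"]}
    return findings


def privileged_without_mfa(snapshot):
    """The short list to fix first: admin-capable users with no MFA device."""
    return sorted(u for u, f in privileged_principals(snapshot).items() if not f["mfa"])


if __name__ == "__main__":
    for user, finding in privileged_principals(ACCOUNT_SNAPSHOT).items():
        print(f"{user}: {finding}")
    print("admin-capable without MFA:", privileged_without_mfa(ACCOUNT_SNAPSHOT))
```

Against a real account the snapshot would come from the provider's API (for AWS, the account authorization details report), and the privileged-action list would be extended with whatever escalation paths matter to the organization; the point of the exercise is that "bob", who is nominally a developer, is an administrator in everything but name.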
2. Multifactor authentication
For all administrative accounts, enable multifactor authentication (MFA) and strictly enforce its use. Code Spaces would very likely have survived had MFA been required for its AWS console access. Ideally, every user and account that interacts with the cloud control plane should have MFA enabled, but MFA is an interactive control and will break automation that authenticates with static credentials. Enforce MFA for all human identities and, rather than exempting long-lived service account keys from it, move automation to short-lived credentials such as cloud provider roles, which carry their own scoped policy and need no MFA exception.
3. Logging
A third key aspect of securing the cloud control plane is to enable logging for the entire environment. This is easily done in all major IaaS clouds with AWS CloudTrail, Azure Activity Log and Google Cloud Audit Logs (formerly part of Stackdriver). Make the logs tamper-resistant as well: enable them across every region and account, ship them to storage that administrators of the monitored accounts cannot alter, and turn on integrity validation where the provider offers it, so that an attacker who gains administrative access cannot simply erase the record. Security admins must then monitor and evaluate these logs, of course, but enabling cloud-wide logging is the first step.
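Enabling the logs is only useful if something reads them. The following is an added example, not code from the original article, of the detection logic a security team would run over control-plane audit records. The records are constructed for this example: the field names follow the CloudTrail JSON schema, but the account, users and IP addresses are invented, and the trusted network, approved regions and failed-login threshold are assumptions a deployment would set for itself. It goes slightly beyond the practices listed on this page by also flagging root account activity, which is a standard control-plane detection.

```python
"""Detection logic for control-plane abuse, run over CloudTrail-style records.

Added example, not code from the original article. Records are constructed:
field names follow the CloudTrail schema, users and addresses are invented,
and the allowlists below are assumptions.
"""
import ipaddress
from collections import Counter

TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed office/VPN range
ALLOWED_REGIONS = {"us-east-1", "eu-west-1"}                    # assumed approved regions
FAILED_LOGIN_THRESHOLD = 3                                       # assumed per-source threshold


def _login(user, ip, success, mfa, t):
    return {"eventTime": t, "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
            "awsRegion": "us-east-1", "sourceIPAddress": ip,
            "userIdentity": {"type": "IAMUser", "userName": user},
            "responseElements": {"ConsoleLogin": "Success" if success else "Failure"},
            "additionalEventData": {"MFAUsed": "Yes" if mfa else "No"}}


def _api(user, ip, name, region, t, itype="IAMUser"):
    return {"eventTime": t, "eventName": name, "awsRegion": region, "sourceIPAddress": ip,
            "userIdentity": {"type": itype, "userName": user}}


# Constructed sample trail: a clean login, a failed-login burst followed by a
# successful non-MFA login from the same address, an instance launch in an
# unused region, a routine automation call, and the root user doing IAM work.
EVENTS = [
    _login("alice", "198.51.100.20", True, True, "2024-05-01T08:00:00Z"),
    _login("bob", "203.0.113.9", False, False, "2024-05-01T08:10:01Z"),
    _login("bob", "203.0.113.9", False, False, "2024-05-01T08:10:07Z"),
    _login("bob", "203.0.113.9", False, False, "2024-05-01T08:10:12Z"),
    _login("bob", "203.0.113.9", True, False, "2024-05-01T08:10:20Z"),
    _api("bob", "203.0.113.9", "RunInstances", "ap-southeast-1", "2024-05-01T08:12:00Z"),
    _api("svc-deploy", "198.51.100.30", "DescribeInstances", "us-east-1", "2024-05-01T08:15:00Z"),
    _api(None, "198.51.100.20", "CreateUser", "us-east-1", "2024-05-01T09:00:00Z", itype="Root"),
]


def _is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        # CloudTrail puts a service principal such as "ec2.amazonaws.com" here for
        # calls AWS makes on the account's behalf; those have no source IP to check.
        return True
    return any(addr in net for net in TRUSTED_NETWORKS)


def analyze(events):
    """Return (rule, detail) findings; each rule maps to a practice in this article."""
    findings = []
    failed_logins = Counter()
    for e in events:
        ident = e.get("userIdentity", {})
        who = ident.get("userName") or ident.get("type", "unknown")
        ip, region, name = e.get("sourceIPAddress", ""), e.get("awsRegion", ""), e.get("eventName", "")
        if ident.get("type") == "Root":
            findings.append(("root_account_activity", f"{name} from {ip}"))
        if name == "ConsoleLogin":
            succeeded = e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            if not succeeded:
                failed_logins[ip] += 1
            elif e.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                findings.append(("console_login_without_mfa", f"{who} from {ip}"))
        elif not _is_trusted(ip):
            findings.append(("api_call_from_untrusted_ip", f"{who} {name} from {ip}"))
        if region not in ALLOWED_REGIONS:
            findings.append(("activity_in_unapproved_region", f"{who} {name} in {region}"))
    for ip, count in failed_logins.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(("console_login_bruteforce", f"{count} failed logins from {ip}"))
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(EVENTS):
        print(f"{rule:32} {detail}")
```

In production the threshold would be applied per time window rather than over the whole batch, and the rules would feed an alerting pipeline; the sample trail is deliberately shaped like the Code Spaces pattern, a credential-guessing burst followed by a successful login with no second factor, because that is the sequence the logging practice exists to catch.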
4. Restrict API access
Ensure any cloud API access is restricted to a small set of users and is carefully controlled and monitored. The AWS Command Line Interface, Azure PowerShell and GCP's gcloud tool are just clients for the same APIs the consoles use, so a leaked access key is as dangerous as a leaked console password, and often worse because keys rarely expire and are not covered by MFA. If this type of programmatic access model is enabled and in use, restrict it to trusted IP addresses or sources, for example with source IP conditions in identity policies, and be aware that such conditions must exempt calls the provider's own services make on your behalf, which arrive without a user source address.
5. Restrict some more
Security admins should restrict the use of any resources or regions their organization isn't using in the first place. Identity policies can limit access to specific cloud services available from the provider, and the major cloud providers also let organizations block geographic regions they don't use or plan to use: AWS allows its newer opt-in regions to be disabled at the account level and any region to be denied through a policy condition on the requested region, Azure Policy can restrict allowed locations, and GCP organization policies can constrain resource locations. A region nobody is using is also a region nobody is watching, which is exactly where an attacker with stolen credentials will spin up resources.
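Practices 2, 4 and 5 can be expressed together as one deny-by-condition guardrail policy. The block below is an added example, not code from the original article: GUARDRAIL_POLICY is a valid AWS IAM policy document intended for the human identities that use the console and CLI (the trusted CIDR and approved regions are assumptions), and is_denied() is a deliberately minimal evaluator written for this example, implementing only the three condition operators the policy uses with the missing-key semantics IAM documents for IfExists and negated operators; it is not the IAM policy simulator. The sample request contexts show the two caveats from the text, that an MFA deny breaks role sessions used by automation, and that a source IP deny swallows calls AWS makes on your behalf unless it is guarded.

```python
"""Guardrail policy for MFA, source network and region, with a toy evaluator.

Added example, not code from the original article. GUARDRAIL_POLICY is real
IAM syntax; is_denied() is a minimal evaluator for this example only.
"""
import copy
import ipaddress
from fnmatch import fnmatch

TRUSTED_CIDRS = ["198.51.100.0/24"]            # assumed office/VPN range
APPROVED_REGIONS = ["us-east-1", "eu-west-1"]  # assumed regions in use

GUARDRAIL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Practice 2: nothing without MFA, except the calls needed to enrol a device.
            "Sid": "DenyWithoutMFA", "Effect": "Deny",
            "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                          "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
        {   # Practice 4: console and API calls only from trusted networks. The
            # aws:ViaAWSService guard stops calls AWS makes on your behalf (which
            # carry no aws:SourceIp) from matching the negated IP operator.
            "Sid": "DenyUntrustedSource", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"NotIpAddress": {"aws:SourceIp": TRUSTED_CIDRS},
                          "Bool": {"aws:ViaAWSService": "false"}},
        },
        {   # Practice 5: no activity in regions the organization does not use.
            "Sid": "DenyUnusedRegions", "Effect": "Deny", "Action": "*", "Resource": "*",
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}},
        },
    ],
}

# Same guardrails minus the MFA statement, for role sessions used by automation.
AUTOMATION_POLICY = {"Version": "2012-10-17", "Statement": [
    s for s in GUARDRAIL_POLICY["Statement"] if s["Sid"] != "DenyWithoutMFA"]}

NEGATED_OPERATORS = {"NotIpAddress", "StringNotEquals"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches_action(stmt, action):
    """IAM action matching: case-insensitive wildcard, inverted for NotAction."""
    patterns = _as_list(stmt.get("Action", stmt.get("NotAction", [])))
    hit = any(fnmatch(action.lower(), p.lower()) for p in patterns)
    return hit if "Action" in stmt else not hit


def _condition_holds(condition, ctx):
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            expected = [str(v) for v in _as_list(expected)]
            actual = ctx.get(key)
            if actual is None:
                # IAM: IfExists and negated operators match a missing key; others do not.
                if op.endswith("IfExists") or op in NEGATED_OPERATORS:
                    continue
                return False
            if op in ("Bool", "BoolIfExists"):
                ok = str(actual).lower() == expected[0].lower()
            elif op == "NotIpAddress":
                ok = not any(ipaddress.ip_address(actual) in ipaddress.ip_network(n) for n in expected)
            elif op == "StringNotEquals":
                ok = actual not in expected
            else:
                raise NotImplementedError(op)
            if not ok:
                return False
    return True


def is_denied(policy, request):
    """Sid of the first Deny statement matching the request context, else None."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] == "Deny" and _matches_action(stmt, request["action"])
                and _condition_holds(stmt.get("Condition", {}), request)):
            return stmt["Sid"]
    return None


def without_via_service_guard(policy):
    """Copy of a policy with the aws:ViaAWSService guard removed, to show why it matters."""
    p = copy.deepcopy(policy)
    for stmt in p["Statement"]:
        if stmt["Sid"] == "DenyUntrustedSource":
            stmt["Condition"].pop("Bool", None)
    return p


# Constructed request contexts: the keys IAM would populate for each call.
HUMAN_OK = {"action": "s3:GetObject", "aws:MultiFactorAuthPresent": True,
            "aws:SourceIp": "198.51.100.20", "aws:RequestedRegion": "us-east-1",
            "aws:ViaAWSService": False}
ROLE_SESSION = {"action": "ec2:RunInstances", "aws:SourceIp": "198.51.100.30",
                "aws:RequestedRegion": "us-east-1", "aws:ViaAWSService": False}
SERVICE_CALL = {"action": "ec2:RunInstances", "aws:RequestedRegion": "us-east-1",
                "aws:ViaAWSService": True}   # no aws:SourceIp: AWS made this call for us

if __name__ == "__main__":
    print(is_denied(GUARDRAIL_POLICY, HUMAN_OK), is_denied(GUARDRAIL_POLICY, ROLE_SESSION),
          is_denied(AUTOMATION_POLICY, SERVICE_CALL),
          is_denied(without_via_service_guard(AUTOMATION_POLICY), SERVICE_CALL))
```

Two things to keep in mind before deploying the real policy: the region statement needs a NotAction exemption for global services (IAM, STS and similar) or it will block them too, and the evaluator here returns the first matching deny for readability, whereas IAM evaluates every statement and any explicit deny wins.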
A few more steps
While the above actions minimize the attack surface security pros have to worry about, there are a few additional actions enterprises can take.
To help monitor and lock down the cloud control plane, security teams may also want to consider cloud security posture management (CSPM) tools and services. These are especially useful in multi-cloud deployments. CSPM services integrate with the major cloud service providers' APIs to continuously scan and assess the state of control plane security controls, reporting misconfigurations and suggesting best practices to a central dashboard.