Overview
Managing privilege in the cloud (AWS, Azure, GCP) is fundamentally different from on-prem:
- Speed: Assets spin up and down in seconds, so any control that depends on a ticket queue or a manual review cannot keep pace.
- API Surface: Everything is an API. "Root" doesn't just reboot a server; a single authenticated call can delete every resource in the account.
- Identity is the Perimeter: The management console and the API endpoints are reachable from the public internet. There is no firewall in front of them; the only thing between an attacker and your account is a credential and the policy attached to it.
Cloud PAM therefore governs both the Control Plane (the console and API calls that create, change and delete resources) and the Data Plane (the VMs, databases and services those calls stand up).
Architecture
Reference Pattern: The Cloud Broker
Admins should not log in directly to cloud accounts with static users (IAM users and their long-lived access keys). They should authenticate to a central Identity Provider (IdP), where MFA is enforced, and federate into the cloud account by assuming a role. A role assumption yields short-lived credentials bound to a session, so there is nothing permanent in the account to steal.
Diagram (not reproduced): admin -> IdP (SSO + MFA) -> federated role in the target account; no standing user or key lives in the account itself.
Key Decisions
| Decision | Options | Recommendation | Notes / Gotchas |
|---|---|---|---|
| Identity Source | Cloud-Local Users, Federated IdP | Federated IdP | Never use IAM users (long-lived keys). Use roles assumed via Okta / Entra ID (formerly Azure AD). |
| Root Protection | Vault, MFA Token | Physical MFA + Vault | The root account should have no access keys, a hardware MFA key (YubiKey) stored in a safe, and its password in the vault. Alert on every root sign-in. |
| Permissions | Broad (PowerUser), Least Privilege | Least Privilege (JIT) | Broad roles lead to accidents and hand an attacker the whole account on one compromised session. Grant broad permissions only through a time-boxed, approved JIT workflow. |
| CLI Access | Long-lived Keys, Short-lived Tokens | Short-lived Tokens | Force devs to re-authenticate through the IdP daily (`aws sso login`). Session credentials expire with the session (12 hours at most); no key on disk lives longer than that. |
| Discovery | Manual, CIEM | CIEM (Cloud Infrastructure Entitlement Management) | You cannot manually audit JSON policies across hundreds of roles. Use a CIEM tool to find over-privileged, unused and wildcard roles and to compare granted permissions against permissions actually used. |
Implementation
Phase 1: Federation & Root
- Lock away the root credentials: delete any root access keys, enrol hardware MFA, store the password in the vault, and alert on every root sign-in.
- Set up federation (AWS IAM Identity Center, Entra ID / Azure AD) so people sign in through the IdP and assume roles instead of holding keys.
- Delete all static IAM users. Where a third-party integration genuinely cannot federate, keep the exception documented, vaulted and on a rotation schedule.
- Goal: One identity to rule them all. The IdP becomes the single place to onboard, offboard and enforce MFA.
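Phase 1 is measurable from the IAM credential report, which lists every IAM user (and the root account) with its password, MFA and access-key state. The audit below is an added example, not code from the original page: it parses a constructed report (the column names are the real ones; the sample rows, account ID and user names are made up) and flags everything Phase 1 wants gone: root access keys, console logins without MFA, every static user key, and keys past their rotation age.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the column layout of the IAM credential report
# (`aws iam generate-credential-report`, then
#  `aws iam get-credential-report --query Content --output text | base64 -d`).
# Only the columns this audit reads are included; DictReader ignores the extra
# columns of the real report, so the function runs unchanged on live output.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_2_active,access_key_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2019-01-01T00:00:00+00:00,true,2024-05-01T10:00:00+00:00,true,true,2019-01-01T00:00:00+00:00,false,N/A
legacy-deployer,arn:aws:iam::111122223333:user/legacy-deployer,2020-03-04T00:00:00+00:00,false,no_information,false,true,2020-03-04T00:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-01-01T00:00:00+00:00,true,2024-05-02T00:00:00+00:00,false,false,N/A,false,N/A
ci-scanner,arn:aws:iam::111122223333:user/ci-scanner,2024-05-01T00:00:00+00:00,false,no_information,false,true,2024-05-01T00:00:00+00:00,false,N/A
"""

SAMPLE_NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)  # fixed "now" for the constructed sample


def _parse_time(value):
    """Report timestamps are ISO-8601; N/A, no_information and not_supported mean absent."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def audit_credential_report(report_csv, now, max_key_age_days=90):
    """Return (user, finding) pairs for everything Phase 1 wants gone:
    console logins without MFA, any root access key, every static IAM user
    key (these should become federated roles), and keys past their rotation age."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        is_root = user == "<root_account>"  # the report's literal name for the root row
        if row["password_enabled"] == "true" and row["mfa_active"] != "true":
            findings.append((user, "console password enabled without MFA"))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            if is_root:
                findings.append((user, f"root account has an active access key ({n})"))
                continue
            findings.append((user, f"static IAM user access key {n} (migrate to federation)"))
            rotated = _parse_time(row[f"access_key_{n}_last_rotated"])
            if rotated is not None and now - rotated > timedelta(days=max_key_age_days):
                findings.append((user, f"access key {n} not rotated in {max_key_age_days} days"))
    return findings


def run_sample():
    return audit_credential_report(SAMPLE_REPORT, SAMPLE_NOW)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

Run it against the decoded live report instead of `SAMPLE_REPORT` and the output is the Phase 1 backlog: the root key to delete, the console users to move behind the IdP, and the remaining keys to either federate or vault. The number of rows it returns is also the starting value for the MFA Coverage and Root Usage KPIs.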
Phase 2: Role Rationalization
- Create "Job Function" roles (Network Admin, ReadOnly, Developer) that map to what people actually do, not to org charts.
- Move away from "AdministratorAccess" and `"Action": "*"` wildcard policies.
- Implement "Permissions Boundaries": a ceiling attached to a role or user that caps what any policy attached to it can grant, so a delegated admin cannot create a principal more powerful than the boundary allows.
- Goal: Stop using the hammer for everything.
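The point that trips people up is that a permissions boundary never grants anything: the effective permission is the intersection of the identity policy and the boundary, and an explicit Deny in either wins. The evaluator below is an added example, not the page's or AWS's code. It implements that intersection over constructed policies (an AdministratorAccess-shaped "hammer", a job-function developer policy, and a developer boundary) and is deliberately simplified: Condition, NotAction, NotResource, SCPs, session and resource policies are not modelled.

```python
import re

# Constructed policies for the example. ADMIN_HAMMER is the AdministratorAccess
# shape the page says to move away from; DEVELOPER_POLICY is a job-function role;
# DEVELOPER_BOUNDARY is a permissions boundary that caps either of them.
ADMIN_HAMMER = {"Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

DEVELOPER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-artifacts", "arn:aws:s3:::app-artifacts/*"]},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
]}

DEVELOPER_BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*", "lambda:*", "logs:*"], "Resource": "*"},
    {"Effect": "Deny", "Action": ["iam:*", "organizations:*", "sts:AssumeRole"], "Resource": "*"},
]}


def _match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _statement_applies(stmt, action, resource):
    # Action names are case-insensitive in IAM; ARNs are matched as written.
    return (any(_match(a, action, ignore_case=True) for a in _as_list(stmt.get("Action", []))) and
            any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))))


def evaluate_policy(policy, action, resource):
    """Decision of one policy document: 'Deny' (explicit), 'Allow', or 'Implicit' (no match).
    Simplified: Condition, NotAction and NotResource are not modelled."""
    decision = "Implicit"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny ends evaluation immediately
            decision = "Allow"
    return decision


def is_allowed(identity_policy, action, resource, boundary=None):
    """Effective permission of a principal with an optional permissions boundary.
    The request is allowed only when the identity policy allows it AND, if a boundary
    is attached, the boundary allows it too; an explicit Deny in either blocks it.
    SCPs, resource policies and session policies are out of scope for this example."""
    if evaluate_policy(identity_policy, action, resource) != "Allow":
        return False
    if boundary is None:
        return True
    return evaluate_policy(boundary, action, resource) == "Allow"


if __name__ == "__main__":
    for action, res in [("iam:CreateUser", "*"),
                        ("s3:PutObject", "arn:aws:s3:::app-artifacts/build.zip"),
                        ("ec2:TerminateInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0abc")]:
        print(f"{action:24} hammer={is_allowed(ADMIN_HAMMER, action, res)} "
              f"hammer+boundary={is_allowed(ADMIN_HAMMER, action, res, DEVELOPER_BOUNDARY)} "
              f"developer+boundary={is_allowed(DEVELOPER_POLICY, action, res, DEVELOPER_BOUNDARY)}")
```

Two things to take from running it: the same "hammer" policy that allows `iam:CreateUser` on its own is blocked once the boundary is attached, and the boundary's `s3:*` does not let the developer role write to S3, because the boundary is a ceiling, not a grant. The job-function role still has to be written for least privilege.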
Phase 3: JIT & Secrets
- Implement JIT for production write access (Azure PIM; on AWS, a temporary elevated access workflow built on IAM Identity Center) so elevated roles are assumed for a bounded window, with approval and an audit trail, and expire on their own.
- Move application secrets out of code and config into cloud secret managers (AWS Secrets Manager, Azure Key Vault, GCP Secret Manager) and have workloads fetch them at runtime using their own identity.
- Goal: Zero Standing Privilege in the cloud. No human or workload holds a high-privilege credential that is valid while it is not in use.
Risks
- Metadata Service Attacks (SSRF): An attacker tricks a VM into fetching its own instance metadata endpoint and returning the credentials of the role attached to the instance (the 2019 Capital One breach). Require IMDSv2 (session-token) access, keep the response hop limit at 1, and give instance roles only what the workload needs.
- Public Buckets: The classic misconfiguration. PAM doesn't fix this directly, but restricting who can change bucket policies and ACLs, combined with account-level Block Public Access, does.
- Service Principals: Non-human identities with "Contributor" (or broader) rights whose client secrets are never rotated. Prefer managed or workload identities that have no secret to rotate; where a secret is unavoidable, vault it and rotate it on a schedule.
- Multi-Cloud Sprawl: AWS IAM works differently from Azure RBAC and GCP IAM. Applying one provider's model to the others leaves gaps; map each provider's concepts explicitly.
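The metadata-service risk is cheap to inventory because every AWS instance exposes its IMDS settings in `describe-instances` output. The check below is an added example, not the page's or AWS's own code; it reads a constructed sample in the shape of that output (the field names are the real ones; the instance IDs, account ID and profile names are made up) and ranks each instance by whether an SSRF could reach role credentials, then emits the real `modify-instance-metadata-options` command that closes the gap.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-instances`, trimmed to the fields
# this check reads. MetadataOptions.HttpTokens ("optional" allows IMDSv1, "required"
# forces IMDSv2), HttpPutResponseHopLimit and IamInstanceProfile are the real field names.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa0000000000001",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/waf-proxy"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0bbb0000000000002",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/ecs-host"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 2}},
    {"InstanceId": "i-0ccc0000000000003",
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/app"},
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required", "HttpPutResponseHopLimit": 1}},
    {"InstanceId": "i-0ddd0000000000004",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional", "HttpPutResponseHopLimit": 1}},
]}]})


def find_imds_exposure(describe_instances_json):
    """Return {instance_id: [reasons]} for instances whose metadata endpoint would hand
    something to an SSRF. With IMDSv1 a plain GET to 169.254.169.254 returns role
    credentials; IMDSv2 first needs a PUT that an SSRF usually cannot issue. Instances
    with no role are reported at lower severity: no credentials, but metadata still leaks."""
    findings = {}
    for reservation in json.loads(describe_instances_json)["Reservations"]:
        for inst in reservation["Instances"]:
            opts = inst.get("MetadataOptions", {})
            has_role = "IamInstanceProfile" in inst
            if opts.get("HttpEndpoint", "enabled") == "disabled":
                continue  # IMDS switched off: nothing reachable at 169.254.169.254
            reasons = []
            if opts.get("HttpTokens") != "required":
                reasons.append(("HIGH" if has_role else "LOW")
                               + ": IMDSv1 allowed, a plain GET from an SSRF returns "
                               + ("role credentials" if has_role else "instance metadata"))
            if opts.get("HttpPutResponseHopLimit", 1) > 1 and has_role:
                reasons.append("MEDIUM: hop limit > 1, a container or forwarded request on the host "
                               "can obtain an IMDSv2 token and then the host role's credentials")
            if reasons:
                findings[inst["InstanceId"]] = reasons
    return findings


def remediation_commands(findings):
    """One command per flagged instance. These are real flags of
    `aws ec2 modify-instance-metadata-options`; the instance IDs come from the findings."""
    return [f"aws ec2 modify-instance-metadata-options --instance-id {iid} "
            "--http-endpoint enabled --http-tokens required --http-put-response-hop-limit 1"
            for iid in sorted(findings)]


def run_sample():
    return find_imds_exposure(SAMPLE_DESCRIBE_INSTANCES)


if __name__ == "__main__":
    for iid, reasons in run_sample().items():
        print(iid, *reasons, sep="\n  ")
    print(*remediation_commands(run_sample()), sep="\n")
```

The hop-limit finding needs judgement: a host that runs containers which must reach IMDS (ECS on EC2 using the instance role, for example) is sometimes set to 2 on purpose, and the correct fix there is to give the tasks their own task roles rather than to share the host role. To stop the gap reappearing, pair the scan with a preventive policy that denies `ec2:RunInstances` unless the `ec2:MetadataHttpTokens` condition key equals `required`.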
KPIs
- Root Usage: Number of sign-ins to the root/master cloud account (Target: 0 outside a documented, alerted break-glass event).
- JIT Rate: Percentage of high-privilege cloud role assumptions that go through a JIT/PIM workflow rather than a standing assignment (Target: rising toward 100%).
- MFA Coverage: Percentage of privileged users/roles with MFA enforced at the IdP (Target: 100%).
- Policy Violations: Number of open CSPM/CIEM findings for over-privileged, wildcard or unused IAM roles (Target: trending down, with an age limit on each finding).
