
Stop risking cloud security with over-permissive Cloud Custodian roles


Configuring permissions for Cloud Custodian functions can be tricky. 

The tool is an open-source, stateless rules engine that manages Amazon Web Services (AWS) environments. It consolidates many of the dozens of tools and scripts that most organizations use to manage their public cloud accounts, allowing users to manage those cloud accounts with just one, open-source, lightweight, flexible tool. 

But without a decent guide, developers and cloud managers are often left to their own devices, leading to the use of over-permissive roles for these functions. This can introduce unnecessary risk to the cloud and leave the organization vulnerable to security breaches.

To understand why this is such a common problem, it's important to understand what Cloud Custodian functions are and why they're used. 

In short, Cloud Custodian functions are small pieces of code that are used to automate various tasks in the cloud, including anything from cleaning up old resources to monitoring for security violations.

The problem with these functions is that they require access to various resources in the cloud. The functions need to be given permission to access those resources, and that permissions configuration process can be both difficult and time-consuming. This is especially true if the organization is using multiple cloud providers or has a complex cloud infrastructure.

The easy (but risky) way out

Given how arduous it is to configure Cloud Custodian functions, many developers and cloud managers opt for the easy solution: they provision over-permissive roles.

In other words, they give the functions more access than the functions really need in order to get the job done. This may seem like a quick and easy fix, but it introduces unnecessary risk to the organization's cloud infrastructure.

If a malicious actor gains access to one of these functions, they could potentially use it to access sensitive resources in the cloud. This could lead to data breaches, security vulnerabilities and other serious issues.

The best way to avoid this problem is to take the time to carefully configure the permissions for your Cloud Custodian functions. This means identifying the specific resources that the function needs to access and only giving them the access that they need to perform their tasks. This can be a time-consuming process, but it's essential to ensuring the security of your cloud infrastructure.
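As an added example (not code from this post or from Contrast), here is a small Python check that compares the IAM policy attached to a Custodian Lambda role against the actions the Custodian policy actually needs. The required-action set, both role documents and the account id are constructed for this illustration: they model a periodic-mode policy that stops EC2 instances missing an Owner tag.

```python
import fnmatch
import json

# Constructed sample input: the IAM actions a Cloud Custodian policy that stops
# EC2 instances missing an Owner tag needs at runtime (assumed set for this
# example: describe + stop for the policy itself, CloudWatch Logs for the
# Lambda function's own logging).
REQUIRED_ACTIONS = {
    "ec2:DescribeInstances", "ec2:StopInstances",
    "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents",
}

# The "easy way out": a role that can do anything to anything.
OVER_PERMISSIVE_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# A role scoped to the policy's job (constructed; 123456789012 is a placeholder account id).
SCOPED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:StopInstances"],
     "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/custodian-*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_role(policy_doc, required_actions):
    """Compare an IAM policy document with the actions a function needs.

    Returns a dict with:
      missing   - required actions no Allow statement covers (function would fail),
      wildcards - Allow action patterns containing '*' (broader than any need),
      unscoped  - exact actions granted on Resource "*"; review these, since some
                  (e.g. ec2:DescribeInstances) do not support resource-level ARNs.
    IAM action matching is case-insensitive, so everything is compared lowercased.
    """
    allows = []
    for stmt in policy_doc["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt["Action"]):
            for resource in _as_list(stmt.get("Resource", "*")):
                allows.append((pattern.lower(), resource))
    missing = sorted(a for a in required_actions
                     if not any(fnmatch.fnmatch(a.lower(), p) for p, _ in allows))
    wildcards = sorted({p for p, _ in allows if "*" in p})
    unscoped = sorted({p for p, r in allows if r == "*" and "*" not in p})
    return {"missing": missing, "wildcards": wildcards, "unscoped": unscoped}


if __name__ == "__main__":
    for name, doc in (("over-permissive", OVER_PERMISSIVE_ROLE), ("scoped", SCOPED_ROLE)):
        print(name, json.dumps(audit_role(doc, REQUIRED_ACTIONS)))
```

The same check works on a real role: export the role's policy document with the AWS CLI or SDK, and build the required-action set from the Custodian policy's resource type, filters and actions.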

Another solution to this problem is to use a serverless scanner like the one offered by Contrast Security. 

Contrast's Serverless Application Security set of tools scans your Lambda function code and Custodian configuration and generates the set of required permissions, helping you to avoid over-permissive roles.

Using a serverless scanner can save you time and effort in determining the necessary permissions, and it can also help you to identify any potential security risks or compliance issues. 

Contrast Serverless can even suggest remediation actions to help you address any issues that are found.

Conclusion

Over-permissive roles for Cloud Custodian functions can introduce unnecessary risk to your cloud infrastructure. It's important to carefully configure the permissions for these functions to ensure that they only have the access that they need to perform their tasks. This can be a time-consuming process, but it's essential to the security of your cloud environment.

The Contrast platform can help you secure your lambdas and reduce the risk to your cloud infrastructure. Try it out today and see the benefits for yourself. Or schedule a demonstration with us!


Guy Fuchs, Development Manager, Contrast Security


Guy, a static code analysis expert, leads the Serverless Engine team at Contrast Security, responsible for the serverless static code analyzers. He has served as software engineer and team leader in several software organizations as well as system engineer and software architect. Guy lives in Israel with his family and enjoys reading, DIY and volunteering.