Least privilege is a ubiquitous concept in security, but applying it is easier said than done. Permissions are complicated and tuning them doesn’t rate high on most developers’ task list. Least privilege is also a moving target, it should adjust as application scope changes, but this typically requires manual review. Fortunately there is a better way. AWS provides a wealth of data that can be used to reason about true least privilege policies.
By using this data, the security team at Netflix creates rightsized policies automatically. This talk discusses the challenges of applying least privilege and the processes and open-source tool we used to overcome them.
Repokid open source is available at: https://github.com/Netflix/repokid/
PS: Netflix is hiring https://jobs.netflix.com/jobs/869615
Travis works at Netflix on the Cloud Security team where he enjoys building automation that increases security while simultaneously boosting developer productivity. Travis is a core developer of the Bandit and Repokid open source projects and has presented at security conferences including BlackHat USA, Enigma, and re:Invent. He currently serves as the Bay Area OWASP Chapter Lead, a security advisor for startups, and a mentor for people looking to get in to security. Find Travis on twitter