Least privilege is a ubiquitous concept in security, but applying it is easier said than done. Permissions are complicated, and tuning them ranks low on most developers' task lists. Least privilege is also a moving target: a policy should shrink or grow as an application's scope changes, but tracking that change typically requires manual review. Fortunately, there is a better way. AWS provides a wealth of data that can be used to reason about true least-privilege policies.
Using this data, the security team at Netflix generates right-sized policies automatically. This talk discusses the challenges of applying least privilege and the processes and open-source tool we use to overcome them.
Repokid is open source and available at: https://github.com/Netflix/repokid/
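The approach the abstract describes, narrowing a role's policy to the services it has actually used, as an added example written for this page. It is illustrative code, not Repokid's own implementation. It assumes service-level "last accessed" data of the shape IAM Access Advisor reports (service namespace to last authenticated time); the policy document, timestamps and role age below are constructed for the example. The rules it applies (leave young roles alone, never touch Deny or NotAction statements, flag a bare "*" for a human rather than removing it) are design choices made here, not rules taken from the talk.

```python
"""Narrow an IAM policy to the services a role has actually used.

Illustrative code for this page, not Repokid's implementation. Assumes
service-level last-accessed data (service namespace -> last authenticated
time, None = never) of the kind IAM Access Advisor returns.
"""

import copy
import json
from datetime import datetime, timedelta, timezone

# Constructed inputs for the example (not real account data).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["sqs:SendMessage", "sns:Publish"], "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
}

# service namespace -> last time the role authenticated to that service
SAMPLE_LAST_ACCESSED = {
    "s3": NOW - timedelta(days=3),
    "sqs": NOW - timedelta(days=120),
    "sns": NOW - timedelta(days=1),
    "dynamodb": None,
}


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value)


def service_of(action):
    """'s3:GetObject' -> 's3'. A bare '*' has no service namespace -> None."""
    return action.split(":", 1)[0].lower() if ":" in action else None


def unused_services(last_accessed, now=NOW, window_days=90):
    """Services with no authenticated use inside the observation window.
    A service absent from last_accessed is unknown, not unused, so it is kept."""
    cutoff = now - timedelta(days=window_days)
    return {svc for svc, ts in last_accessed.items() if ts is None or ts < cutoff}


def repo_policy(policy, last_accessed, role_age_days, now=NOW, window_days=90):
    """Return (narrowed_policy, removed_services) without mutating the input.

    Rules chosen for this example:
      * a role younger than the window is left untouched: no data is not "unused"
      * only Allow statements with an explicit Action list are narrowed;
        Deny and NotAction statements are copied verbatim
      * a bare '*' cannot be attributed to a service, so it is kept (see
        wildcard_statements for flagging it)
      * a statement whose Action list becomes empty is dropped
    """
    if role_age_days < window_days:
        return copy.deepcopy(policy), set()
    stale = unused_services(last_accessed, now, window_days)
    removed = set()
    new_statements = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            new_statements.append(copy.deepcopy(stmt))
            continue
        kept = []
        for action in _as_list(stmt["Action"]):
            svc = service_of(action)
            if svc in stale:
                removed.add(svc)
            else:
                kept.append(action)
        if kept:
            new_stmt = copy.deepcopy(stmt)
            new_stmt["Action"] = kept if len(kept) > 1 else kept[0]
            new_statements.append(new_stmt)
    narrowed = copy.deepcopy(policy)
    narrowed["Statement"] = new_statements
    return narrowed, removed


def wildcard_statements(policy):
    """Allow statements granting '*' as an action. Service-level usage data
    cannot shrink these, so they need a finer-grained source or a human."""
    return [s for s in policy["Statement"]
            if s.get("Effect") == "Allow" and "*" in _as_list(s.get("Action", []))]


if __name__ == "__main__":
    narrowed, removed = repo_policy(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED, role_age_days=200)
    print("removed services:", sorted(removed))
    print("needs manual review:", wildcard_statements(narrowed))
    print(json.dumps(narrowed, indent=2))
```

Two caveats a practitioner should keep in mind when automating this: service-level last-accessed data tells you a role touched sqs, not which sqs actions it called, so the narrowing above removes whole services rather than individual actions; and an absence of data is only evidence of non-use once the role has existed for the full observation window, which is why the example refuses to narrow a role younger than that window.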