Test-Based Least Privilege Discovery on Cloud Infrastructure as Code

Infrastructure as Code (IaC) for cloud is an important practice due to its efficient and reproducible provisioning of cloud environments. On a cloud IaC definition (template), developers need to manage permissions for each cloud services as well as a desired cloud environment. To minimize the risk of cyber-attacks, retaining least privilege, i.e., giving a minimum set of permissions, on IaC templates is important and widely regarded as best practice. However, discovering least privilege on a target IaC template at one time is an error-prone and burdensome task for developers. One reason is that some actions of a cloud service implicitly use other services and require corresponding permissions, which are hard to recognize without actual executions on the cloud and burden the development process with iterations of permission setting and provisioned result checking. In this paper, we present a technique to automatically discover least privilege. Our method incrementally finds the least privilege by the iteration of testing on the cloud and (re)configuring permissions on the basis of test results. We conducted case studies and found that our approach can identify least privilege on Amazon Web Services within a practical time. Our experiments also show that the proposed algorithm can reduce the number of test executions, which directly affects the time and cost on cloud to determine least privilege, by 69.3% and 39.8% compared with the random and heuristic methods, respectively, on average.