Dismantling the Beast: Formally Proving Access at Scale in AWS
07-25, 11:30–11:50 (US/Eastern), Room 1

Identity and access management is proving to be one of the primary challenges in the cloud, at least partly due to the complexity of the systems involved. Nowhere is this more apparent than in AWS, which currently tracks over 13,000 unique granular permissions and at least 7 methods to approve or deny a particular action. Maintaining an accurate picture of who can really do what is challenging at best, and role assumption and the scale of some cloud estates, which reach hundreds or thousands of AWS accounts, only add to the difficulty.

This talk demonstrates IAMSpy, a new policy analysis engine designed to operate offline against large AWS organizations and built on the same underlying technology that powers AWS IAM Access Analyzer. IAMSpy uses an SMT solver to formally prove whether an action by a given IAM entity is possible against a particular resource. SMT solvers determine whether a given logical formula (in our case, the set of conditions that make up an account's IAM configuration) can be made true by any assignment of its input variables, and return such an assignment when one exists. This can then be used to determine which actions are possible across entire organizations. The speakers will talk through several existing use cases, show how to leverage IAMSpy in your own projects, and discuss future directions for the tooling and technology.
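To make the proof idea concrete, here is an added illustration that is not IAMSpy's code and not from the talk: a constructed identity policy and SCP are evaluated for every possible assignment of two condition keys, and the search either returns a request context under which the action is allowed (a witness) or establishes that no such context exists. Exhaustive enumeration over a finite domain stands in for the SMT solver, and the evaluation logic is a deliberate simplification of the real AWS algorithm.

```python
from fnmatch import fnmatchcase
from itertools import product

# Constructed sample policies (simplified IAM JSON, not from any real account):
# one identity policy on the role, one SCP on the account. Action/Resource are
# single strings here; real policies may also use lists.
IDENTITY_POLICY = [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::finance-*",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
]
SCP = [{"Effect": "Allow", "Action": "*", "Resource": "*",
        "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}}]

# Finite domain per condition key: the request-context "input variables" that
# the search ranges over (an SMT solver reasons about them symbolically).
DOMAIN = {
    "aws:MultiFactorAuthPresent": ["true", "false"],
    "aws:RequestedRegion": ["eu-west-1", "us-east-1"],
}

def statement_applies(stmt, action, resource, ctx):
    """True if the statement matches the action, resource and request context."""
    if not (fnmatchcase(action, stmt["Action"])
            and fnmatchcase(resource, stmt["Resource"])):
        return False
    # Only Bool and StringEquals are modelled; both reduce to string equality.
    for pairs in stmt.get("Condition", {}).values():
        if any(ctx.get(key) != expected for key, expected in pairs.items()):
            return False
    return True

def allowed(layers, action, resource, ctx):
    """Simplified AWS evaluation: an explicit Deny in any layer wins; otherwise
    every layer (identity policy, SCP) must contribute a matching Allow."""
    for layer in layers:
        hits = [s for s in layer if statement_applies(s, action, resource, ctx)]
        if any(s["Effect"] == "Deny" for s in hits):
            return False
        if not any(s["Effect"] == "Allow" for s in hits):
            return False
    return True

def find_witness(layers, action, resource):
    """Return a request context under which the action is possible, or None
    when no assignment of the condition keys permits it."""
    for values in product(*DOMAIN.values()):
        ctx = dict(zip(DOMAIN, values))
        if allowed(layers, action, resource, ctx):
            return ctx
    return None
```

A `None` result is the interesting one for a defender: it means the action is unreachable under every combination of condition values, which is exactly the kind of statement a solver can prove rather than merely fail to find.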

Nick Jones is a principal consultant at WithSecure, where he leads the cloud security consulting team. He focuses on AWS security and attack detection in large, complex estates and forward-thinking cloud-native organizations. He has previously spoken at fwd:cloudsec, RSA, Def Con Cloud Village, t2 and others, and is an AWS Community Builder.

Mohit Gupta is a senior consultant at WithSecure, where he specialises in AWS and Kubernetes, and is the technical lead for all things containerisation and orchestration. He has previously spoken at Steelcon, Def Con Cloud Village and Texas Cyber Summit.