Dynamic Permission Boundaries: A New Approach to Cloud Security
Episode description
In this episode, Ashish spoke with Kushagra Sharma, Staff Cloud Security Engineer, to delve into the complexities of managing Identity Access Management (IAM) at scale. Drawing on his experiences from Booking.com and other high-scale environments, Kushagra shares insights into scaling IAM across thousands of AWS accounts, creating secure and developer-friendly permission boundaries, and navigating the blurred lines of the shared responsibility model.
They discuss why traditional IAM models often fail at scale and the necessity of implementing dynamic permission boundaries, baseline strategies, and Terraform-based solutions to keep up with ever-evolving cloud services. Kushagra also explains how to approach IAM in multi-cloud setups, the challenges of securing managed services, and the importance of finding a balance between security enforcement and developer autonomy.
Guest Socials: Kushagra's Linkedin
Podcast Twitter - @CloudSecPod
If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:
- Cloud Security BootCamp
Questions asked:
(00:00) Introduction
(02:31) A bit about Kushagra
(03:29) How large can the scale of AWS accounts be?
(03:49) IAM Challenges at scale
(06:50) What is a permission boundary?
(07:53) Permission Boundary at Scale
(13:07) Creating dynamic permission boundaries
(18:34) Cultural challenges of building dev friendly security
(23:05) How has the shared responsibility model changed?
(25:22) Different levels of customer shared responsibility
(29:28) Shared Responsibility for MultiCloud
(34:05) Making service enablement work at scale
(43:07) The Fun Section