Third-party access is an underserved attack vector in AWS. It’s particularly hard to defend against, as guardrails like SCPs don’t apply to external identities, so there’s no central control. It’s also particularly risk-prone, as it’s easy to lose track of and often over permissioned, either from third-party access needs or lack of governance. Wiz reports 82% of companies unknowingly give 3rd parties access to all their cloud data, while Datadog warns that third-party access is the main vector for Confused Deputy attacks. Third parties tend to hang around with no structured offboarding; tracking them is the responsibility of a single person who forgets them in time.
Thanks to AWS’s recent innovation of Resource Control Policies (RCPs), you can now control third-party access risk in one place. RCPs are a new policy type that applies to the resources instead of principals, keeping identities outside an account from violating central access guidelines.
Sonrai has worked with AWS to fold RCPs into the Sonrai Cloud Permissions Firewall, extending permissions security from services, regions, and unused identities to third parties. RCPs might be new, but we’re experts in how they work!
In this webinar, we’ll cover:
