A Step-by-Step Guide to S3 Security Features & Setup

As the gold standard for reliably storing files of varying types in the cloud, Amazon’s S3 has become synonymous with storage.

While this widespread adoption is a sign of a good developer experience and reliable storage across the board, it also presents a unique opportunity for attackers looking to exploit multiple targets due to S3’s widespread adoption.
In 2024, Amazon’s Sonaris denied 27 billion attempts to find unintentionally public S3 buckets, highlighting the scale of these threats. In this post, we’ll provide practical steps that you, as a developer or IT professional, can take to defend your S3 resources and avoid becoming another statistic in the following security report.

What is Amazon S3?

Amazon Simple Storage Service, or S3, is an object storage service that can store all kinds of objects, from images to large chunks of genome data.

S3’s 99.999999999% uptime in a month provides security and peace of mind for developers and operations teams. Its ease of use, SDKs in most modern languages, and incredible durability make it a reliable choice for storing all kinds of objects.

Beyond its uptime and developer experience, S3 offers a generous free tier and reasonable pricing for most use cases. The first 50 TB costs $0.023 per GB.

5 Critical S3 Security Vulnerabilities

Within S3’s simplicity also lies the potential for critical vulnerabilities to arise; here are some of the most critical ones to be aware of:

1. Configuration Mistakes

While you can configure buckets for practically any use case, there are countless ways to misconfigure them. A common mistake is setting overly permissive CORS policies, allowing any origin to make requests to your bucket. Another frequent oversight is failing to enable encryption in transit, leaving your data vulnerable during transfer. These misconfigurations often slip through because they don’t break functionality—everything works fine until it doesn’t.

Additionally, they can arise from a lack of adherence to zero trust principles, meaning implicit trust is placed in users and systems. The zero trust principle is a security concept that requires strict identity verification for every person and device trying to access resources on a network, regardless of whether they are inside or outside the network’s perimeter. One approach to mitigating these risks is implementing Just-In-Time (JIT) access, ensuring that users only have the necessary permissions for the specific tasks they need to perform and only for the duration of that task.

2. Malicious Uploads

If your S3 bucket is secure, don’t forget to consider what goes into it. Without proper file validation, attackers can upload malicious files such as viruses, trojans, or ransomware that your application serves to users. If an attacker uploads malware-infected files, they can use your legitimate application as a malware platform.

3. Lack of Visibility

While AWS provides a decent console interface, most developers in production environments can’t access it due to security policies, which creates a significant visibility gap. Teams often build their own front-end interfaces to manage and monitor their S3 resources. Without proper visibility, you might not notice unusual access patterns or unauthorized changes until it’s too late, hindering governance and compliance efforts.

4. Publicly Accessible Buckets

Publicly accessible buckets containing sensitive data remain the leading cause of S3-related breaches. It’s not just about misconfiguration; sometimes, it’s a legitimate requirement gone wrong, which could expose API keys, database credentials, secrets, and more. You may need to share some files temporarily and make the bucket public, planning to lock it down later. Then, someone uploads sensitive data without realizing it’s public, and suddenly, your company’s internal documents are indexed by search engines. It’s a mistake that’s embarrassingly common yet immensely effective for attackers.

5. Vulnerable Third-Party Integrations

The quest for better S3 management often leads teams to third-party tools and packages. You could find a great visualization tool for your bucket structure or a convenient package for handling uploads. The catch is these integrations often require your AWS access keys.

If that third-party service gets compromised, your keys are in the wild. Even worse, using a vulnerable package in your application could give attackers direct access to your S3 resources. Remember the event-stream incident? One compromised package can affect thousands of projects.

A Step-by-Step Guide to S3 Security Features

While the attack surface for S3 varies depending on your use case, Amazon is constantly building features to secure access to your S3 buckets. These features align with the zero trust principle of minimizing the attack surface by restricting public access by default. Below are some of the most useful ones.

Block Public Access Enhancements

AWS has significantly enhanced its public access blocks, which operate at both the account and bucket levels. You can enforce these blocks across your entire organization. Even if a developer accidentally opens a bucket to the public during testing, these enhanced blocks act as a fail-safe, preventing public access.

Access Control Lists

While AWS now recommends using bucket policies as the primary access control mechanism, Access Control Lists (ACLs) provide valuable functionality for specific use cases. ACLs can be used to specify which users or groups are authenticated to access particular objects within a bucket, providing granular control over access. These ACLs operate at the bucket and object levels, giving you precise control over who can access particular objects. The recent enhancements to ACLs make them particularly useful when you need to:

Grant cross-account permissions to particular objects without sharing entire buckets.
Support legacy applications that rely on the ACL model.

Source

Object Ownership

S3’s object ownership controls have become a powerful tool for preventing confused deputy scenarios. A confused deputy scenario occurs when a malicious actor tricks an authorized user or application into misusing their privileges to access or modify resources they shouldn’t be able to. By enforcing the bucket owner, you guarantee that all objects uploaded to your bucket belong to the owner, regardless of who uploaded them. This seemingly simple feature prevents access control headaches, especially when dealing with cross-account access or third-party uploads.

Amazon Macie

Macie has transformed from a nice-to-have tool for S3 security to a must-have. Its enhanced sensitive data detection capabilities automatically scan your buckets for information such as credit card numbers, API keys, and personally identifiable information.

Macie’s integration with EventBridge allows you to automate responses to sensitive data discoveries, such as automatically encrypting or quarantining suspicious objects.

Source

Storage Lens

Lens provides visibility into S3 usage patterns across your organization. Analyzing access patterns and configuration settings can spot potential security risks before they become problems. For instance, it can identify buckets with unusual access patterns or those missing critical security controls, such as encryption.

Object Versioning

While object versioning has been around for a while, its security features are well worth highlighting. Beyond backup and restore capabilities, versioning is an additional line of defense against malicious actions and accidental deletions. You can recover the previous versions if someone overwrites or deletes your objects. In a world where ransomware attacks increasingly target cloud storage, this feature has become a critical component of any S3 security strategy.

5 S3 Security & Setup Best Practices

Here are five essential S3 security best practices that will dramatically reduce your risk exposure:

Follow the principle of least privilege. Grant only the minimal permissions needed for each user, service, or application. Use IAM roles instead of long-term access keys whenever possible, and implement strict bucket policies that explicitly deny public access.

1. Restrict Access to Your S3 Resources

Beyond restricting access, consider implementing Just-In-Time (JIT) access. JIT access grants temporary privileges only when needed, minimizing the potential impact of compromised credentials or misconfigurations.

2. Embrace Logging

Enable AWS CloudTrail for all API activity and S3 server access logging for detailed request data. CloudWatch Alerts should also be used to automate the monitoring of these logs.

3. Implement Encryption Everywhere

Enable default encryption for all buckets to protect data at rest. You have three main options for encrypting your S3 objects:

SSE-S3 is the simplest option. In this option, AWS manages the encryption keys for you. It’s ideal for basic encryption needs where you don’t require granular control over your keys.
SSE-KMS: This option gives you more control over your encryption keys. You can create and manage your keys using the AWS Key Management Service (KMS), which allows access policies and track key usage.

Client-Side Encryption: With this option, you encrypt your data before uploading it to S3. This gives you complete control over your encryption keys and ensures that only you can decrypt your data. However, it also requires you to manage your encryption infrastructure.

Source

4. Enable Versioning with Lifecycle Policies

Versioning protects against accidental and malicious deletions or modifications. Still, it’s important to note that versioning alone does not prevent unauthorized access—it merely retains a history of your object versions. To control costs while maintaining security, you can pair this with lifecycle policies that automatically move older versions to cheaper storage classes or archive them after a defined period.

5. Use ACLs Strategically for Granular Control

While bucket policies handle broad permissions, leverage ACLs for object-level permission requirements. It provides an additional security layer, especially useful in multi-tenant environments or when granting temporary access to specific objects without exposing entire buckets.

S3 Access Without the Hassle with Apono

You can secure your S3 resources with the best practices we discussed above, including:

Restricting access to your S3 resources
Embracing logging
Implementing encryption everywhere
Enabling versioning with lifecycle policies
Using ACLs strategically for granular control

Robust security can sometimes restrict an organization’s engineers, but with tools like Apono, you can implement frictionless cloud access to resources.

While Apono doesn’t directly manage or secure S3 buckets, it helps organizations implement robust access controls for S3 resources. Apono integrates with AWS natively, allowing you to manage access to your S3 buckets, IAM roles and groups, EC2, EKS clusters, RDS instances, and more. With Apono, you can simplify the implementation of JIT access for S3 resources, allowing you to easily manage and control temporary permissions without hindering productivity.
Book a demo today to give Apono a try.

Apono Names Boone Quesnel as VP of Business Development & Alliances to Drive Strategic Growth

Quesnel will lead the expansion of Apono’s cloud ecosystem and partner program, accelerating market adoption.

New York, NY. March 11, 2025 – Apono, the leader in privileged access for the cloud, has appointed Boone Quesnel as Vice President of Business Development and Alliances. Boone brings extensive experience in developing and scaling cloud alliances and partner programs, adding critical expertise as Apono continues to expand. Boone will focus on building and enhancing Apono’s alliance and partner programs across cloud, channel, and technology partner programs to accelerate growth in new markets. Boone’s leadership is set to play a pivotal role in shaping the future of Apono’s business development, positioning the company for long-term success and innovation.

Before Apono, Boone served as Senior Director of Global Strategic Alliances and Business Development at Starburst, an AI and Data Analytics Platform Company, where he spearheaded strategic initiatives and drove growth through partnership programs across cloud and technology alliances. Prior to that, Boone was the Director of Cloud Alliances Business Development – US West at Rubrik, a cloud data management and security company. There, he played a pivotal role as a founding member of the company’s cloud alliance program, which served as a leading driver in growth before the company’s IPO. While at ServiceNow, he was responsible for go-to-market sales and re-launching their customer success program as a Client Success Executive.

“I’m thrilled to join Apono at such a pivotal moment in its growth. Strategic alliances and partnerships are key to scaling adoption, and Apono’s innovative approach to automated, just-in-time access management creates a powerful opportunity for ecosystem expansion,” said Boone Quesne, VP of Business Development and Alliances. “By deepening our cloud alliances, technology alliances, and channel partnerships, we can accelerate innovation, help enterprises securely scale, and drive broader market adoption of Apono’s unique value proposition.”

Since securing $15.5 million in Series A funding last October, Apono has continued to focus on growth. Boone is key to this strategy, scaling Apono’s go-to-market approach with a focus on channel partners, integrators, cloud, and tech/ISV alliances. He will develop Apono’s inaugural partner program to build momentum and credibility, aligning partnerships to drive customer value and enhance engagement. Additionally, Boone will manage Apono’s cloud alliance programs to foster mutual growth, identify new business opportunities, and drive market expansion. His strategic vision and leadership will strengthen Apono’s market presence and deliver innovative solutions, positioning the company for continued success in the competitive cloud access management market.

“Apono has experienced tremendous growth over the past year, and we’re excited to welcome Boone to the team to continue that momentum,” said Rom, CEO and Co-founder of Apono. “Boone’s extensive experience in building and growing cloud alliance and partner programs will be pivotal in driving our business development and expanding our reach. His strategic vision and leadership will accelerate our growth and extend the agility and security made possible by the Apono platform to more customers.”

For more information, visit the Apono website here: www.apono.io.

About Apono:

Founded in 2022 by Rom Carmel (CEO) and Ofir Stein (CTO), Apono leadership leverages over 20 years of combined expertise in Cybersecurity and DevOps Infrastructure. Apono’s Cloud Privileged Access Platform offers companies Just-In-Time and Just-Enough privilege access, empowering organizations to seamlessly operate in the cloud by bridging the operational security gap in access management. Today, Apono’s platform serves dozens of customers across the US, including Fortune 500 companies, and has been recognized in Gartner’s Magic Quadrant for Privileged Access Management.

Media Contact:

Lumina Communications

[email protected]

IAM Identity Center: The Essential Guide to AWS Identity Center

Managing AWS access shouldn’t feel like a full-time job, but for many teams, it does. Lost passwords, confusing role configurations, and endless back-and-forth discussions with the IT department regarding access requests slow down development and team productivity.

Poor access management is not just about efficiency; it’s also a security risk. Weak password policies, excessive user privileges, delayed offboarding, and insider threats can all expose your cloud environment to attacks. In fact, global spending on Identity and Access Management (IAM) hit $18.5 billion in 2024 as companies try to tackle these challenges.

AWS IAM Identity Center is designed to simplify access management, giving teams secure, centralized control over permissions. Understanding how AWS IAM Identity Center works is critical for understanding how to make access management easier and more streamlined.

What is AWS IAM Identity Center?

AWS IAM Identity Center (formerly AWS Single Sign-On, renamed on July 26, 2022) is an AWS service that helps teams manage access to multiple AWS accounts and applications from a single place. Instead of managing different login credentials or manually assigning permissions, the IAM Identity Center centralizes access management.

With IAM Identity Center, you can create new users, connect an existing identity provider (like Microsoft Entra ID or Okta), and integrate Kubernetes to manage access to your clusters and applications.

IAM Identity Center is completely free, and you only pay for the underlying AWS services your users access, making it a cost-effective way to streamline identity management across AWS environments.

When to Use AWS IAM Identity Center

IAM Identity Center solves real-world attack surface management challenges, streamlines access control, and improves identity governance. Here’s when your team should consider using it:

1. Your team spends too much time managing AWS access

Without the IAM Identity Center, admins must manually create IAM roles and policies for each user and AWS account. With the IAM Identity Center, permissions are centrally managed, reducing administrative overhead.

2. Developers need to access multiple AWS accounts regularly

Instead of switching between different IAM users and roles for each AWS account, the IAM Identity Center allows developers to log in once and securely access all assigned AWS environments without friction.

3. Security teams need better control over access and compliance

With temporary permissions and centralized policies, the IAM Identity Center helps enforce least privilege access and automates offboarding when employees leave.

4. You use external identity providers like Okta or Microsoft Entra ID

Instead of managing users separately in AWS, the IAM Identity Center integrates with external directories, allowing employees to log in with their existing corporate credentials.

5. Your organization is implementing a Just-in-Time access model

Granting standing access, where permissions remain active indefinitely, creates a significant security risk of compromised credentials. A Just-in-Time (JIT) access model mitigates this risk by granting temporary permissions only when needed for a specific task or timeframe. IAM Identity Center facilitates JIT access by allowing you to define fine-grained permissions and set session durations, enabling you to implement a robust JIT strategy across your AWS environment.

AWS IAM vs AWS IAM Identity Center: Similarities and Differences

AWS offers two primary services for managing access and identities: AWS Identity and Access Management (IAM) and AWS IAM Identity Center. The table below explains the differences and similarities between these two services.

Key Features of AWS IAM Identity Center

IAM Identity Center provides several features that make AWS access more secure, automated, and easy to manage.

1. Centralized Permission Management

Admins can assign permissions across multiple AWS accounts from one console.
It uses permission sets to define standardized access levels (e.g., AdministratorAccess, and ReadOnlyAccess) that can be consistently applied to users and groups.

2. Single Sign-On (SSO)

Users log in once and get access to multiple AWS accounts, services, and business applications (like Salesforce, Slack, and Zoom) without needing multiple credentials.
Supports Security Assertion Markup Language (SAML) 2.0, allowing integration with third-party SSO solutions.

3. Temporary Access

Traditional IAM users rely on long-term access keys, which can be compromised if exposed in code or logs.
IAM Identity Center eliminates this risk by issuing temporary, time-limited credentials, enabling a JIT access approach. JIT ensures that users only have access to resources when needed, reducing the window of vulnerability for standing privileges.

4. Access Control Options

While IAM Identity Center primarily uses Role-Based Access Control (RBAC), it can also be configured to support Mandatory Access Control (MAC) and Attribute-Based Access Control (ABAC).
Reduces role sprawl and enables automated, context-aware access management, making it easier to enforce least privilege policies.

5. Multi-Factor Authentication (MFA)

IAM Identity Center enforces MFA across all users and requires additional verification methods, such as FIDO security keys, TOTP (Google Authenticator), or push notifications.
Helps protect against compromised credentials by ensuring an extra layer of authentication before users can access AWS accounts.

How to Use IAM Identity Center

Setting up the AWS IAM Identity Center is straightforward. Here’s how you can get started.

Step 1: Enable IAM Identity Center

Sign in to the AWS Management Console using your AWS account credentials. Then, navigate to the IAM Identity Center and click the Enable button.

Once the IAM Identity Center is enabled, you will see the screen below with details like Instance name, Instance ID, Region, Instance ARN, Provisioning method, Identity Store ID, etc.

Note: If you’re using AWS Organizations, choose to enable the IAM Identity Center for your organization.

Step 2: Change Your Identity Source (Optional)

By default, the IAM Identity Center will use the Identity Center directory as its Identity source. However, you can change the Identity source and AWS access portal URLs from the Identity source tab.

IAM Identity Center provides three identity sources from which you can select.

Identity Center directory
Active Directory
External identity provider

When you click the Next button, you will see different configuration options based on your selection. For example, here are the options you will see if you select an External identity provider as the Identity source.

Step 3: Create Users and Groups

To create a new user, navigate to the Users section and click the Add user button.

You need to enter some mandatory details about the user, such as the:

Username
Password generation option
Email
First name
Last name
Display name

There are some optional details, such as:

Contact methods
Job-related information
Address
Preferences
Additional attributes

In the next screen, you need to add the newly created user to a user group (optional). The screen will show all the available user groups in your Identity Center, or you can create a new user group by clicking the Create group button.

If you choose the Create group option, a new tab will open where you can create a new user by entering a Group name. You can also add any existing users to that group.

Then, go back to the user create wizard and refresh the groups list. Now, you should see the newly created group listed.

Finally, select the group for which you need the new user, review the changes, and click on the Add user button to create the user. Now, you should see the newly created user in the Users tab and the newly created group in the Groups tab.

Step 4: Add Permission Sets

Navigate to Permission sets under the Multi-account permissions section. Click Create permission set and choose whether to use AWS-managed policies (e.g., AdministratorAccess, ReadOnlyAccess) or define custom permissions.

If you select the Predefined permission set, you will get a list of AWS managed policies to select from.

On the next screen, set the session duration, MFA requirements, and additional configurations based on your security needs, and click Create to finalize the permission set.

Step 5: Assign Users and Groups to AWS Accounts

In the IAM Identity Center console, go to the AWS accounts section. Select the AWS account where you want to assign permissions.

Click Assign users or groups, and choose the users or groups you want to grant access to.

Then, click Next and select the permission set that defines their access level.

Finally, click Next, Review, confirm the selections, and hit Submit.

Step 6: Accept the Invitation

Now, the user you invited should have already received an email with the login details below:

The next steps are a breeze since we selected the Send an email option, which provides the user with password setup instructions. The Accept invitation button will take you to the signup page, where you can set up a new password.

Step 7: Access AWS Accounts and Applications

Use the access portal URL in the email to log in to the AWS console using the username and newly created password. When the user logs in for the first time, the user will have to configure an MFA device.

In the access portal, the user can select the assigned AWS accounts and access the permitted services.

Take Full Control of AWS Access Management with Apono

Managing AWS access for multiple accounts and users is definitely a challenge. IAM Identity Center makes it easier by centralizing permissions, enabling single sign-on, and reducing the need for long-term credentials to keep access management simple and secure.

With Apono, you can take access management a step further by automating access approvals and eliminating manual intervention, enabling a Just-In-Time access model. Instead of jumping into the AWS IAM Identity Center console every time a user needs access, Apono allows teams to request and approve permissions directly from Slack. With Apono, you can seamlessly manage access to S3, IAM roles, EC2, EKS, RDS, and more without disrupting your workflow. Make AWS access management effortless by checking out how Apono integrates with AWS.

Just-In-Time (JIT) Access Management: The Essential Guide

Standing privileges are a ticking time bomb in your cloud environment—and the threat might be closer than you think. Every user with continuous access represents a potential vulnerability, and the financial, reputational, and legal reputations can be severe.

Stolen credentials were among the top three reasons hackers gain access to organizations’ systems. This is no podium to be proud of—standing privileges are vulnerable to identity-based attacks like social engineering and password spraying. There’s always the risk that hackers can get in and execute crippling data breaches.

Just-In-Time (JIT) access management provides the ultimate solution, granting access only when needed and for a limited time. JIT minimizes the window of opportunity for attackers to undertake their malicious activities, keeping your organization’s iron gates locked.

What is Just-In-Time (JIT) access management?

Just-In-Time (JIT) access management grants users precise access only when they need it and for the specific duration required to complete a task or project.

It’s like providing a temporary key to a specific room rather than giving someone a master key to the entire building. The “just enough, just in time” approach minimizes the risks associated with standing privileges, where users have continuous access that can be exploited if credentials are compromised.

With JIT, permissions are granted on a per-request basis, typically through an automated workflow. Using the JIT methodology to limit the window of time a user has access rights strengthens your security posture, simplifies compliance, and improves operational efficiency.

3 Types of Just-In-Time (JIT) Access

Ephemeral Access: A unique, temporary account is created specifically for the user’s task and then automatically deleted once the task is complete. Ephemeral access eliminates the risk of lingering privileges and minimizes the potential for unauthorized access—kind of like a disposable key that self-destructs after use.
Temporary Elevation: With this method, users retain their existing accounts but can request elevated privileges when needed. Access is granted for a specific duration and then automatically revoked, ensuring that users only have the necessary permissions for the task at hand.
Justification-Based Access: Users must clearly justify why they require privileged access. This justification is then reviewed against predefined policies to determine whether access should be granted. If approved, a privileged account is created with the necessary permissions and credentials, which are securely managed and rotated through a central vault.

Automated Just-In-Time (JIT) Access Management: Why You Need It

Manually handling access requests is like playing a game of whack-a-mole, where busy development and DevOps teams are constantly chasing the next urgent demand. Automated JIT provides a smarter solution, enabling you to reduce the manual overhead required when servicing requests. Instead, an automated JIT platform provides you with a seamless and fast solution to counter the risks of over-permissions.

Automated JIT platforms enable you to validate requests, grant permissions, and revoke access automatically without manual intervention. This smarter approach frees up your team to focus on more strategic tasks while ensuring a consistent and secure access control environment. With features like auto-expiring permissions and detailed reporting, automated JIT platforms (like Apono) give users the power to self-serve without compromising security. It’s a win-win for everyone.

How Automated Just-In-Time (JIT) Permission Management Can Benefit Your Business

Enhanced Security: By granting access only when needed and for a limited time, you significantly reduce the potential damage from compromised credentials and dangerous standing permissions.
Improved Productivity and User Experience: Automated JIT eliminates the friction and delays associated with manual permission management. Users get precisely the access they need when they need it.
Simplified Compliance: Automated JIT helps you meet regulatory requirements like HIPAA, SOC2, CRA, and GDPR by providing comprehensive audit trails and enforcing least privilege access.
Speed and Agility: Submitting an access request is time-consuming for the end user and equally slow for the teams manually approving it on the other end. Automatically requesting, granting, and revoking access removes the need to manually provision or change roles each time a developer needs new access privileges in cloud resources, applications, or data repositories.

6 Best Practices for Enabling Automated Just-In-Time (JIT) Access Management

JIT access is a powerful security mechanism, but it requires careful planning and execution. Here are six best practices to guide your implementation:

1. Prioritize and Secure Critical Assets

Begin by identifying the most privileged accounts and assets in your environment, such as:

Domain Administrators: Users with domain-wide admin rights.
Enterprise Admins: Users with control over all domains, users, groups, and organizational units.
Root or Administrator Accounts: Users with the highest level of access to systems and applications.
Database Administrators (DBAs): Users with privileged access to databases.
Cloud Service Accounts: Accounts with elevated permissions in cloud environments (e.g., AWS root account).
Accounts with Access to Sensitive Data: Users who can access confidential customer data, financial records, or intellectual property.

Conduct a thorough risk assessment to identify and prioritize your most critical assets—vulnerability scanning tools and penetration testing can help uncover potential weaknesses. At this point, you can implement JIT access controls for these high-risk targets first, then gradually expand coverage to other areas.

2. Embrace Granular Access Control with RBAC and ABAC

Leverage role-based access control (RBAC) and attribute-based access control (ABAC) to define fine-grained access policies. RBAC allows you to assign access based on roles, while ABAC enables dynamic permission assignment based on user attributes and context:

RBAC: Assign access based on predefined roles within your organization. For example, a “Marketing Manager” role might have access to marketing-related tools and data, while a “Developer” role would have access to code repositories and development environments.
ABAC: Consider attributes like user location, device type, time of day, and data sensitivity to add context to your access control. For instance, you could restrict access to financial systems from outside the corporate network or during non-business hours.

This combination ensures that users only have the necessary access for their specific responsibilities.

3. Establish Clear Policies for Temporary Access

Define clear criteria for granting temporary access, including:

Valid Accounts: Specify which accounts are eligible for temporary access.
Access Duration: Set time limits for temporary access, ensuring permissions are automatically revoked after a predefined period.
Time-Based Restrictions: Implement time-of-day or day-of-week restrictions to limit access during sensitive periods.
Approval Workflows: Define approval processes for temporary access requests, ensuring appropriate personnel review and authorize requests.

For example, you can limit access to certain resources during specific hours or days, minimizing the vulnerability window.

Implement Comprehensive Auditing and Monitoring

Maintain a detailed audit trail of all access activities—some automated JIT platforms will take care of this for you. Alternatively, you can consider using a Security Information and Event Management (SIEM) system to centralize and analyze access logs.

For example, automated JIT platforms provide visibility into user logins/logouts, resource access, privilege escalations, failed access attempts, and more. These insights into user behavior help detect anomalies and ensure compliance with regulatory requirements like SOC2 and PCI DSS.

Implement a Credential Management System

Implement a robust credential management system that automatically:

Rotates Credentials: Regularly change passwords and access keys to minimize the impact of compromised credentials. You could do this on a scheduled basis (e.g., every 90 days) or triggered by events like user activity or suspected compromise.
Supports Multi-Factor Authentication (MFA): Require users to provide multiple forms of authentication to verify their identity, such as one-time passwords (OTPs), biometrics, and security keys.
Leverages Different Credential Types: Explore different types of credentials for your organization beyond traditional passwords, including access keys, certificates, or tokens.

Another tip is to ensure a credential management system integrates with your existing identity providers, such as Active Directory or cloud-based identity services.

Choose an Automated Access Management Platform

An automated access management solution like Apono simplifies JIT implementation and enforcement. For example, Apono’s key features include:

Automated Access Requests and Approvals: Users can request access to resources through Apono’s integrations with platforms like Slack, and approvals can be automated based on predefined policies.
Automated Permission Revocation: Apono automatically revokes permissions after a specified duration or when they are no longer needed, eliminating the risk of standing privileges.
Integration with Existing Systems: Apono integrates with various identity providers (e.g., Okta, Azure AD), cloud platforms (e.g., AWS, GCP, Azure), and DevOps tools.
Detailed Reporting and Analytics: Apono provides comprehensive audit logs and reporting capabilities, giving you visibility into access patterns and potential security risks.

With our platform, you can confidently enforce least privilege, minimize your attack surface, and maintain a strong security posture.

Automate Just-In-Time Access and Secure Cloud Assets with Apono

Traditional approaches that rely on standing privileges are no longer sufficient in today’s dynamic threat landscape. Just-in-time access enables your organization to strengthen its security posture, maintain continuous compliance, and support teams without sacrificing productivity.

Apono significantly reduces risk by eliminating standing privileges and preventing lateral movement within your cloud environment. Our cloud-native access governance platform delivers fast, self-service access that’s precisely tailored to each user’s needs, granting just enough permissions for just the right amount of time.

With Apono, you gain complete visibility into who has access to what, enforce granular access controls at scale, and strengthen your overall security posture.Ready to experience the power of Apono? Book a demo today and see how we can transform your cloud security.

Top 10 IAM Tools by Category

The explosion of remote work and digital transformation has unleashed a tidal wave of new systems and software. Even smaller or ‘old-school’ companies are juggling more applications than ever before to keep pace with collaboration and automation in the remote age.

Yet, every exciting new system requires login credentials, secrets, and access privileges, creating potential entry points for cybercriminals. IBM’s 2024 Data Breach Report found that phishing and stolen or compromised credentials were the two most prevalent attack vectors, leading to significant financial impacts.

As a result, IAM tools act as the unsung heroes of modern working, providing the control and oversight needed to ensure that only authorized users access the right resources at the right time.

What are IAM tools?

Identity and Access Management (IAM) tools provide a robust framework to ensure that only authorized users access sensitive data and critical systems while also streamlining employee requirements and boosting productivity.

These tools offer a range of powerful features, including automated user provisioning, multi-factor authentication (MFA), single sign-on (SSO), and a centralized directory to manage user identities and enforce security policies.

These platforms work by authenticating users (confirming who they are), authorizing access (determining what they can do), and keeping thorough audit logs of system interactions. Through role-based access control (RBAC), IAM tools automatically grant or restrict permissions based on job roles, simplifying administration and ensuring that users have the appropriate level of access.

Benefits of IAM Tools

Here are some key advantages of incorporating IAM tools into your infrastructure:

Protect against unauthorized access by implementing robust authentication and authorization protocols.
Meet regulatory requirements with audit trails and policy enforcement.
Automate user provisioning, saving time and reducing human error.
Easily manage and scale user access as your organization grows.
Improved user experience by simplifying login processes with single sign-on (SSO) features.

Key Features to Look for in an IAM Tool

When evaluating IAM tools, consider the following features:

User Lifecycle Management: Automates the creation, modification, and deletion of user accounts across systems.
Role-Based Access Control (RBAC): Simplifies access management by assigning permissions based on job roles.
Directory Services: A centralized repository for user identities and attributes.
Centralized Management Console: A single interface to manage users, groups, policies, and configurations.
Integration Capabilities: Seamlessly integrates with existing IT systems, including HR systems, cloud applications, and on-premises infrastructure.

Top IAM Tools by Category

Cloud-Native IAM

1. AWS IAM

Source

AWS Identity and Access Management (IAM) is a cloud-based service that helps you manage and control access to AWS resources.

Main Features:

Control access to AWS resources at a granular level.
Manage identities across all of your AWS accounts from a single location.
Cross-account access without creating separate IAM users for each account.

Best For: Managing granular permissions and access control within the AWS ecosystem.

Price: AWS IAM is free to use. Charges may apply for IAM users accessing other billable AWS services.

Review: “[AWS] IAM makes access management very easy and enables it pod and application level.”

2. Apono

https://www.apono.io/wp-content/uploads/2024/09/cpa-mini-dashboard-1-2.png

Just-in-time access is a key element of IAM, which helps organizations mitigate risks of attacks on identities by reducing the attack surface for users who access cloud resources. Apono enables users to be granted access on demand and is the perfect tool to automate just-in-time (JIT) access management.

Main Features:

Automated Just-In-Time (JIT) access flows.
Auto-expiring permissions to mitigate privileged access risks.
Deploys in under 15 minutes.
Enables on-demand, self-serve, granular permissions directly from Slack, Teams, or your CLI.
Break-glass and on-call access flow for faster production issue resolution.
Streamline deployment with cloud-native connectors and infrastructure as code (IaC) to auto-scale with your environment.

Best For: Cloud-native organizations looking to implement automated Just-In-Time (JIT) access and least privilege security.

Price: Contact Apono for customizable pricing plans tailored to your needs.

Review: “Ideal for startups that want to onboard operational excellence DevOps in a quick turnaround! […] As head of IT, It gives me peace of mind when I know that only the right users get proper access to the system’s DB at the right time.”

3. Google Cloud IAM

Source

Google Cloud IAM provides granular access control and visibility for Google Cloud Platform (GCP) resources.

Main Features:

Manage IAM policies using the Google Cloud Console, APIs, and command-line tools.
Integrate with Cloud Identity to manage user identities and access across Google Cloud and other applications.
Automated access control recommendations based on machine learning and security best practices.

Best For: Managing granular permissions and compliance tools within GCP.

Price: IAM is included with your Google Cloud account at no additional cost.

Review: “Easy to use, flexible, and the best thing is we can integrate this with all Google services.”

4. Microsoft Entra ID (formerly Azure AD)

Source

Microsoft Entra ID, formerly Azure Active Directory, is an IAM solution by Microsoft running, offering strong authentication and risk-based Conditional Access policies.

Main Features:

Single sign-on (SSO) for fast, easy sign-in experience across a multicloud environment.
Employees can securely manage their own identity with self-service portals, including My Apps and My Groups.
Manage all Microsoft Entra multicloud identity and network access solutions in the unified admin center.

Best For: Identity management across cloud and on-premises systems for businesses using Microsoft 365 or Azure.

Price: Microsoft Entra ID P1 plans start at $6, P2 at $9, and Entra Suite at $12 per user/month. Each plan includes a free tier.

Review: “Microsoft Entra is one of the best solutions Microsoft offers for verifying and identifying enterprise technology assets such as laptops and mobile phones.”

5. Wiz

Source

Wiz is a cloud infrastructure security platform that contains IAM governance capabilities.

Main Features:

Auto-generated least privilege policies across the cloud.
Security posture management for AI models, training data, and AI services.
Query cloud entitlements based on identity, access type, and resource.

Best For: Securing cloud infrastructure with automated risk prioritization and anomaly detection, rather than strictly IAM.

Price: By inquiry.

Review: “Wiz has been a most valuable solution for our organization in terms of cloud security. They regularly change with new features and keep us updated with the newest threats.”

Hybrid IAM

6. OneLogin

Source

OneLogin is a cloud-based Identity and Access Management platform that provides a single unified portal for users to access both cloud and on-premises applications.

Main Features:

Single sign-on (SSO) for cloud and on-premises apps.
Offers various MFA options, like authenticator apps, SMS codes, and security keys.
Automated user onboarding and offboarding and managed changes to user roles and permissions.

Price: OneLogin offers pricing plans for Workforce, B2B, Customer (CIAM), and Education Identity use cases. Advanced and professional tiers start at $2 per user/month. Free trials and custom plans are also available.

Best For: Organizations with hybrid IT environments looking for SSO and MFA across cloud and on-premises applications.

Review: “Being able to remember one passphrase that gets me access to all my corporate applications is as simple as it can get.”

7. Okta

Source

Okta is a leading independent identity provider that offers a broad set of IAM capabilities like SSO, MFA, and identity threat protection.

Main Features:

Single sign-on (SSO) and multi-factor authentication (MFA) for fine-grained authorization protocols.
Universal Directory for user management.
7,500+ pre-build and ready-to-use integrations.

Best For: Ranking in Gartner Peer Insights.

Price: Okta provides pricing plans for Workforce Identity Cloud (with MFA and Universal Directory) for $2 per user/month and Customer Identity Cloud for B2B, B2C, and enterprise app authorization.

Review: “Not only is it user-friendly with a modern interface, but it also [has] high-security standards and supports working with thousands of users simultaneously.”

8. SailPoint IdentityIQ

Source

SailPoint IdentityIQ is an identity governance platform that helps organizations manage access to on-premises and cloud environments.

Main Features:

Tracks user activity, access changes, and certification results, providing evidence of compliance.
Integrates with cloud apps, on-premises systems, and databases.
Facilitates role-based access control (RBAC) by allowing organizations to define roles and assign permissions to those roles.

Best For: Large enterprises in highly regulated industries that require advanced identity governance and separation-of-duties enforcement.

Price: By inquiry.

Review: “Identity IQ from Sailpoint has been a boon for us in managing the accounts of all our users at one spot and simplifying the process of provisioning and de-provisioning.”

On-Premises IAM

9. CyberArk

Source

CyberArk’s Workforce Identity solutions focus heavily on Privileged Access Management (PAM) and identity security. While they offer broader identity management capabilities, their core strength and focus is on securing privileged access.

Main Features:

Vaulting, aka. securely storing and isolating privileged credentials (passwords, keys, secrets) to prevent unauthorized access.
Granting temporary privileged access only when needed, reducing the attack surface.
Controlling and monitoring privileged sessions, including recording and auditing activity.

Best For: Enterprises managing a high volume of privileged accounts.

Price: By inquiry.

Review: “CyberArk provides you with an easy user interface to connect with your machines. Also, it gives the environment for scalable security and RBAC.”

10. Oracle Identity Management

Source

Oracle Identity Management offers integrated IAM capabilities for both cloud and on-premises Oracle platforms (so it could really go into two categories).

Main Features:

Automating the provisioning, deprovisioning, and modification of user accounts across various systems.
Regular reviews and certifications of user access rights to ensure compliance.
Enforcing policies to prevent conflicts of interest and fraud by ensuring that no single user has excessive privileges.

Best For: Organizations using Oracle apps and databases.

Price: By inquiry.

Review: “Enterprise-grade IAM solution with on-premise and cloud offerings, and it is well suited for large-scale implementations.”

Apono: The Standout Solution

IAM tools are necessary for the security of modern enterprises, improving the security and efficiency of processes like user provisioning and just-in-time access through automation. These IAM solutions provide granular access controls, least privilege enforcement, and strong auditing and reporting capabilities to help monitor activity and identify threats.

Apono stands out with its automated JIT access flows, self-serve permissions, and fast deployment, making it an ideal choice for organizations prioritizing security and productivity. Visit Apono today to transform your IAM strategy.

How to Implement Zero Trust: A Step-by-Step Guide

Some traditional security methods are no match for evolving cyber threats, which is why zero trust is an essential addition to every organization’s arsenal. Unlike perimeter defenses, zero trust secures access at every level, verifying every device and user continuously to create a security posture that is far harder to penetrate.

Gartner reports that 63% of organizations now use a zero trust strategy, a shift driven by the rising costs and frequency of successful breaches. If your organization hasn’t made the transition yet, now is the time to start. This guide walks you through the practical steps of zero trust implementation, helping you build a resilient security strategy that is ready to handle today’s threats.

What Zero Trust Implementation Really Means

Zero trust is a cybersecurity strategy that shifts away from the old perimeter-based defenses to a model where trust is never assumed, regardless of whether they are within or outside of the network perimeter. The framework insists on verifying every access request for users and devices, integrating tightly with the principle of least privilege.

Beyond least privilege access, this strategy involves principles like micro-segmentation of access, multi-factor authentication (MFA), and continuous monitoring of the security environment. Each principle reduces the attack surface, prevents unauthorized access, and minimizes the potential impact of breaches.

Zero trust is part of a broader, proactive approach to cybersecurity that helps iron-clad organizations’ assets. Implementing zero trust principles also demonstrates a commitment to risk mitigation, which puts you in the good books of cyber insurance companies and regulatory bodies.

Challenges in Zero Trust Implementation

Implementing zero trust is a major shift in how organizations handle network security. It operates on the simple rule of “never trust, always verify.” While that sounds simple, integrating this strategy into existing systems comes with its own set of challenges:

Mixed Infrastructure: Many organizations operate with a mix of cloud-based services and on-premises equipment. This may include legacy systems not originally designed with zero trust in mind.

Cultural Hurdles: Adopting a zero trust approach usually requires a cultural change within your organization. Resistance can come from both IT teams accustomed to traditional security methods and users accustomed to less stringent access controls.

Vendor and Solution Sprawl: There’s no shortage of security tools promising to secure your network. Organizations might find themselves wrestling with multiple overlapping tools that don’t integrate well. This lack of interoperability can lead to security loopholes that attackers can exploit.

Cost Concerns: Implementation often requires major investment in new technologies and the training or hiring of security specialists. The costs can be a barrier for many organizations, especially if there’s a need to upgrade or replace incompatible legacy systems.

How to Implement Zero Trust in 10 Steps

1. Identify and Define the Attack Surface

Instead of a broad attack surface, focus tightly on defining the “protect surface” by identifying assets that are absolutely critical to your operations. This step involves not just a simple listing but an in-depth analysis using advanced asset discovery tools that classify data, applications, and systems based on their value and risk exposure. Maintain an updated inventory at all times and leverage automated scripts or APIs to integrate these findings with your security systems.

2. Map Transaction Flows

You’ll need to deeply understand and document how data moves within your network. Identify which applications and services interact and the nature of their interactions, and you can consider network traffic analysis (NTA) tools to help visualize and manage these flows.

Analyze the pathways through which data travels and pinpoint potential vulnerabilities or unnecessary access privileges. This mapping will help you implement precise controls and reveal the most effective points to apply zero trust protections to prevent data loss throughout its lifecycle.

3. Architect a Zero Trust Network

Use micro-segmentation to divide your network into smaller, isolated zones (virtual network technologies like VLANs, firewalls, and software-defined networks (SDN) can help). SDN can adapt access controls dynamically based on real-time network traffic and threat assessments.

Each zone should operate under the strictest access controls, limiting user and device access to the bare minimum required to perform specific functions. This architecture restricts lateral movement within the network and simplifies the management of security policies by reducing the complexity of each segment.

4. Create Zero Trust Policies

To build robust zero trust policies, you can use the Kipling Method. This method examines each aspect of the network interaction to ensure every access is fully justified and secured:

Who: Identify who is making the request. The policy should stipulate that credentials must be verified against an active directory or a similar trusted source to confirm that the person seeking access is who they claim to be.

What: Determine what resources they are trying to access. Policies should limit user access to resources essential for their specific roles through role-based access control (RBAC).

When: Define when they are allowed to access these resources. This stipulation can include time-based access controls restricting access to sensitive resources outside defined business hours or during unusual activity periods.

Where: Specify where the access requests are coming from. Geo-restrictions and IP whitelisting can limit access from regions or networks that are not pre-approved.

Why: Understand why they need access. Policies should require that every access request includes a justification logged for audit purposes. The reason should, of course, match the user’s role and current tasks.

How: Establish how they will access the systems. Stipulate using secure connection protocols such as VPNs, HTTPS, or end-to-end encryption to mitigate data interception or unauthorized access risks.

5. Achieving Least Privilege with Just-In-Time Access

Least privilege is a fundamental zero trust building block that limits users’ access rights to only the resources required for their job duties. The attacker’s access remains severely limited even if an account is compromised. Just-In-Time (JIT) access is a crucial technique for implementing least privilege in modern cloud-native environments—instead of granting standing permissions, which remain active even when not needed, JIT grants temporary access only when needed for a specific task.

The dynamic approach of granting access on a per-request basis helps organizations drastically shrink the window of opportunity for malicious activity. JIT reduces the attack surface by minimizing the number of users with standing access to sensitive resources. It improves overall security posture by automatically revoking temporary permissions after the task is completed. In addition, JIT simplifies compliance audits by providing a clear record of who had access to what and when.

6. Enforce and Automate Policies

The next step is guaranteeing that your policies are enforced consistently and automatically. You’ll likely need a few automation platforms and tools that address different aspects of your zero-trust policies. Automate as much as possible to reduce the need for manual intervention and the associated risks and guarantee that policies are applied uniformly across all network touchpoints.

7. Deploy Endpoint Verification

Confirm that all devices meet your security standards, like running up-to-date patches and active antivirus, before granting access. Non-compliant devices should be flagged or blocked to protect your network from vulnerabilities introduced by outdated or insecure endpoints. This approach creates a consistent security baseline across all devices accessing your resources.

8. Continuous Monitoring and Analytics

Rather than relying on occasional audits or static assessments, a security information and event management (SIEM) system with behavioral analytics provides a continuous, real-time view of your environment’s activity. You can establish baseline profiles for normal user activities and quickly flag deviations that could indicate a security incident.

9. Conduct Regular Security Assessments and Response Drills

Establish a routine of continuous security assessments, including automated vulnerability scans and periodic red team exercises. Use the insights gained to refine and adapt your zero trust policies and controls over time.

10. Educate and Train

Make sure everyone on your team is in the loop and sharp on the latest in cybersecurity, including the newest threats and zero trust tactics. Offer regular, role-specific training that doesn’t just talk theory but ties in with real incidents to show what those threats look like in the wild.

For example, simulate a phishing attack to demonstrate how easily credentials can be compromised and then guide employees on how to identify and avoid such threats. This practical approach helps them understand the importance of zero trust principles like ‘never trust, always verify’ and encourages them to remain vigilant against potential attacks.

Final Thoughts…

All in all, verifying every user, device, and application before granting access minimizes the risk of breaches and lateral movement within your network. Zero trust helps dramatically reduce the potential for data loss and system compromise, which could save your organization thousands (or even millions) of dollars wasted on security incidents.

While zero trust requires an upfront investment in tools and training, the long-term cost savings from preventing breaches, downtime, and regulatory fines make it a smart financial and security strategy for every organization.

Using Apono As Part of Your Zero Trust Strategy

The “never trust, always verify” guiding principle is a simple one, but building a zero trust foundation is not. Managing permissions and access for all devices and users, closing security gaps, and ensuring that every tool works in unison toward a common goal can quickly become complicated and resource-intensive.

Apono is a smart addition to any zero trust strategy to address the challenges of managing access and permissions in complex environments. With automated Just-In-Time access and auto-expiring permissions, Apono minimizes risks from standing privileges while maintaining user productivity.

Apono’s robust auditing capabilities, automated access management, and granular control make it easier to meet compliance requirements like HIPAA, CCPA, and SOC2, and maintain a clear view of who has access to what and why.
Learn how Apono can simplify your access management and strengthen your security by booking a demo.

Kubernetes Secrets: How to Use Them Securely

Storing sensitive values is a problem as old as software itself. In 2016, Uber experienced a massive data breach that exposed 57 million users’ personal information—all traced back to a hardcoded AWS credential discovered in a GitHub repository.

While we have successfully established that hardcoding secrets such as API keys and passwords is bad practice, correctly storing them is a different story, and the issues from 2016 are still prevalent today (8 years later…). In a 2024 report by Sophos, 77% of attacks saw compromised credentials as an initial access method and 56% as a root cause.

With organizations going cloud-native and moving their workloads to Kubernetes (k8s), it is only right that they know how to avoid these issues in Kubernetes. In this post, we will discuss Kubernetes secrets—the Kubernetes built-in security resource—and how to use them properly to secure your applications on Kubernetes.

Kubernetes secrets: What are they, and what are they used for?

Secrets in Kubernetes are a resource used to store sensitive values or credentials. In practice, this removes the need to hardcode your API keys within your deployment manifest or pod definition. Out of the box, Kubernetes provides eight types of secrets, each with a unique function. Here’s a breakdown:Each secret type enforces specific data field requirements, helping prevent configuration errors when storing different credentials.

Opaque: The default type for storing arbitrary data like API keys or application passwords. Example: storing a third-party API key for a payment gateway.
kubernetes.io/service-account-token: Stores tokens that pods use to interact with the Kubernetes API. Example: allowing a monitoring pod to query cluster metrics.
kubernetes.io/dockercfg: Contains credentials for private container registries using the legacy Docker config format. Example: pulling images from a private Docker Hub repository.
kubernetes.io/dockerconfigjson: Similar to dockercfg but uses the newer JSON config format. Example: authenticating with multiple private container registries.
kubernetes.io/basic-auth: Stores credentials for HTTP basic authentication. Example: protecting an internal dashboard with username/password.
kubernetes.io/ssh-auth: Holds SSH credentials. Example: allowing pods to clone private Git repositories.
kubernetes.io/tls: Contains TLS certificates and private keys. Example: setting up HTTPS for your ingress endpoints.
bootstrap.kubernetes.io/token: Used during node registration to authenticate new nodes joining the cluster. Example: automating node addition in an auto-scaling cluster.

Why You’d Use Kubernetes Secrets

One excellent example of how secrets can be used is the popular Kubernetes tool, cert-manager. This controller automatically generates TLS certificates and stores them back into the cluster as kubernetes.io/tls type secrets, which your workloads can then use to encrypt traffic. In addition, you can also use Kubernetes secrets to:

Store database credentials that your applications need to establish connections, eliminating the need to hardcode these values in your application code or environment variables.
Manage API keys for external services like payment processors, email providers, or monitoring tools your applications depend on.
Store SSH keys needed by CI/CD pipelines to clone private repositories during build processes.
Keep registry credentials for pulling container images from private repositories, ensuring your deployments can access proprietary container images.
Store OAuth tokens and other authentication credentials used by microservices to communicate securely within your cluster.
Maintain JWT signing keys used by authentication services to generate and validate user tokens.

Are there any limitations to using Kubernetes secrets?

Lack of Encryption by Default

While Kubernetes provides a good range of choices for secret management, it still has a few limitations, the largest being the lack of encryption by default. While Kubernetes does support encryption at rest through KMS providers, this requires additional configuration and maintenance.

Kubernetes Secrets are Immutable

Another limitation is that Kubernetes secrets are immutable by default. Immutable means that they cannot be modified after creation. This immutability is intended to promote stability but creates some challenges when you need to rotate credentials or update sensitive values. Each update requires creating a new secret and updating all references to it.

Limited RBAC Configuration

While functional, Kubernetes’s built-in RBAC (Role-Based Access Control) system offers limited granularity for secret access control. This factor can become a challenge in larger organizations where different teams need varying levels of access to different secrets.

For example, you cannot grant a team read access to specific fields within a secret—they either get access to the entire secret or none at all. This limitation often forces teams to create separate secrets for each access level, increasing management complexity.

How to Use Kubernetes Secrets Securely

Securely using secrets in Kubernetes often requires a combination of techniques and tools. In this section, we will explore a few best practices for using them.

Enable Encryption at Rest

As we mentioned earlier, Kubernetes secrets are stored as plaintext in etcd by default. While this provides convenience, enabling encryption at rest for production environments is crucial. Configure a KMS provider to encrypt your secrets. While no team wants their cluster breached, this adds an extra layer of security and one more hurdle an attacker must overcome.

A WAF (Web Application Firewall) complements these measures by providing an additional layer of protection specifically designed for web traffic, regardless of how secrets are managed within the cluster.

You can configure encryption at rest using the EncryptionConfiguration resource, which typically looks like this:

apiVersion: apiserver.config.k8s.io/v1

kind: EncryptionConfiguration

resources:

  - resources:

      - secrets

    providers:

      - aescbc:

          keys:

            - name: key1

              secret: <32-byte-key>

The resources.resources field is an array of Kubernetes resource names (resource or resource.group) that should be encrypted, such as Secrets, ConfigMaps, or other resources. The providers field can be used to specify one of the supported providers.

Implement RBAC Controls

While not the most robust, there are ways to ensure you follow the principle of least privilege with your secrets. Here is a quick example:

Create a cluster role:

kubectl create clusterrole secrets-manager \

    --verb=get,list,create,update \

    --resource=secrets \

    --namespace=production-apps

Create a dedicated service account:

kubectl -n production-apps create serviceaccount app-secrets-manager

Bind the role to the service account with a cluster role binding:

kubectl create clusterrolebinding manage-production-secrets \

    --role=secrets-manager \

    --serviceaccount=production-apps:app-secrets-manager \

    --namespace=production-apps

Restrict Secret Access to Specific Containers

When deploying applications, limit secret access to only the containers that require them. Instead of mounting secrets at the pod level, specify secret mounts or environment variables for individual containers. This step reduces the exposure surface of sensitive data within your pods.

You can achieve this by:

Mounting secrets as volumes to specific container paths rather than pod-wide shared volumes.
Setting environment variables from secrets only in containers that need them.
Using subPath when mounting secret volumes to prevent exposing the entire secret volume to a container.

In practice, this looks like:

apiVersion: v1

kind: Pod

metadata:

  name: multicontainer-pod

spec:

  containers:

  - name: app-container

    image: app:latest

    volumeMounts:

    - name: api-creds

      mountPath: "/etc/api/credentials"

      readOnly: true

  - name: sidecar-container

    image: sidecar:latest

    # No access to api-creds secret

  volumes:

  - name: api-creds

    secret:

      secretName: api-credentials

      defaultMode: 0400

Consider Using External Secret Store Providers

If you’re running Kubernetes in a cloud environment, you likely already have access to a Key Management System (KMS). The External Secrets Operator (ESO) bridges the gap between Kubernetes and these external secret stores.

ESO allows you to integrate your cloud provider’s secret management systems with your Kubernetes clusters. Rather than storing sensitive data directly in Kubernetes, ESO fetches secrets from your external store and injects them as regular Kubernetes secrets into your cluster. Here’s what it looks like:

apiVersion: external-secrets.io/v1beta1

kind: ExternalSecret

metadata:

  name: aws-secret

spec:

  refreshInterval: "15s"

  secretStoreRef:

    name: aws-store

    kind: SecretStore

  target:

    name: secret-to-be-created

  data:

  - secretKey: api-key

    remoteRef:

      key: production/api-credentials

      property: api-key

The manifest defines an ExternalSecret resource that:

Checks for updates every 15 seconds (refreshInterval).
References a configured secret store (aws-store).
Creates a Kubernetes secret named secret-to-be-created.
Pulls the api-key value from a remote secret path production/api-credentials.

The main advantage of this approach is that ESO handles all the synchronization between your external secret store and Kubernetes, automatically creating and updating the Kubernetes secret when the source changes.

Implement Auditing and Monitoring

In addition to fine-grained access control, it’s crucial to have a big picture of what’s happening within your cluster, which is exactly what Kubernetes audit logs provide. It is particularly useful for continuously monitoring secrets usage. As the Kubernetes docs put it:

Auditing allows cluster administrators to answer the following questions:

What happened?
When did it happen?
Who initiated it?
On what did it happen?
Where was it observed?
From where was it initiated?
To where was it going?

Bringing Outside Secrets In

Kubernetes secrets provide robust capabilities for managing sensitive data within your cluster, from basic credentials to TLS certificates, with multiple layers of security controls. However, not all your resources and sensitive data live within Kubernetes.

The Apono Connector for Kubernetes helps bridge this gap by securely connecting your Kubernetes cluster with outside resources. By running within your environment, the connector maintains a clear separation between your infrastructure and external services while providing unified access management.
Book a demo to see Apono in action.

Apono’s 2024 Successes Fuel Next-Level Innovation in Cloud Access Management for 2025

Company’s achievements and new appointments set the stage for groundbreaking advancements and growth in secure, automated access management solutions

New York City, NY. January 22, 2025 – Apono, the leader in privileged access for the cloud, today announced a series of significant milestones achieved in 2024, alongside strategic growth plans for 2025. These accomplishments underscore the company’s commitment to driving advancements in cloud access governance, ensuring users are only granted the minimum necessary permissions required for their tasks, ultimately reducing the risk of internal threats and external attacks.

In 2024, Apono announced the successful completion of its Series A funding round, raising $15.5 million to fuel the company’s mission of disrupting traditional access security with AI-driven least privilege solutions. This funding is being used to accelerate product development, support continued growth, deliver unparalleled value to customers, and solidify Apono’s position as a leader in the identity security space. As part of its growth plan, Apono has expanded its leadership team by appointing Dan Parelskin as Senior Vice President of Sales, Stephen Lowing as Vice President of Marketing, and most recently Arik Kfir as Vice President of Research and Development. Kfir brings over 20 years of extensive experience in engineering, system and software architecture, and management to Apono. Most recently Kfir has held senior leadership roles at Zesty, Qubex and Zscaler. In his role at Apono, he will lead research and development, specifically spearheading initiatives that increase scalability and expand the platform. His expertise will provide significant value and integrate with Apono’s strategic objectives. These appointments are significant steps forward for Apono as it positions itself to capitalize on the increasing demand for cloud-privileged access solutions across markets.

Apono also launched a significant update to the Apono Cloud Access Platform, which enables users to automatically discover, assess, and revoke standing access to resources across their cloud environments. With complete visibility across the cloud, seamless permission revocation, and automated Just-in-Time, Just-Enough Access, this update helps organizations mitigate major risks while fostering rapid innovation within secure guardrails.

In December, Apono was recognized in the IDC Innovators: Software Development Life-Cycle Identity and Access, 2024 report, highlighting emerging vendors introducing new technologies and providing groundbreaking solutions to existing challenges. Using AI and context-driven insights, Apono was recognized by IDC for its ability to enforce role-based access controls and dynamically adjust permissions to align with organizational policies, ensuring that users have only the permissions they need when they need them. Following their presence at AWS re:Invent, Apono was also named a winner of the Winter 2024 Intellyx Digital Innovator Award, which honors trailblazers who demonstrate innovative approaches to solving complex challenges in the digital landscape.

“In a cloud development world where permissions are often unused and identities can lie dormant, Apono offers DevOps teams and engineers a cloud identity and access management platform that allows them to embed ‘access flow’ permissions with just-in-time policy monitoring that dynamically validates least-privilege user access in the workflow context of the application,” said Jason English, director and principal analyst, Intellyx, in SiliconANGLE from AWS re:Invent.

Apono was highlighted in the 2024 Gartner Magic Quadrant for Privileged Access Management as a sample vendor for Just-in-Time Privilege (JITP) tools. This recognition underscores Apono’s role in providing innovative solutions for mitigating PAM risks. Gartner noted the increasing traction of JITP tools due to their usability and efficiency in implementation, which aligns with Apono’s commitment to delivering user-friendly and effective access management solutions.

“Apono’s fearless development team is at the heart of our achievements,” said CEO of Apono, Rom Carmel. “Their dedication and innovation drive our mission to provide secure, automated access management solutions. By developing cutting-edge technology, we empower organizations to manage access efficiently and securely. Our solutions streamline access control, reduce risks, and enhance operational efficiency, allowing our clients to focus on their core business objectives.”

For more information, visit the Apono website here: www.apono.io.

About Apono:

Aviatrix Controller RCE Vulnerability Allows Unauthenticated Malicious Code Injections (CVE-2024-50603)

AWS and other cloud infrastructure exposed to after attacks uncovered in the wild

Cloud networking solutions provider Aviatrix has published a new vulnerability (CVE-2024-50603) in its controller. This vulnerability allows unauthenticated actors to run arbitrary commands.

This Remote Code Execution (RCE) vulnerability, rated CVSS 10 (critical), has been exploited in the wild.

A patch is already available on GitHub. Alternatively, users can update to the secure versions 7.1.4191 or 7.2.4996.

What is the Aviatrix Controller?

Aviatrix’s platform enables its customers to manage and secure their cloud infrastructure across providers. It is used across AWS, Azure, GCP, and more. Including in enterprise environments.

What is the Vulnerability in CVE-2024-50603?

According to researcher Jakub Korepta of SecuRing, who disclosed the vulnerability, the issue stems from improper handling of user-supplied parameters in the Aviatrix Controller’s API. A malicious actor can inject arbitrary commands to breach their target’s publicly exposed machines in the cloud.

Researchers have observed malicious actors using CVE-2024-50603 to install XMRig crypto miners and Sliver backdoors. This can potentially lead to more significant attacks on target organizations’ VMs.

Read Korepta’s technical writeup here: https://www.securing.pl/en/cve-2024-50603-aviatrix-network-controller-command-injection-vulnerability/

Apono’s Assessment

The vulnerability in Aviatrix’s API essentially breaks the authentication mechanism, opening the door to abuse by attackers.

“We see that sometimes even the best lock on the door can be made ineffective, like in this case where the authentication mechanism is broken,” says Apono CTO and Co-founder Ofir Stein. “This is an important reminder of why we must adopt a layered approach to securing our infrastructure. Apono enables organizations to implement Just-in-Time access to their networking tools, allowing them to add a critical layer of protection.”

Organizations often struggle to secure their cloud resources. Due to their dependence on cloud service providers controlling the infrastructure and the sheer scale of their cloud, they lack critical visibility into what they have in their cloud. Moreover, they have great difficulty understanding who has access to which resources, which impedes their ability to control access.

Even though visibility and access control have always been challenges in security, the cloud service providers’ shared responsibility model places the organization’s responsibility for the sprawling infrastructure with its complex and diverse permissions squarely on its shoulders.

While authentication is a critical element of security, the industry understands that it is insufficient to ensure protection against attacks. Security needs to be designed in layers. This is why we have seen the growth of MFA as part of system building and the development of cross-industry regulations.

However, in this case, and many others, vulnerabilities in the authentication mechanism or clever social engineering ploys can enable attackers to bypass even the most capable authentication protections, leaving resources exposed.

Effective access control mechanisms, like Just-in-Time, are essential in reducing the attack surface. When technical failures like this CVE occur, organizations can mitigate risks from a breach or abuse by limiting access to sensitive resources like administrative controls.

Recommendations

Patch vulnerable versions of Aviatrix or upgrade to a secure version.
To restrict access to the controller, use defense-in-depth techniques, such as ZTNA, IP filtering, and Just-in-Time network tunneling.

Contact one of our experts today to learn more about Apono’s Cloud Access Platform.

8 Privileged Access Management (PAM) Best Practices for Cloud Infrastructure

Even the simplest mistakes can leave your data wide open to cyber threats. If the worst happens and there’s an attack, cybercriminals gain free-for-all access to your cloud resources.

They tamper with your data, disrupt workflows, and steal sensitive information, meaning the need for Privileged Access Management (PAM) best practices are more indispensable than ever for any robust cloud security strategy. According to a recent study, the global PAM market is expected to grow from $2.9 billion in 2023 to $7.7 billion by 2028, cementing its position in the cybersecurity landscape.

Privileged Access Management in a Nutshell

Privileged Access Management (PAM) centers on securing privileged accounts with elevated permissions. It is a cybersecurity strategy that controls and monitors access to critical systems and sensitive information from unauthorized access. Without it, privileged accounts can become the primary targets for cybercriminals, putting the entire organization at risk.

Here’s how PAM works in a nutshell:

It identifies all privileged accounts across the network.
After identification, credentials like passwords and keys are securely stored in an encrypted vault.
The principle of least privilege is applied to restrict access based on user roles and necessity.
Finally, you can use auditing to track who accessed what, when, and why to detect anomalies and generate reports to help maintain security and compliance.

Types of Privileged Accounts

Service Accounts

Applications, automated processes, and IT systems commonly use service accounts. Consider the devastating SolarWinds hack in 2020, where attackers found vulnerabilities in the service accounts and gained access to critical data and systems.

Privileged Access Management Best Practices

Domain Administrator Accounts

Domain administrator accounts have full control over an organization’s IT infrastructure, making them attractive targets for attackers. An example is the Microsoft Exchange Server attacks in early 2021, where hackers gained control through privileged accounts, escalating their access across domains.

Emergency Accounts or “Break-Glass” Accounts

Break-glass accounts are special accounts that can bypass authentication, monitoring processes, and standard security protocols. If not properly managed, they present significant risks.

3 Key Challenges of Implementing Privileged Access Management Best Practices

Forgotten and Overextended Privileges

In implementing Privileged Access Management (PAM) best practices, you must ensure that access to critical resources is both temporary and purposeful. Often, privileges are left open long after a task is completed, such as contract or consulting engineers retaining production permissions and indefinite access to sensitive data lakes.

Lack of Efficient Access Management

As your business grows, so does the complexity of managing privileges, especially in environments with many resources and frequently changing requirements. A solution that works for an organization of ten might crumble under an organization of 1,000. In this case, managing permissions for each cloud resource every time access is required becomes inefficient.

Ensuring Data Privacy While Managing Access

Another PAM implementation challenge is managing access to sensitive data while ensuring privacy. Many solutions require storing or caching sensitive credentials, posing a data security risk.

8 Privileged Access Management Best Practices for Cloud Infrastructure

Use Strong Password Policies

Implementing strong password policies can help reduce the chances of credential theft. Use complex, unique passwords and enforce regular password rotations. Employees should already know to steer clear of the classic phone numbers or dates of birth!

Source

Implement the Principle of Least Privilege (PoLP)

PoLP is and has always been the first principle of the cloud. The principle of least privilege states that users should only have the minimum level of access necessary to perform their tasks. In other words, a user who does not need admin rights should not have them.

Use Identity and Access Management (IAM) and Role-based Access Control (RBAC) Policies

IAM allows organizations to define who can access resources under what conditions. Role-Based Access Control (RBAC), on the other hand, helps manage who has access to cloud resources by defining roles and associating them with the required permissions.

For example, in AWS, you can create custom IAM roles for developers, admins, and security personnel, each with tailored permissions. Use managed policies and avoid using root accounts for daily operations.

Multi-factor Authentication (MFA)

Another best practice is to use multiple forms of verification (e.g., a mix of your password and biometric scan, a time-based code from your device, or a hardware token) before gaining access to privileged accounts. MFA adds an extra layer of security, reducing the risk of compromised credentials by requiring something the attacker doesn’t have. So, even when attackers get hold of your credentials, they still won’t be able to gain access to your account.

Integrate MFA into your Privileged Access Management (PAM) solution for all privileged accounts and enforce it for high-risk accounts like administrators or service accounts. You can use cloud-specific solutions like AWS MFA, Azure Multi-Factor Authentication, or Google Cloud’s Identity Platform.

5. Automate Access Management and Provisioning

Over 68% of security breaches are caused by human errors. Manually managing access can cause these errors, particularly as your organization scales. Use automation tools like Apono to ensure that permissions are granted and revoked in a timely, accurate, and consistent manner.

6. Secure Privileged Access with Encryption

Encrypting privileged access is essential for maintaining confidentiality, especially for access to sensitive data and resources. This best practice ensures the data remains secure even if an attacker gains unauthorized access to privileged credentials.

Encryption protocols like AES-256 protect sensitive data in transit and at rest. Another tip is to ensure that cloud credentials, secrets, and other sensitive data are stored securely in encrypted vaults such as AWS Secrets Manager, Azure Key Vault, or Google Cloud Secret Manager.

Segmenting Critical Systems

Segmenting critical systems limits access to sensitive data. It reduces the risk of lateral movement in case of a breach, involving isolating high-risk systems and implementing access control for every segment of your workload. This way, your organization can ensure that unauthorized users cannot easily traverse the entire network, making it even harder for attackers to compromise multiple systems at once.

Educate and Train Privileged Users

Privileged users should be trained on security best practices, as they play a vital role in managing sensitive systems and resources. The training could focus on the latest external and insider threats, including phishing, malware, and social engineering tactics, with real-world examples of how mishandled privileges can lead to breaches. Rewarding users who identify vulnerabilities or report suspicious activity can encourage proactive behavior.

Cloud environments often require privileged users to access programmatic APIs, which requires secure handling. In this example, training should highlight best practices for securing API keys using tools like AWS Secrets Manager or Azure Key Vault.

For developers, additional emphasis should be placed on avoiding hardcoding credentials into code or scripts, as these can easily be leaked or exploited. Take a look at this Python script, which exposed the AWS access and secret keys:

If the above code is shared, pushed to a public repository (e.g., GitHub), or leaked, anyone with access to it can misuse your AWS credentials. Alternatively, you can use a secrets management tool like AWS Secrets Manager to securely store and access credentials:

Finally, effective training is not a one-time event but an ongoing process. Cloud security is an ever-evolving field; privileged users must stay updated on emerging threats and best practices. Providing documentation, maintaining an up-to-date knowledge base, and delivering periodic refresher training ensures that users remain informed and vigilant.

Reduce Access Risks by 95% With Apono

Failing to implement Privileged Access Management (PAM) best practices is like leaving the keys to your castle lying out in the open. As we’ve explored, PAM is crucial for controlling and monitoring access to your most critical assets, preventing devastating breaches that can disrupt operations, compromise sensitive data, and damage your reputation.

With Apono, you can reduce your access risk by a huge 95% by removing standing access and preventing lateral movement in your cloud environment. Apono enforces fast, self-serviced, just-in-time cloud access that’s right-sized with just-enough permissions using AI.
Discover who has access to what with context, enforce access guardrails at scale, and improve your environment access controls with Apono. Book a demo today to see Apono in action.

A Step-by-Step Guide to S3 Security Features & Setup

What is Amazon S3?

5 Critical S3 Security Vulnerabilities

1. Configuration Mistakes

2. Malicious Uploads

3. Lack of Visibility

4. Publicly Accessible Buckets

5. Vulnerable Third-Party Integrations

A Step-by-Step Guide to S3 Security Features

Block Public Access Enhancements

Access Control Lists

Object Ownership

Amazon Macie

Storage Lens

Object Versioning

5 S3 Security & Setup Best Practices

1. Restrict Access to Your S3 Resources

2. Embrace Logging

3. Implement Encryption Everywhere

4. Enable Versioning with Lifecycle Policies

5. Use ACLs Strategically for Granular Control

S3 Access Without the Hassle with Apono

Apono Names Boone Quesnel as VP of Business Development & Alliances to Drive Strategic Growth

IAM Identity Center: The Essential Guide to AWS Identity Center

What is AWS IAM Identity Center?

When to Use AWS IAM Identity Center

1. Your team spends too much time managing AWS access

2. Developers need to access multiple AWS accounts regularly

3. Security teams need better control over access and compliance

4. You use external identity providers like Okta or Microsoft Entra ID

5. Your organization is implementing a Just-in-Time access model

AWS IAM vs AWS IAM Identity Center: Similarities and Differences

<img fetchpriority="high" decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXe7i2iJAKerJBXebpmrsxz2L0ra4I1BTb2djc3eUWYfNmRf3kAjqBntMvccNtHMdEtG_nTv0BnwLOrXt5aWeSAhkGicv_W7JFEhmUkMf7_klFLJXYSwkm2pDVFW0K2z_IaP4MjocQ?key=ZqpIElSHzDym-so5nm02KJ8V" width="624" height="441">

Key Features of AWS IAM Identity Center

1. Centralized Permission Management

2. Single Sign-On (SSO)

3. Temporary Access

4. Access Control Options

5. Multi-Factor Authentication (MFA)

How to Use IAM Identity Center

Step 1: Enable IAM Identity Center

Step 2: Change Your Identity Source (Optional)

Step 3: Create Users and Groups

Step 4: Add Permission Sets

Step 5: Assign Users and Groups to AWS Accounts

Step 6: Accept the Invitation

Step 7: Access AWS Accounts and Applications

Take Full Control of AWS Access Management with Apono

Just-In-Time (JIT) Access Management: The Essential Guide

What is Just-In-Time (JIT) access management?

3 Types of Just-In-Time (JIT) Access

Automated Just-In-Time (JIT) Access Management: Why You Need It

How Automated Just-In-Time (JIT) Permission Management Can Benefit Your Business

6 Best Practices for Enabling Automated Just-In-Time (JIT) Access Management

1. Prioritize and Secure Critical Assets

2. Embrace Granular Access Control with RBAC and ABAC

3. Establish Clear Policies for Temporary Access

Automate Just-In-Time Access and Secure Cloud Assets with Apono

Top 10 IAM Tools by Category

What are IAM tools?

<img decoding="async" src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXekSoo4eLlsadr8NNUCYm5qWTZ3zljEdEo6s8mzvpBCYsojv1eN9HfLOErUA6Y9Z20SnPbB8_JZFpBpKZSdXoNFaULDa3CW4AENWp45WYqqqM51eANuQEZ8gqzbKOLnfph_BRrduA?key=6RtMPDUuIfntWcPyb2dE24M1" width="624" height="468">

Benefits of IAM Tools

Key Features to Look for in an IAM Tool

Top IAM Tools by Category

Cloud-Native IAM

1. AWS IAM

2. Apono

3. Google Cloud IAM

4. Microsoft Entra ID (formerly Azure AD)

5. Wiz

Hybrid IAM

6. OneLogin

7. Okta

8. SailPoint IdentityIQ

On-Premises IAM

9. CyberArk

10. Oracle Identity Management

Apono: The Standout Solution

How to Implement Zero Trust: A Step-by-Step Guide

What Zero Trust Implementation Really Means