6 Cloud Identity Best Practices for Breach Prevention

Identity is the number one security problem in the cloud. In August 2024, leaked credentials led to a large-scale extortion campaign targeted 230 million entities in AWS and resulted in ransomware extortion. This attack exemplifies the critical need for ongoing least privilege controls to limit the blast radius in the event that an attacker compromises an identity, human or non-human (NHI).

This blog explores six best practices for cloud identity security that will greatly lower your organization’s risk and help prevent breaches. 

First, let's understand the challenge of identity security in the cloud.

Identity as the New Perimeter

• The sentiment may seem overstated. Yet, traditional security boundaries do not exist in public cloud and SaaS apps. We doubt you will ditch your firewalls anytime soon, yet identity must now be your main defense. With the right credentials and permissions, especially in the wrong hands, an entity can perform any necessary action from anywhere in the world.

Complex Permission Management

• Cloud platforms offer numerous services with intricate permission structures, posing a challenge to manage the resulting tens of thousands of granular permissions. Improper management, combined with the sheer volume of permissions, leads to excessive privileges. This expands the attack surface and increases the risk of compromise for the entire cloud environment.

Proliferation of Non-Human Identities

• Estimates suggest that for every 1 human, there are anywhere from 10 to 40 associated non-human identities (NHI). This significantly increases entities such as Service Accounts, API Keys, OAuth Tokens, ephemeral identities in serverless architectures, and more. NHIs are essential in every ecosystem and require strict lifecycle management and processes to secure them correctly. Rigorous management is necessary to prevent issues that increase risk, like permission creep and orphaned accounts.

6 Cloud Identity Best Practices for Breach Prevention

‍

Identity Security Maturity Model: The 6 steps begin with the easiest to start cleaning up identity hygiene and advance towards the highest impact. The steps fall into two categories: pruning and hardening. 

• Pruning involves removing unnecessary (or overprivileged) identities
• Hardening focuses on strengthening identity security and reducing blast radius.

STEP 1:  Remove Stale and Unauthorized Identities

Unofficial identities pose significant security risks in cloud environments. Two common types of unauthorized identities are:

• Stale Human Identities: users with active cloud access despite being removed from HR. This discrepancy between cloud providers, HRIS, and IDPs can lead to unauthorized access and potential security breaches.
• Unauthorized Local Identities: user credentials created directly at the cloud account level, bypassing centralized IAM systems. Local identities can act as unauthorized access points, complicating access management and potentially leaving stale credentials unattended. Note that "break glass" credentials are a legitimate use case for local identities, but they should be kept to a minimum and well-defined.

To enhance security and enforce centralized identity management, it is crucial to regularly audit to remove and eliminate (or restrict) unauthorized local credentials by implementing automated processes to sync user status across all systems. This proactive approach significantly reduces the risk of unauthorized access and strengthens your overall cloud security.

STEP 2:  Remove Unused Identities and Credentials

Dormant accounts can serve as entry points and are a passive risk vector for malicious actors. Elimination of unused identities and credentials is a critical security practice, yet most organizations lack the visibility they need to maintain this hygiene. Constant auditing and removal of unused non-human identities (NHIs) and IAM roles are necessary to minimize the attack surface. 

Dormant credentials pose a significant risk if compromised making it equally important to regularly audit and delete access keys no longer in use. To do this, you must implement automated processes to identify and deactivate access keys that haven't been used within a specified timeframe. This practice not only reduces the attack surface but also simplifies key management and bolsters your overall security posture.

STEP 3: Prevent Privilege Escalation through Lateral Movement 

Preventing privilege escalation is table stakes for cloud security. To prevent an attacker from gaining higher levels of access, take action to remove and/or restrict permissions that would allow lateral movement. For example:

• In AWS, remove PassRole permissions: The "iam:PassRole" permission can be used to escalate privileges. Grant this permission only when absolutely necessary and to trusted identities.
• In AWS, restrict EC2 Instance Profile Modifications: Limit who can modify EC2 instance profiles, as they can be used to grant EC2 instances elevated permissions.
• In Azure, restrict role Assignments/write permission: carefully manage the "Microsoft.Authorization/roleAssignments/write" permission, which allows users to assign roles to other identities, potentially leading to privilege escalation.

You can reduce your risk of privilege escalation by removing or restricting these permissions. This will make it hard for attackers to move laterally and gain higher access.

STEP 4:  Strengthen Authentication

Strengthening authentication mechanisms is a critical step in securing cloud identities and preventing unauthorized access. Here are the key best practices to harden authentication:

Multi-Factor Authentication (MFA): Enforce MFA for all human users to add an extra layer of security. This practice should be mandatory for all human users, including employees, contractors, and external collaborators with access to your cloud environment. Implement MFA for both console access and programmatic API calls where applicable.

Rotate Credentials: Regularly rotating access keys for both human and non-human identities is a crucial security practice that minimizes potential vulnerabilities. This process involves periodically updating access keys and promptly removing those no longer in use, effectively reducing the risk of credential compromise. Two common examples of identities that benefit from this practice are AWS IAM Users—which can be used by humans or programmatically by machines—and Azure App Registrations, which serve as identities for applications in Microsoft Azure.

• For AWS IAM Users credentials consist of access keys, which include an access key ID and a secret access key. The rotation process involves three steps. First, generate new access keys. Next, update the relevant apps to use these new keys. Finally, remove the outdated keys from the system.
• Azure App Registrations use client secrets or certificates as credentials. The rotation process involves generating new secrets or certificates, updating the associated applications to use these new credentials, and subsequently removing the outdated ones.

Implementing a systematic approach to credential rotation enhances overall security posture and protects against unauthorized access attempts.

STEP 5: Continuously Monitor High-Risk Identities

"High-Risk" here refers not only to the permissions an identity holds but also to its function. For example, external identities with access to internal resources, or those with administrative control over the entire organization, are inherently high-risk—regardless of their specific permissions.

External identities are entities outside your organization—such as third-party vendors or partner integrations—that have access to your cloud accounts or applications. Examples include AWS IAM Roles for cross-account access and Azure App Registrations that use external OIDC Providers for authentication. It's crucial to justify their existence, validate their permissions, and flag them in the system.

Admin credentials are high-privilege accounts that grant extensive access and control over cloud resources. It's crucial to identify and flag these admin users for security purposes. Organizations typically grant admin status through various means, including direct assignment of Administrator policies, membership in privileged groups, and assuming roles with admin access. The best approach is to identify and monitor these access paths.

Once admins are defined, they should then be subject to the following best practices:

• Maintaining a small, fixed set of admin accounts (typically 2–3).
• Implementing stronger authentication methods (e.g., 3 factors for MFA) for all admin accounts.
• Using temporary (just-in-time) elevated access for specific tasks instead of permanent admin rights.

STEP 6:  Maintain Least-Privilege and Just-in-Time Access

The principle of least privilege (PoLP) is fundamental to robust cloud security. By maintaining every identity in the least-privileged state, you minimize the impact of an identity compromise. Implementing least privilege requires a dynamic approach to access management that:

• Analyzes historical behavior patterns of identities to understand actual access needs.
• Derives least privilege policies based on usage and risk.
• Continuously adjusts roles by revoking unused or excessive permissions.
• Enables just-in-time access to elevated privileges.

By leveraging historical usage and dynamic risk data, organizations can create a more precise and adaptive least-privilege model. This approach enhances security by minimizing the attack surface.

Challenges of Least Privilege

While the Principle of Least Privilege (PoLP) is crucial for cloud security to reduce your blast radius, implementing it at scale presents significant challenges:

• Cloud environments are complex, with 10s of 1000s of fine-grained permissions, numerous services, and intricate permission structures.
• The sheer volume of identities to manage.
• The dynamic nature of cloud workloads that use NHIs.
• Concerns about business continuity when applying restrictive policies.
• Manual processes and siloed tools

Overcoming these challenges requires automation, continuous monitoring, and adaptive policy management systems.

Continuous Cloud Identity Security with Andromeda

Andromeda Security is an AI-powered Identity Security Platform for human and non-human/NHI identities in the cloud. We automate identity permissions and lifecycle using context, risk, and behavioral analysis and defend your business against identity breaches.

Andromeda’s Identity Security benefits:

• Visibility and operational insights with automated discovery.
• Real-time risk reduction of excessive privileges
• Just-in-time least privilege access with automated or manual approvals.
• Gen AI-powered session summaries of all actions.
• Simplified governance and compliance through easy-to-access data.

Contact us for a free risk assessment to learn more about how to continuously defend your organization against identity-based breaches—even if an identity is compromised.