Find identity risk and simplify privileged access to AWS resources through IAM and Identity Center.
AWS recommends attaching permissions to IAM groups (and to roles or IAM Identity Center permission sets) rather than to individual users: a user is placed in a group, and the group's policies determine what that user can do with services, S3 buckets, databases and other resources. AWS does not, however, provide a native request-and-approval workflow for granting that group membership just-in-time or for a limited period, so enforcing least privilege across many accounts quickly becomes hard to manage.
Trustle with AWS
Overview
The Trustle AWS connector provides visibility into AWS IAM and IAM Identity Center groups and lets you manage their membership. By combining each user's group membership with the activity recorded in CloudTrail, Trustle identifies unused permissions, orphaned users (users with no clear owner), and users that are no longer active.
Inspect all IAM groups
The Trustle AWS connector gathers a wide range of information from AWS to help you understand who has access to what, as well as how that access is used. Trustle gathers information about the following:
All users on the platform (including human users and non-human / service accounts)
All groups and membership in the groups
User activity, including detailed analysis of the actions they perform and which permissions were needed to perform each
Resources the AWS Connector Inspects
View all users on AWS
Many IAM users are not people but workloads, CI pipelines or third-party tools that authenticate with long-lived access keys, so they never appear in a corporate directory or identity provider. Trustle discovers and represents every IAM user regardless, and links those that correspond to people to their directory identity.
Classify service accounts vs. human users
IAM access keys have no built-in expiry and AWS does not enforce rotation. Trustle tracks an expected lifetime for each key and alerts you when a key has outlived it and should be rotated.
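The raw material for both the human/service classification and the rotation and MFA checks is the IAM credential report, which AWS returns as a CSV (`aws iam get-credential-report`, base64-decoded). The following is an added example, not Trustle's code, showing one way to derive those findings from it. The report rows are constructed for illustration; the column names are the real ones, and the 90-day and 45-day thresholds are assumptions you would set to your own policy.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample in the column layout of the IAM credential report.
# Dates are ISO-8601; "N/A", "no_information" and "not_supported" mean absent.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2020-01-01T00:00:00+00:00,not_supported,2024-05-30T09:12:00+00:00,not_supported,not_supported,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2021-03-01T00:00:00+00:00,true,2024-05-31T08:00:00+00:00,2024-03-01T00:00:00+00:00,N/A,true,true,2024-05-02T00:00:00+00:00,2024-05-31T08:05:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2022-06-15T00:00:00+00:00,true,2024-05-20T10:00:00+00:00,2023-12-01T00:00:00+00:00,N/A,false,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
ci-deployer,arn:aws:iam::123456789012:user/ci-deployer,2022-01-10T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-11-14T00:00:00+00:00,2024-05-27T00:00:00+00:00,eu-west-1,ecr,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
legacy-backup,arn:aws:iam::123456789012:user/legacy-backup,2019-08-01T00:00:00+00:00,false,N/A,N/A,N/A,false,true,2023-04-28T00:00:00+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
"""

# Fixed "now" so the sample ages are reproducible (assumption for the example).
REPORT_TIME = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_report(text):
    return list(csv.DictReader(io.StringIO(text)))


def _date(value):
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def classify(row):
    """root / human / service / dormant, from the credentials a user can actually use."""
    if row["user"] == "<root_account>":
        return "root"
    if row["password_enabled"] == "true":
        return "human"      # console login: a person, or should be treated as one
    if row["access_key_1_active"] == "true" or row["access_key_2_active"] == "true":
        return "service"    # keys only, no console: workload or integration
    return "dormant"        # no usable credential at all


def audit(rows, now, max_key_age_days=90, max_unused_days=45):
    """Return (user, finding, days) tuples for MFA gaps and stale or idle keys."""
    findings = []
    for row in rows:
        user, kind = row["user"], classify(row)
        # MFA is expected for anyone who can reach the console, and for root.
        if kind in ("human", "root") and row["mfa_active"] != "true":
            findings.append((user, "no_mfa", 0))
        for n in ("1", "2"):
            if row[f"access_key_{n}_active"] != "true":
                continue
            age = (now - _date(row[f"access_key_{n}_last_rotated"])).days
            if age > max_key_age_days:
                findings.append((user, f"key_{n}_stale", age))
            last_used = _date(row[f"access_key_{n}_last_used_date"])
            if last_used is None:
                findings.append((user, f"key_{n}_never_used", age))
            elif (now - last_used).days > max_unused_days:
                findings.append((user, f"key_{n}_unused", (now - last_used).days))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_report(SAMPLE_REPORT), REPORT_TIME):
        print(finding)
```

Two points the report makes visible that a directory sync never will: `legacy-backup` has an active key that was issued over a year ago and has never been used, which is a candidate for deletion rather than rotation, and the root account itself shows up as lacking MFA.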
Discover usage patterns
Trustle monitors usage patterns for each user and recommends the level of permissions actually needed. You can use it to right-size each user's privileges while still letting users obtain just-in-time access when they need it.
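The usage-versus-entitlement comparison behind that recommendation can be reproduced from a group's policy document and the CloudTrail events of its members. The block below is an added example, not Trustle's implementation: the CloudTrail records and the group policy are constructed for illustration, and the mapping of `eventSource`/`eventName` to an IAM action is a working approximation (most management events map directly, but some API names differ from their IAM action, and S3 object-level calls only appear if data events are enabled on the trail).

```python
import fnmatch
import json
from collections import defaultdict

# Constructed CloudTrail records, trimmed to the fields this analysis reads.
SAMPLE_TRAIL = json.loads("""{"Records": [
 {"eventTime": "2024-05-30T10:01:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2024-05-30T10:02:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBucket",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}},
 {"eventTime": "2024-05-30T11:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
  "userIdentity": {"type": "IAMUser", "userName": "alice"}, "errorCode": "AccessDenied"},
 {"eventTime": "2024-05-30T12:00:00Z", "eventSource": "dynamodb.amazonaws.com", "eventName": "GetItem",
  "userIdentity": {"type": "IAMUser", "userName": "bob"}},
 {"eventTime": "2024-05-30T12:30:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
  "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/Deploy/ci"}}
]}""")

# Constructed policy attached to the group both users belong to.
GROUP_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"], "Resource": "*"},
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:StartInstances"], "Resource": "*"}
  ]}""")


def used_actions(records):
    """Successful API calls per IAM user, expressed as IAM actions (service:Action)."""
    used = defaultdict(set)
    for rec in records:
        ident = rec.get("userIdentity", {})
        if ident.get("type") != "IAMUser":
            continue                      # role sessions are attributed to the role, not here
        if "errorCode" in rec:
            continue                      # a denied call is not evidence that access is needed
        service = rec["eventSource"].split(".")[0]
        used[ident["userName"]].add(f"{service}:{rec['eventName']}")
    return dict(used)


def allowed_patterns(policy):
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def matches(pattern, action):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def right_size(policy, used):
    """Split the group's allowed action patterns into exercised and never-used."""
    all_used = set().union(*used.values()) if used else set()
    exercised, unused = {}, []
    for pattern in allowed_patterns(policy):
        hits = sorted(a for a in all_used if matches(pattern, a))
        if hits:
            exercised[pattern] = hits
        else:
            unused.append(pattern)
    return exercised, unused


def minimal_policy(policy, used):
    """A policy allowing only the actions actually observed (resources still '*';
    the CloudTrail 'resources' field could be used to narrow them further)."""
    all_used = set().union(*used.values()) if used else set()
    return {"Version": policy["Version"],
            "Statement": [{"Effect": "Allow", "Action": sorted(all_used), "Resource": "*"}]}


if __name__ == "__main__":
    used = used_actions(SAMPLE_TRAIL["Records"])
    exercised, unused = right_size(GROUP_POLICY, used)
    print("exercised:", exercised)
    print("unused:", unused)
    print(json.dumps(minimal_policy(GROUP_POLICY, used), indent=2))
```

On this sample, `dynamodb:*` is exercised only through `GetItem`, and the EC2 statement and `s3:PutObject` are never used at all, which is exactly the kind of entitlement a right-sizing recommendation would target. Run the same comparison over a lookback window long enough to cover monthly or quarterly jobs before acting on it.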
Privileged Access Management
Manage access to AWS resources
With automatic provisioning enabled, the Trustle connector changes IAM group membership itself when an access request is approved: a user requests membership in a group, the owners of the underlying AWS resources approve, and Trustle adds the user's IAM user to that group. This makes just-in-time access on AWS easy to manage. Trustle keeps a history of every access request, every workflow step, and every change it makes, so your security team and auditors have the evidence they need to show compliance.

Using the inventory gathered from AWS together with the observed usage data, Trustle recommends ways to improve the security posture of the identities in your environment. For example, it will recommend removing access a user does not use (least privilege), removing users that are no longer active (account cleanup), and raising the sensitivity rating of high-risk resources. It also recommends rotating credentials at set intervals and flags when specific users should be reviewed, and it highlights accounts whose access keys or signing certificates are due for rotation and accounts that lack multi-factor authentication (MFA).

By weighing the sensitivity of a resource or service against how often a user actually needs it, Trustle also identifies entitlements that should be converted from standing access to Temporary or Just-in-Time access, so that access to those resources is governed by least-privilege principles.
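The request, approval, group change and later revocation described above are the parts a broker has to get right. What follows is an added example of such a workflow, not Trustle's code. It is written against the three boto3 IAM client calls it would need (`add_user_to_group`, `remove_user_from_group`, `get_group`, with their real keyword arguments), but runs here against an in-memory stand-in with the same method names so it works offline; the request and grant model, the one-hour default TTL and the group and user names are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


class MemoryIam:
    """In-memory stand-in for boto3.client("iam") exposing only the three calls
    the broker uses, with boto3's method names and keyword arguments, so the
    broker can be pointed at the real client unchanged (assumption for the example)."""

    def __init__(self):
        self.groups = defaultdict(set)

    def add_user_to_group(self, GroupName, UserName):
        self.groups[GroupName].add(UserName)

    def remove_user_from_group(self, GroupName, UserName):
        self.groups[GroupName].discard(UserName)

    def get_group(self, GroupName):
        return {"Users": [{"UserName": u} for u in sorted(self.groups[GroupName])]}


@dataclass
class Grant:
    request_id: int
    user: str
    group: str
    requester: str
    state: str = "pending"              # pending -> approved -> revoked, or denied
    expires_at: Optional[datetime] = None


class JitBroker:
    """Hypothetical request / approve / expire workflow for IAM group membership."""

    def __init__(self, iam):
        self.iam = iam
        self.grants = {}
        self.audit = []                 # append-only evidence trail for auditors
        self._next_id = 1

    def _log(self, now, event, grant, actor):
        self.audit.append({"time": now.isoformat(), "event": event, "request_id": grant.request_id,
                           "user": grant.user, "group": grant.group, "actor": actor})

    def request(self, now, user, group, requester):
        grant = Grant(self._next_id, user, group, requester)
        self._next_id += 1
        self.grants[grant.request_id] = grant
        self._log(now, "requested", grant, requester)
        return grant.request_id

    def approve(self, now, request_id, approver, ttl=timedelta(hours=1)):
        grant = self.grants[request_id]
        if grant.state != "pending":
            raise ValueError(f"request {request_id} is {grant.state}, not pending")
        if approver == grant.requester:
            # Separation of duties: nobody approves their own elevation; record the attempt.
            self._log(now, "approval_refused", grant, approver)
            raise PermissionError("requester cannot approve their own request")
        members = {m["UserName"] for m in self.iam.get_group(GroupName=grant.group)["Users"]}
        if grant.user in members:
            # Standing membership must not be silently turned into a grant the sweep
            # would later revoke; surface it so the standing access gets reviewed instead.
            raise ValueError(f"{grant.user} already has standing membership in {grant.group}")
        self.iam.add_user_to_group(GroupName=grant.group, UserName=grant.user)
        grant.state, grant.expires_at = "approved", now + ttl
        self._log(now, "approved", grant, approver)

    def deny(self, now, request_id, approver):
        grant = self.grants[request_id]
        grant.state = "denied"
        self._log(now, "denied", grant, approver)

    def sweep(self, now):
        """Revoke every approved grant whose TTL has elapsed; returns the ids revoked."""
        revoked = []
        for grant in self.grants.values():
            if grant.state == "approved" and grant.expires_at <= now:
                self.iam.remove_user_from_group(GroupName=grant.group, UserName=grant.user)
                grant.state = "revoked"
                self._log(now, "expired", grant, "system")
                revoked.append(grant.request_id)
        return revoked


if __name__ == "__main__":
    iam, broker = MemoryIam(), JitBroker(MemoryIam())
    t0 = datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc)
    rid = broker.request(t0, "alice", "prod-db-admins", requester="alice")
    broker.approve(t0, rid, approver="dba-lead", ttl=timedelta(hours=2))
    print(broker.sweep(t0 + timedelta(hours=2)), broker.audit)
```

The sweep is what turns a group change into just-in-time access: it has to run on a schedule independent of the approval path, and its revocations go into the same audit trail as the approvals so that the history shows not only who was granted what, but when it was taken away.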
More Integrations
Okta
Connect Trustle with Okta and easily assign your users to any groups or roles for just-in-time access to resources.