Enterprises
Individuals
Enterprises
Individuals
Menu
Menu
Sign in
Product
Solutions
Pricing
Resources
Learn
Hands-on Labs
Courses
Learning Journeys
Challenges
Cloud Sandboxes
Playgrounds
Measure
Assessments
Tournaments
Certifications
Reports
Integrate
SCORM & LTI
SSO & SCIM
Our Learning Platform
Get Started Today
Book a demo
Get free trial
Contact us
Industries
Manufacturing
Government
Finance
Technology
Healthcare
Defense
Retail
Teams
C-suite
Security Teams
Engineering Teams
For L&D
We’ll help you
Achieve ROI
Achieve Compliance
Reduce Risk
Measurable Increase in Skills
Instructor Led Training
Success Stories
View all
View Enterprise Plans
Resources
E-books
Case studies
Webinars
Blog
Support
AppSecEngineer 101 Guide
Help Center
Discord
Teams
For C-suite
For Engineering Teams
For Product Teams
For L&D
What’s New
View all
Technology to Make Compliance Easier and More Efficient
How to Protect Your Organization from AI Threats Using Role-Based Security Training
X
X
X
Enterprises
Individuals
Enterprises
Individuals
Sign in
Menu
Menu
Training for
Library
Platform
Pricing
Resources
BLACK FRIDAY DEAL: Use coupon ‘LEVELUP40’ and get a 40% off on all Annual Plans.
Popular with:
Cloud Engineer

Access Control through Observability

Updated:
September 20, 2022
Written by
Abhay Bhargav

Access control is a security approach that governs who or what has access to and uses resources in a computing environment. It is a key security concept that reduces risk to the business or organization. Access control is a difficult task and if not implemented properly it can lead to a cyber security crisis. 

One technique I believe is gaining traction recently is the "Access Control through Observability." It works by deploying a resource in a test-bed/staging environment and monitoring all of the components/parameters that this resource accesses. Then, based on these parameters, create an access policy, denying everything else.  

 

Let's look at various tools that can help us prevent access control attacks in the cloud and Kubernetes environments. 

 

1. Containers & K8s:

Let's get into it with containers and Kubernetes. For containers, I like to use eBPF to detect syscalls made by the container. Next, use Sysdig falco to detect or kubearmor to add Linux Security Modules like AppArmor to the runtime security requirements. 

 

2. Audit2RBac

Next up, we've got Audit2Rbac. It is a good RBAC solution for Kubernetes users. As input, you can use a Kubernetes audit log and the user. Next, utilize it to construct an "auto-gen" RBAC manifest depending on the user's calls. This is excellent for service accounts. 

 

3. IAM access analyzer

Now, let's talk about the IAM access analyzer for Amazon Web Services that does a great job of "generating policy" based on Cloudtrail Control Plane events. It has certain limitations, but it is a beneficial AWS Security feature. 

 

4. The Recommender Function:

Next, we've got quite an interesting one. Google Cloud has an intriguing "recommender" function that evaluates permissions actually used by roles over time, with some machine learning thrown in for good measure. Based on this, it will automatically begin to generate recommended permissions. 

 

5. Mizu

Mizu is an excellent tool for Kubernetes networks. While this is exclusive to APIs (HTTP), you may use it to visualize your API traffic and then apply NetworkPolicies to it. 

 

6. VPC Flow Logs

Finally, VPC flow logs for network traffic visualization in the cloud are possibly your most reliable course. Deploy resources on a "staging" or "test" cloud account, collect VPC flow logs, and detect specific ingress and egress traffic patterns. 

Learn about the security techniques and tools in Kubernetes, with our expert-vetted hands-on learning courses, click here to begin!

Never stop learning!

Source for article
Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).

Categories

L&D
Product Teams
Engineering Teams
C-suite
Infographics
AI Security
Container Security
Threat Modeling
Cloud Security
DevSecOps
Kubernetes
Application Security

Latest

Technology to Make Compliance Easier and More Efficient
How to Protect Your Organization from AI Threats Using Role-Based Security Training
Are Your Management Practices Pushing Your Security Team to the Brink?
Protect Your Business By Strengthening API Security
How to Successfully Implement Shift-Left Security for Your Organization
Understanding SOC 2 Compliance: A Complete Guide
Ditch the Audit Panic! AppSecEngineer's Got Your Back.
The Complete Guide to ISO 27001 Compliance
A Guide to NIST SP 800-53: 20 Steps to Compliance
Thinking about a career in tech? DevOps vs DevSecOps
Deep-Dive into PCI-DSS: Achieve Compliance in 12 Steps
Why Less Is More for High-Impact Developer Education
Top 10 Cybersecurity Power Players
How to Build a Stronger, More Secure Software Supply Chain
Stop Security Team Burnout Before It Starts
BigQuery Vector Search for Log Analysis: A Security Researcher's Perspective
The AI Advantage in DevSecOps
One Week After the CrowdStrike Incident
An In-Depth Look at Secure-By-Design Strategies
The Only Guide You’ll Need to Build Your Own DevSecOps Trained Team

Ready to Elevate Your Security Training?

Empower your teams with the skills they need to secure your applications and stay ahead of the curve.
Get Our Newsletter
Get Started
X
X
FOLLOW APPSECENGINEER
CONTACT

Contact Support

help@appsecengineer.com

1603 Capitol Avenue,
Suite 413A #2898,
Cheyenne, Wyoming 82001,
United States

Copyright AppSecEngineer © 2023
QUICK LINKS
Sign InSign UpPrivacy Policy
E-BOOKS
Beginner's Guide to
a Career in AppSecTrain your Teams to Fly
FOLLOW APPSECENGINEER
CONTACT

Contact Support

help@appsecengineer.com

68 Circular Road, #02-01, 049422, Singapore

Copyright AppSecEngineer © 2023