Teri Radichel

Summary

Teri Radichel discusses a misleading AWS documentation policy regarding KMS key access for organizations or specific OUs, emphasizing the need for clearer documentation and the importance of abstraction in cybersecurity content.

Abstract

The web content presents a critical analysis by Teri Radichel of an AWS documentation policy that inadequately explains the implications of granting access to a KMS key for an organization or specific organizational units (OUs). Radichel points out that while the policy allows access to an OU, it also inadvertently grants access to the entire organization, which is not clearly stated in the documentation. She suggests that this information should be more transparent and possibly relocated to the KMS page with a link from the EC2 page. Radichel also notes that this is not an isolated incident and that she has previously found similar errors in AWS documentation. She advocates for the involvement of KMS policy experts in reviewing such documentation and emphasizes the principle of abstraction in creating effective and accurate cybersecurity documentation.

Opinions

  • The AWS documentation on granting KMS key access is misleading as it fails to clarify that access is granted to the entire organization, not just specific OUs.
  • The documentation should be revised for clarity and possibly restructured to ensure that it is placed where it is most relevant, such as on the KMS page.
  • There is a recurring issue of subtle errors in AWS documentation, which can lead to confusion and potential security misconfigurations.
  • Experts in KMS policies should review the documentation to ensure accuracy and prevent misinterpretation.
  • The lack of abstraction and centralization in documentation can lead to inconsistencies and errors across different sections, which is a significant problem in technical documentation.
  • Radichel suggests that the documentation error may have been corrected, but she is uncertain if the correction has been consistently applied across all relevant sections.
  • She promotes the principle of abstraction as a method to reduce complex topics to their essential elements, which is crucial for effective cybersecurity documentation.
  • Radichel encourages readers to follow her for updates on her findings and insights into cybersecurity documentation and practices.

Another AWS Documentation Misleading Policy

Granting access to a KMS key for an organization or specific OUs


The statement above the policy in the documentation below is misleading.

Yes, it grants access to the OU, but it also grants access to the entire organization. The documentation should make that clearer.

This would be to LIMIT access to specific OUs.
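To make the distinction concrete, here is an added example (my own constructed illustration, not the policy from the AWS documentation or from this post) that builds the two kinds of KMS key-policy statements and runs a deliberately simplified condition check over constructed organization, root and OU identifiers. It assumes the documented condition keys aws:PrincipalOrgID (whole organization) and aws:PrincipalOrgPaths (OU path, multivalued); the evaluator is a teaching stand-in for the IAM engine, not a reimplementation of it.

```python
import fnmatch

# Constructed sample identifiers (not taken from the article or AWS docs).
ORG_ID = "o-exampleorg1"
ROOT_ID = "r-exam"
PROD_OU = "ou-exam-prod0001"
DEV_OU = "ou-exam-dev00002"
KMS_ACTIONS = ["kms:Decrypt", "kms:GenerateDataKey*"]


def org_wide_statement(org_id):
    """Allows ANY principal in the organization. aws:PrincipalOrgID names
    the whole org, so this statement can never be narrowed to one OU."""
    return {
        "Sid": "AllowWholeOrganization",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}},
    }


def ou_scoped_statement(org_id, root_id, ou_id):
    """Allows only principals whose account sits under the named OU (or a
    nested OU). aws:PrincipalOrgPaths is multivalued, hence ForAnyValue."""
    path = f"{org_id}/{root_id}/{ou_id}/*"
    return {
        "Sid": "AllowSingleOu",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": KMS_ACTIONS,
        "Resource": "*",
        "Condition": {"ForAnyValue:StringLike": {"aws:PrincipalOrgPaths": [path]}},
    }


def account_path(org_id, root_id, *ous):
    """aws:PrincipalOrgPaths value for an account under the given OU chain
    (org/root/ou1/ou2/, ending with a slash; the account ID is not part of it)."""
    return "/".join([org_id, root_id, *ous]) + "/"


def statement_allows(stmt, principal_org_id, principal_org_paths):
    """Simplified check covering only the two operators used above; the real
    IAM engine evaluates far more (Deny statements, other keys, SCPs, ...)."""
    cond = stmt["Condition"]
    if "StringEquals" in cond:
        return cond["StringEquals"]["aws:PrincipalOrgID"] == principal_org_id
    patterns = cond["ForAnyValue:StringLike"]["aws:PrincipalOrgPaths"]
    return any(fnmatch.fnmatchcase(p, pat)
               for p in principal_org_paths for pat in patterns)
```

Running the checks shows that the aws:PrincipalOrgID statement matches an account in the dev OU just as readily as one in the prod OU, while the aws:PrincipalOrgPaths statement matches only the prod OU and OUs nested under it.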

I keep finding subtle errors like this throughout the documentation. This documentation is on the EC2 page. It should probably be on the KMS page and linked to from the EC2 page. People who are experts in KMS policies should be reviewing it.

This is not the first time I’ve found misleading policy documentation.

Looks like this one got fixed finally — I think.

I’m not sure if it got fixed everywhere that statement is made, however, and that’s the problem with a lack of abstraction and centralization in documentation, the same way you leverage abstraction for code or security.

Follow for updates.

Teri Radichel | © 2nd Sight Lab 2023
