AiIAM: Transforming the Democratized AWS IAM...
Anthony Scheller, Jorge L Gomez
BSidesSF 2024 · Day 1
This talk introduces **Vapor Lock**, an open-source project formerly known as AiIAM, designed to tackle the pervasive challenge of managing Identity and Access Management (IAM) policies in large, democratized cloud environments. Presented by Anthony Scheller, Head of Security Engineering at StubHub, and Jorge L Gomez, Staff Security Engineer and Tech Lead at Twilio, Vapor Lock combines **large language models (LLMs)** with **control plane log analysis** to enforce least privilege, particularly when creating service-to-service IAM policies. The core problem Vapor Lock aims to solve is the complexity and error-proneness of crafting precise IAM policies by hand, which routinely leads to overly permissive configurations such as a wildcard (`*`) for both `Action` and `Resource` and significantly increases an organization's attack surface.
AI review
This talk introduces Vapor Lock, an open-source tool that targets the pervasive problem of overly permissive IAM policies in AWS. It offers two primary functions: generating new, least-privilege policies with large language models (LLMs) from natural-language input, and deterministically right-sizing existing policies by analyzing the API calls recorded in CloudTrail. The architecture includes a crucial step of validating LLM-generated policies with AWS IAM Access Analyzer to catch hallucinated actions and malformed statements, a pragmatic way to apply AI in a security-critical domain. One caveat a practitioner should keep in mind: Access Analyzer's policy validation checks grammar and best practices, so it tells you a policy is well-formed, not that the permissions it grants match what the workload actually needs; the log-driven right-sizing path is what supplies that evidence.
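The deterministic, log-driven half of the approach described above can be illustrated with a small Python example. This is an added example and not Vapor Lock's own code: it takes a handful of constructed CloudTrail records for one role, keeps only that principal's successful calls, maps each `eventSource`/`eventName` pair to an IAM action, groups actions by the resource ARN CloudTrail recorded (generalizing S3 object keys to `bucket/*`), and emits a minimal `Allow` policy. The `SERVICE_PREFIX_OVERRIDES` and `ACTION_OVERRIDES` tables are deliberately partial and are assumptions for the example; the real mapping between API names and IAM action names is much larger. `lint_policy` is a local structural check that stands in for the Access Analyzer validation step, since that service cannot be called offline.

```python
"""Added example, not Vapor Lock's own code: deterministic right-sizing of an
AWS IAM policy from CloudTrail events, with a local structural lint standing in
for the IAM Access Analyzer validation the talk describes."""
import json
from collections import defaultdict

PRINCIPAL = "arn:aws:sts::123456789012:assumed-role/app-role/i-0123456789abcdef0"

# Constructed CloudTrail records, trimmed to the fields this example uses.
SAMPLE_EVENTS = [
    {"userIdentity": {"arn": PRINCIPAL}, "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::app-bucket/config/prod.json"}]},
    {"userIdentity": {"arn": PRINCIPAL}, "eventSource": "s3.amazonaws.com",
     "eventName": "ListObjectsV2",
     "resources": [{"ARN": "arn:aws:s3:::app-bucket"}]},
    {"userIdentity": {"arn": PRINCIPAL}, "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity"},
    {"userIdentity": {"arn": PRINCIPAL}, "eventSource": "monitoring.amazonaws.com",
     "eventName": "PutMetricData"},
    # A denied call is not evidence that the permission is needed.
    {"userIdentity": {"arn": PRINCIPAL}, "eventSource": "dynamodb.amazonaws.com",
     "eventName": "GetItem", "errorCode": "AccessDenied"},
    # Another principal's activity must not leak into this role's policy.
    {"userIdentity": {"arn": "arn:aws:iam::123456789012:user/admin"},
     "eventSource": "s3.amazonaws.com", "eventName": "DeleteObject",
     "resources": [{"ARN": "arn:aws:s3:::app-bucket/config/prod.json"}]},
]

# eventSource -> IAM service prefix where the two differ (partial, assumed).
SERVICE_PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}

# (prefix, eventName) -> IAM action where the API name is not the permission
# name (partial, assumed; the real table is far larger).
ACTION_OVERRIDES = {
    ("s3", "ListObjects"): "ListBucket",
    ("s3", "ListObjectsV2"): "ListBucket",
    ("s3", "HeadObject"): "GetObject",
}


def event_to_action(event):
    """Map a CloudTrail eventSource/eventName pair to an IAM action string."""
    source = event["eventSource"]
    prefix = SERVICE_PREFIX_OVERRIDES.get(source, source.split(".")[0])
    name = ACTION_OVERRIDES.get((prefix, event["eventName"]), event["eventName"])
    return f"{prefix}:{name}"


def generalize_resource(arn):
    """Collapse S3 object ARNs to bucket/* so one key does not pin the policy."""
    if arn.startswith("arn:aws:s3:::") and "/" in arn:
        return arn.split("/", 1)[0] + "/*"
    return arn


def observed_permissions(events, principal_arn):
    """Actions the principal successfully used, keyed by generalized resource."""
    perms = defaultdict(set)
    for ev in events:
        if ev.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        if ev.get("errorCode"):
            continue
        arns = [r["ARN"] for r in ev.get("resources", []) if "ARN" in r] or ["*"]
        for arn in arns:
            perms[generalize_resource(arn)].add(event_to_action(ev))
    return perms


def build_policy(perms):
    """One Allow statement per resource, with actions sorted for stable diffs."""
    statements = [{"Effect": "Allow", "Action": sorted(actions), "Resource": res}
                  for res, actions in sorted(perms.items())]
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Local structural lint; a stand-in for Access Analyzer, not a replacement."""
    findings = []
    for i, st in enumerate(policy["Statement"]):
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a}")
            elif ":" not in a:
                findings.append(f"statement {i}: malformed action {a}")
        if st["Effect"] == "Allow" and "*" in resources:
            findings.append(f"statement {i}: Resource * (confirm each action needs it)")
    return findings


# The "before" policy the talk warns about: wildcard Action on wildcard Resource.
OVERLY_PERMISSIVE = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}

if __name__ == "__main__":
    policy = build_policy(observed_permissions(SAMPLE_EVENTS, PRINCIPAL))
    print(json.dumps(policy, indent=2))
    print("before:", lint_policy(OVERLY_PERMISSIVE))
    print("after: ", lint_policy(policy))
```

Running the module prints three statements: `cloudwatch:PutMetricData` and `sts:GetCallerIdentity` on `*` (CloudTrail records no resource for those calls, and the lint flags the wildcard so a reviewer confirms it is legitimate), `s3:ListBucket` on the bucket, and `s3:GetObject` on `app-bucket/*`. The denied DynamoDB call and the other user's `DeleteObject` are dropped. In practice the observation window matters as much as the mapping tables: a policy derived from too short a window will omit rarely used but required actions, which is why a generated policy still needs a validation and review step before it replaces the wildcard one.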