Access Control in Cloud Services

The following notes apply to the main cloud services: Amazon AWS, Microsoft Azure, Google GCP.

RBAC

All of them are based on Role-Based Access Control (RBAC). RBAC roles resemble account groups in operating systems, but there are subtle differences between the two notions:

  • Groups are primarily about identity aggregation: a user can belong to multiple groups, and permissions (what a user can do) are typically cumulative across them. RBAC roles are primarily about functional responsibilities: a user typically assumes one primary role at a time, and each role defines what can be accessed and what can be done.
  • Group membership is usually static and always active. RBAC roles may require explicit activation or switching.
  • RBAC roles can enforce mutual exclusion between roles.

In general, RBAC involves a more explicit separation between roles/groups and allowed actions.
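The following toy model, added here as an illustration and not taken from any cloud provider's IAM, contrasts the two notions side by side: an OS-style group model where membership is always in effect and permissions accumulate, and an RBAC model where assigned roles grant nothing until activated in a session and where a pair of roles can be declared mutually exclusive. All role, group and permission names are constructed for the example.

```python
"""Groups vs. RBAC roles: cumulative/static membership versus
explicitly activated, mutually exclusive roles.
Added example with constructed names; not any provider's IAM model."""


class AccessDenied(Exception):
    """Raised when a role activation violates the RBAC rules."""


class GroupModel:
    """OS-style groups: membership is static and always in effect,
    and a user's permissions are the union over all their groups."""

    def __init__(self, group_perms: dict[str, set[str]]):
        self.group_perms = group_perms
        self.members: dict[str, set[str]] = {}

    def add_member(self, user: str, group: str) -> None:
        self.members.setdefault(user, set()).add(group)

    def permissions(self, user: str) -> set[str]:
        perms: set[str] = set()
        for group in self.members.get(user, set()):
            perms |= self.group_perms[group]
        return perms


class RBACModel:
    """RBAC roles: assignment alone grants nothing; a role must be
    activated in the user's session, and two roles listed as an
    exclusive pair can never be active at the same time (an assumed
    session-level form of mutual exclusion)."""

    def __init__(self, role_perms: dict[str, set[str]],
                 exclusive_pairs: list[tuple[str, str]]):
        self.role_perms = role_perms
        self.exclusive = {frozenset(pair) for pair in exclusive_pairs}
        self.assigned: dict[str, set[str]] = {}
        self.active: dict[str, set[str]] = {}

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role}")
        self.assigned.setdefault(user, set()).add(role)

    def activate(self, user: str, role: str) -> None:
        if role not in self.assigned.get(user, set()):
            raise AccessDenied(f"{user} is not assigned role {role}")
        for other in self.active.get(user, set()):
            if frozenset((other, role)) in self.exclusive:
                raise AccessDenied(
                    f"{role} is mutually exclusive with active role {other}")
        self.active.setdefault(user, set()).add(role)

    def deactivate(self, user: str, role: str) -> None:
        self.active.get(user, set()).discard(role)

    def permissions(self, user: str) -> set[str]:
        # Only *active* roles contribute, unlike groups.
        perms: set[str] = set()
        for role in self.active.get(user, set()):
            perms |= self.role_perms[role]
        return perms


def demo() -> dict:
    """Walk one user through both models and return what each grants."""
    groups = GroupModel({"dev": {"code:push"}, "ops": {"prod:deploy"}})
    groups.add_member("alice", "dev")
    groups.add_member("alice", "ops")

    rbac = RBACModel(
        role_perms={"developer": {"code:push"},
                    "deployer": {"prod:deploy"},
                    "auditor": {"log:read"}},
        exclusive_pairs=[("developer", "deployer")],  # constructed conflict
    )
    for role in ("developer", "deployer", "auditor"):
        rbac.assign("alice", role)

    result = {"group_perms": groups.permissions("alice"),
              "rbac_idle": rbac.permissions("alice")}  # nothing active yet
    rbac.activate("alice", "developer")
    rbac.activate("alice", "auditor")
    result["rbac_active"] = rbac.permissions("alice")
    try:
        rbac.activate("alice", "deployer")  # conflicts with developer
        result["conflict_blocked"] = False
    except AccessDenied:
        result["conflict_blocked"] = True
    # Switching: drop developer first, then deployer becomes activatable.
    rbac.deactivate("alice", "developer")
    rbac.activate("alice", "deployer")
    result["rbac_switched"] = rbac.permissions("alice")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The same user holds three role assignments but, in the RBAC model, sees no permissions until a role is activated and can never hold the two conflicting roles in one session; in the group model every membership is in force at once.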

Policies

Access Control Lists (ACLs) are used to specify access control rules only for storage resources.

Rules for all the other resources are specified with policy documents. Broadly speaking, a policy document specifies one or more of the following:

  • A set of roles.
  • A set of allowed actions.
  • A set of denied actions.
  • A set of resources.
  • A set of conditions that must be met for the request to be allowed or that, if met, deny the request. These conditions may be attributes of the role, of the resource, or of the request (e.g., time of day, IP address and the like).

Syntax and semantics of policy documents depend on the specific cloud environment.

Access requests are mediated by a centralized policy evaluation service that enforces the policies described in policy documents.
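To make the structure above concrete, here is a small policy evaluator added as an example; its document format and condition operators are constructed for illustration and do not follow AWS, Azure or GCP syntax. It implements the evaluation rules common to the cloud IAM services: a request is denied unless some statement allows it (default deny), a matching deny statement overrides any allow, and a statement only matches when its role, action and resource patterns fit the request and all of its conditions hold.

```python
"""Toy policy document and centralized evaluator.
Added example; document format, operators and sample values are
constructed and mirror no specific provider's policy language."""
import fnmatch
import ipaddress

# Constructed policy document: a list of statements, each with an effect,
# role/action/resource patterns ('*' wildcard) and optional conditions.
POLICY = {
    "statements": [
        {   # developers may read application logs during working hours
            "effect": "allow",
            "roles": ["developer"],
            "actions": ["storage:get*", "storage:list"],
            "resources": ["bucket:app-logs/*"],
            "conditions": {"hour_between": [8, 18]},
        },
        {   # admins may do anything, but only from the internal range
            "effect": "allow",
            "roles": ["admin"],
            "actions": ["*"],
            "resources": ["*"],
            "conditions": {"ip_in": "10.0.0.0/8"},
        },
        {   # nobody may delete the audit trail, regardless of other allows
            "effect": "deny",
            "roles": ["*"],
            "actions": ["storage:delete*"],
            "resources": ["bucket:audit-trail/*"],
        },
    ]
}


def _any_match(patterns: list[str], value: str) -> bool:
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _conditions_met(conditions: dict, request: dict) -> bool:
    """All conditions must hold. Operators are constructed for the example:
    ip_in (source IP inside a CIDR) and hour_between ([start, end) hour)."""
    for operator, argument in conditions.items():
        if operator == "ip_in":
            if ipaddress.ip_address(request["source_ip"]) not in \
                    ipaddress.ip_network(argument):
                return False
        elif operator == "hour_between":
            start, end = argument
            if not start <= request["hour"] < end:
                return False
        else:
            # An unknown operator is a policy bug; fail closed rather than
            # silently treating the condition as satisfied.
            raise ValueError(f"unknown condition operator {operator!r}")
    return True


def evaluate(policy: dict, request: dict) -> tuple[str, str]:
    """Return (decision, reason). Default deny; explicit deny wins."""
    decision, reason = "deny", "no matching allow statement (default deny)"
    for index, stmt in enumerate(policy["statements"]):
        if not (_any_match(stmt["roles"], request["role"])
                and _any_match(stmt["actions"], request["action"])
                and _any_match(stmt["resources"], request["resource"])):
            continue
        if not _conditions_met(stmt.get("conditions", {}), request):
            continue
        if stmt["effect"] == "deny":
            return "deny", f"explicit deny by statement {index}"
        decision, reason = "allow", f"allowed by statement {index}"
    return decision, reason


def decide(role, action, resource, source_ip="10.0.0.5", hour=10) -> str:
    """Convenience wrapper returning just the decision for POLICY."""
    request = {"role": role, "action": action, "resource": resource,
               "source_ip": source_ip, "hour": hour}
    return evaluate(POLICY, request)[0]


if __name__ == "__main__":
    samples = [  # constructed requests
        ("developer", "storage:get", "bucket:app-logs/2024.log", "10.0.0.5", 10),
        ("developer", "storage:get", "bucket:app-logs/2024.log", "10.0.0.5", 22),
        ("developer", "storage:delete", "bucket:app-logs/2024.log", "10.0.0.5", 10),
        ("admin", "storage:delete", "bucket:audit-trail/day1", "10.1.2.3", 10),
        ("admin", "storage:get", "bucket:app-logs/2024.log", "203.0.113.5", 10),
        ("admin", "storage:get", "bucket:app-logs/2024.log", "10.1.2.3", 10),
    ]
    for role, action, resource, ip, hour in samples:
        req = {"role": role, "action": action, "resource": resource,
               "source_ip": ip, "hour": hour}
        print(role, action, resource, ip, hour, "->", evaluate(POLICY, req))
```

Two details matter for security review of any such evaluator: the admin's unrestricted allow does not help when the request comes from outside the allowed network, because an allow whose condition fails simply does not match, and the unconditional deny on the audit trail defeats even that broad allow, which is the property that lets organization-wide guardrails be expressed as policy.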

Policy documents are managed in a centralized way. Such a centralized Identity and Access Management (IAM) framework simplifies compliance, auditing, automation and scales to thousands of identities and resources much better than ACLs.

Mandatory access control

Policies can support forms of Mandatory Access Control, i.e., centralized mechanisms for defining and enforcing organization-wide rules.