According to Mark Ryland of AWS, enterprises far too frequently fail to use identity systems in a least-privilege manner. Ask Mark Ryland, director of the Office of the CISO at AWS, how easy it is to make mistakes and misconfigure settings in the cloud.
Ryland stated in an interview at Black Hat USA 2023 that when AWS customers create a principal for an application or workload that needs to use APIs, whether it’s an EC2 role or an IAM user, they need to limit the level of access and permissions assigned to that principal.

He claimed that too many businesses “do not do least-privilege work with their identities and their principals in the identity system.” That is still, in my opinion, the most obvious thing.