Dev.to, Jan 28, 2026, 10:32 PM
AWS 'air gaps' busted: your private subnet is cute, but one leaky IAM policy lets hackers s3 cp your secrets straight to their bucket


A recent discussion with Dr. Goran Pavlović, Cyber Defense Architect, highlighted the limitations of "air-gapped" cloud architectures: they shift risk rather than remove it. In cloud environments, identity and access management (IAM) policies become the new perimeter, and if they fail, the "air gap" is compromised. A network boundary such as a virtual private cloud (VPC) can stop network packets, but it cannot stop API calls. To create a true "digital air gap", IAM and resource policies must be treated as the primary firewalls: restrict usage to specific organizations, and implement service control policies and key management service (KMS) key policies. Done this way, an attacker who reaches the data still cannot decrypt it. This approach acknowledges that the perimeter has shifted in cloud environments, and that security controls must adapt accordingly.
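The controls the summary names (organization-scoped access to S3, a service control policy, a KMS key policy) in concrete form, as an added example written for this page rather than code from the article or from Dr. Pavlović. It assumes a placeholder organization ID `o-exampleorgid` and placeholder role ARNs, and the small evaluator it includes models only the condition operators these two policies use; it is not an IAM simulator, so confirm real decisions with the IAM policy simulator.

```python
"""Added example (not from the article): the IAM-side controls named above,
as real policy JSON plus a minimal evaluator.

  * an SCP that denies S3 object access to buckets owned outside our org
    (aws:ResourceOrgID), so a role inside the VPC cannot `aws s3 cp` data to
    an attacker-owned bucket even though the network path exists;
  * a KMS key policy that lets only principals inside our org use the key
    (aws:PrincipalOrgID), so copied ciphertext stays undecryptable.

ORG_ID and the ARNs are constructed placeholders.
"""
import fnmatch
import json

ORG_ID = "o-exampleorgid"                                   # placeholder
KEY_ADMIN_ROLE = "arn:aws:iam::111122223333:role/KeyAdmin"  # placeholder


def cross_org_s3_scp(org_id: str) -> dict:
    """SCP: explicit Deny for S3 object reads/writes unless the bucket owner's
    account is in our org. SCPs never grant; they only cap what IAM can allow."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyS3ObjectsOutsideOrg",
            "Effect": "Deny",
            "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
            "Resource": "*",
            # aws:ResourceOrgID is absent when the bucket owner is in no org;
            # the negated operator then still matches, which is what we want.
            "Condition": {"StringNotEquals": {"aws:ResourceOrgID": org_id}},
        }],
    }


def org_scoped_kms_key_policy(org_id: str, key_admin_role_arn: str) -> dict:
    """KMS key policy: the admin role manages the key; cryptographic use is
    allowed only to principals whose account belongs to our org. Callers still
    need an identity policy in their own account granting kms:Decrypt etc."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "KeyAdministration", "Effect": "Allow",
             "Principal": {"AWS": key_admin_role_arn},
             "Action": "kms:*", "Resource": "*"},
            {"Sid": "AllowUseOnlyInsideOrg", "Effect": "Allow",
             "Principal": {"AWS": "*"},
             "Action": ["kms:Encrypt", "kms:Decrypt",
                        "kms:GenerateDataKey*", "kms:DescribeKey"],
             "Resource": "*",
             "Condition": {"StringEquals": {"aws:PrincipalOrgID": org_id}}},
        ],
    }


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _conditions_match(cond: dict, ctx: dict) -> bool:
    """All condition blocks must hold (AND). Only the operators used above."""
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)  # None when the key is absent from the request
            if op == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            elif op == "StringNotEquals":
                if actual in _as_list(expected):
                    return False
            else:
                raise ValueError(f"operator {op} not modelled")
    return True


def _statement_matches(st: dict, action: str, ctx: dict) -> bool:
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
        return False
    principal = st.get("Principal", {}).get("AWS", "*")  # SCPs carry no Principal
    if principal != "*" and principal != ctx.get("principal_arn"):
        return False
    return _conditions_match(st.get("Condition", {}), ctx)


def evaluate_scp(policy: dict, action: str, ctx: dict) -> str:
    """'Deny' if any Deny statement matches, else 'NotDenied' (an SCP cannot allow)."""
    for st in policy["Statement"]:
        if st["Effect"] == "Deny" and _statement_matches(st, action, ctx):
            return "Deny"
    return "NotDenied"


def key_policy_allows(policy: dict, action: str, ctx: dict) -> bool:
    """True if an Allow statement matches and no Deny statement does."""
    stmts = policy["Statement"]
    if any(s["Effect"] == "Deny" and _statement_matches(s, action, ctx) for s in stmts):
        return False
    return any(s["Effect"] == "Allow" and _statement_matches(s, action, ctx) for s in stmts)


if __name__ == "__main__":
    scp = cross_org_s3_scp(ORG_ID)
    key_policy = org_scoped_kms_key_policy(ORG_ID, KEY_ADMIN_ROLE)
    # The `s3 cp` exfiltration path: PutObject into a bucket owned by another org.
    print("copy to attacker bucket:", evaluate_scp(scp, "s3:PutObject", {"aws:ResourceOrgID": "o-attackerorg"}))
    print("copy to in-org bucket:  ", evaluate_scp(scp, "s3:PutObject", {"aws:ResourceOrgID": ORG_ID}))
    outsider = {"principal_arn": "arn:aws:iam::999999999999:role/Outsider",
                "aws:PrincipalOrgID": "o-attackerorg"}
    print("outsider kms:Decrypt:   ", key_policy_allows(key_policy, "kms:Decrypt", outsider))
    print(json.dumps(scp, indent=2))
```

Running the module prints the SCP and the three decisions. The SCP belongs on the organizational unit that holds the workload accounts, and the key policy replaces the default policy on the customer-managed key protecting the data; together they make the network position of a compromised role irrelevant to whether it can copy out plaintext.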

Viral Score: 82%
