When IAM security controls are implemented, most times they are overly permissive or misconfigured in the first place. For instance, it is not unusual for service accounts to be granted overly-permissive access for an application in AWS. When you grant a service account more permissions than it actually needs, you increase your attack vectors in the event of the credentials becoming compromised. To prevent these types of security incidents, teams need to ensure they are following the Principle of Least Privilege (POLP) wherever possible. Least Privilege means giving a user or service the permissions required to do the job effectively and nothing more. Accounts with properly scoped permissions give you protection from being exploited by a compromised account. In this post we will review 5 approaches to make Least Privilege easier within your AWS environments.
Leverage Salesforce Policy Sentry to Properly Format Policies
Policy Sentry is an open-source tool that allows users to generate IAM policies automatically, without needing to have an in-depth knowledge of AWS IAM. The generated policies are scoped according to the access levels and resource ARNs specified by the user. For example, a user can submit a request for READ access to a specific resource and policy sentry will create a properly formatted IAM policy containing all of the IAM permissions that have a READ access level to the specified resource. Scoping IAM policies to contain only the IAM permissions and resources needed will limit the blast radius in the event of credentials being compromised. Prior to Policy Sentry, companies had dedicated individuals that worked to hand-craft the perfect IAM policy. Enterprises can now scale IAM policy creation and deployment in an automated fashion with confidence, knowing the policies are properly scoped and securely written across the enterprise.
Enable CloudTrail to Monitor Activity Within AWS Accounts
CloudTrail is an AWS logging and monitoring service used to log API calls and events in your AWS account. CloudTrail can determine when a user or process made an API call to the AWS platform, who performed it, and where the action originated (their source IP address). CloudTrail is great for enforcing Least Privilege because it provides the historical data needed to scope your IAM policies towards Least Privilege. CloudTrail allows administrators to continuously profile IAM policies to ensure users, systems, and processes have the correct permissions applied to a policy. Coupling the power of Policy Sentry with CloudTrail logging data, you can ensure that users are really at Least Privilege. With CloudTrail you can view user historical actions and the resources a user or process has accessed and incorporate that into a Least Privilege policy. CloudTrail is a very powerful service to tailor Least Privilege in your AWS environment.
Leverage IAM Access Advisor to Remove Unused IAM Permissions
IAM Access Advisor allows administrators to view when a service was last accessed by an IAM principal. Leveraging this service can help identify unused or unnecessary permissions that are currently attached to an IAM user or policy. With the information gathered from IAM Access Advisor, you are able to scope down IAM policies to only allow access to services currently in use. When you give users access to only what they use, you ensure that everyone is adhering to Least Privilege. In addition to capturing when a service was last used, Access Advisor can also determine when S3 management actions were last leveraged. To prevent threat actors from gaining an upper hand in your AWS cloud environments, review this information regularly to limit a user’s access to the services they use on a regular basis. Using Access Advisor with Policy Sentry and CloudTrail data in an automated fashion makes for very data-driven and precise Least Privileged IAM policies.
Implement AWS Service Control Policies to Set Baselines
AWS Service Control Policies (SCPs) are a type of security guardrail that can be managed at the organization unit (OU), underlying accounts within an OU and the root OU for your AWS environments. SCPs allow fine-grained control of permissions that can be centrally managed to be consistent across a fleet of AWS accounts. SCPs can also support governance and compliance requirements for multiple industries. SCPs are commonly used as a Least Privilege guardrail to determine what actions are allowed or denied within your AWS accounts and provide you with the maximum set of permissions available for IAM entities in an account. SCPs can be used to deny users permissions across the organization which supersede IAM permissions set within a given policy. SCPs when leveraged with Policy Sentry, CloudTrail and Access Advisor help to increase the security posture of your IAM footprint.
Using ABAC To Achieve Least Privilege in AWS
Attribute-Based Access Control (ABAC) allows you to grant permissions to an IAM principal or AWS resource based on a specific attribute, like an AWS tag. Tagging in AWS allows you to leverage ABAC for services that support tag-based authorization. ABAC allows you to lower the number of IAM policies you manage by utilizing tagging for authorization instead of role-based access control (RBAC). When new AWS resources are created with the appropriate tags, IAM policies that leverage ABAC will immediately be applicable if the tags match. Provisioning of new resources requires less hassle as projects and teams are automatically granted access to what they need. Adding context with tags allows organizations to take advantage of an AWS recommended authorization strategy. ABAC requires careful planning, testing and deployment. By doing this, teams can reduce friction with internal processes and procedures and accelerate delivery.
While IAM comes with its own complexities and nuances, there are different approaches you can take to implement the concept of Least Privilege within your AWS IAM environments. These recommendations will help minimize security risks and attack vectors in the event that a system or resource within your environment becomes compromised. Each component of your application stack should be treated as an independent trust boundary. Following Least Privilege implies that each component be given a dedicated IAM role that grants permissions relevant to the job function of that component. Building these recommendations into your AWS environments will ensure you have the proper guardrails for your workloads to run in a secure manner.
The information presented in this article is accurate as of July 16, 2020. Follow the ScaleSec blog for new articles and updates.
ScaleSec is a service-disabled, veteran-owned small business (SDVOSB) for cloud security and compliance that helps innovators meet the requirements of their most scrutinizing customers. We specialize in cloud security engineering and cloud compliance. Our team of experts guides customers through complex cloud security challenges, from foundations to implementation, audit preparation and beyond.