Least Privilege in AWS IAM using Cloudsplaining
It's really common to hear about least privilege when studying information security. Unfortunately, it's also really common to give a user far more access than they need.
"It's just temporary access, just to run a test."
Temporary access usually introduces a serious vulnerability into a system, often granting administrative access. Worse, we tend to forget about these accesses while they stay active. In an AWS environment it can be much worse and more dangerous: with just an access key, the attacker is in your environment. Using the AWS console, the attacker can reach the administration from anywhere on the globe; it's not like a private system inside your private network, behind a WAF or other security tools.
That's why applying the principle of least privilege is so important. To help with that we can use an amazing tool called Cloudsplaining. With this tool it's possible to analyse, in seconds, information like:
But the question is:
"Where should I start?"
With that in mind, I put together a path that worked for me. Find the way of using this tool that works best for you; this is just my recommendation:
1. Reduce the objects:
I put this step first because I think it is the fastest and resolves a good part of the problem. For this you can look at the "last used" field of the roles, for example. If a role hasn't been used in the last 6 months, it's quite likely that nobody will use it again, so you can reduce the number of roles/policies in your environment.
PS: To save time, a simple Python bot can read the JSON generated by Cloudsplaining and scan only the objects with more than 6 months without access.
2. Filtering Critical Objects:
Now that we've reduced the total number of objects, we can look at the critical ones more closely. At this point we can, for example, prioritize objects with permissions that allow privilege escalation, then data exfiltration, and continue with others such as objects with permission to change the infrastructure.
Some people will say that certain objects do in fact need privilege escalation permissions. For these, you can write documentation to keep them under observation and add them to the exclusion YAML file that Cloudsplaining provides. With this, they won't alert you in the future.
3. Other Recommendations:
Finally, you can improve security further using, for example, AWS IAM Access Advisor, which shows you the services an object hasn't used for a while, so you can reduce the privileges granted to that object even more.
To be more effective, I recommend that you implement all the checks explained above and generate alert messages automatically, for example using boto3 to read the Cloudsplaining JSON file, connect to AWS to get the Access Advisor information, and send the result to an e-mail or Slack channel. This will help you check your environment continuously.
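As an added example (not code from the article), a small Python script that combines steps 1 and 3: it flags roles whose IAM "last used" date is older than the 6-month threshold and, for a given role, lists the services Access Advisor reports as never used. The boto3 calls used (get_role, list_roles, generate_service_last_accessed_details, get_service_last_accessed_details) are real IAM APIs; the sample responses at the bottom and the account id are constructed so the checks run offline without credentials.

```python
from datetime import datetime, timedelta, timezone
import time

STALE_DAYS = 180  # the article's "6 months" threshold


def is_stale(role, now=None, days=STALE_DAYS):
    """Step 1: True when a role's last-used date is missing or older than `days`.
    `role` is the dict boto3 returns as iam.get_role()["Role"]
    (list_roles omits RoleLastUsed, so get_role is called per role)."""
    now = now or datetime.now(timezone.utc)
    last = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last is None:  # never used since IAM started tracking it: review it
        return True
    return now - last > timedelta(days=days)


def unused_services(details):
    """Step 3: from get_service_last_accessed_details() output, return the
    service namespaces the role is allowed to use but has never authenticated to."""
    return sorted(s["ServiceNamespace"] for s in details["ServicesLastAccessed"]
                  if "LastAuthenticated" not in s)


def stale_roles(days=STALE_DAYS):
    """Live scan of the current account (needs boto3 and iam:ListRoles/GetRole)."""
    import boto3  # imported here so the offline checks below need no AWS SDK
    iam = boto3.client("iam")
    found = []
    for page in iam.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            role = iam.get_role(RoleName=summary["RoleName"])["Role"]
            if is_stale(role, days=days):
                found.append(role["Arn"])
    return found


def access_advisor(arn):
    """Live Access Advisor query: start the job and poll until it finishes."""
    import boto3
    iam = boto3.client("iam")
    job = iam.generate_service_last_accessed_details(Arn=arn)["JobId"]
    while True:
        details = iam.get_service_last_accessed_details(JobId=job)
        if details["JobStatus"] != "IN_PROGRESS":
            return details  # COMPLETED or FAILED
        time.sleep(2)


# Constructed samples shaped like boto3's responses (account id is a placeholder).
SAMPLE_NOW = datetime(2023, 9, 1, tzinfo=timezone.utc)
SAMPLE_ROLE = {"RoleName": "temp-test-role", "Arn": "arn:aws:iam::123456789012:role/temp-test-role",
               "RoleLastUsed": {"LastUsedDate": datetime(2023, 1, 10, tzinfo=timezone.utc)}}
SAMPLE_ADVISOR = {"JobStatus": "COMPLETED", "ServicesLastAccessed": [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3", "TotalAuthenticatedEntities": 1,
     "LastAuthenticated": datetime(2023, 6, 1, tzinfo=timezone.utc)},
    {"ServiceName": "AWS IAM", "ServiceNamespace": "iam", "TotalAuthenticatedEntities": 0},
    {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2", "TotalAuthenticatedEntities": 0}]}
```

The list returned by unused_services is what you would feed into the alert (e-mail or Slack) described above, since each entry is a service that can be removed from the role's policies.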
Well, that's all! I hope this article has passed on a little about security in AWS IAM, and that you've enjoyed it.
If you have other recommendations, please share them here! Let's improve the security of our environments together!