How do you achieve true least-privilege access in AWS?

a thread (and quick demo of a tool I'm building) ⬇️
1/ Nearly every team I've worked with @exponent_dev has had extremely permissive @awscloud IAM permissions. I've been granted AdministratorAccess scarily regularly.
2/ And if it's not user accounts, infrastructure deployment roles through @HashiCorp terraform or CloudFormation I've seen having AdministratorAccess or thereabouts. This adds a new security risk vector through your infrastructure-as-code repos and deployment systems.
3/ @RhinoSecurity has great resources on privilege escalation in AWS. Even access to basic IAM actions allows exploitation.…
4/ the @CapitalOne hack in 2019 shows what can happen due to misconfigured IAM. The particular EC2 instance that was compromised had a lot of unnecessary IAM permissions which was abused by the attacker.…
5/ So if the risks are high, why are overly permissive IAM policies like AdministratorAccess granted so often?

I think it's because the feedback loop is too slow.
6/ The usual flow for creating a least-permissions policy:

- take an initial guess at what policy a user or service will need
- run actions against the AWS APIs until you hit an error
- try and debug the specific permission that is required
- repeat, over and over again
7/ The official docs recommend running an extremely verbose query against CloudTrail to debug IAM permissions. I've never seen this done in practice.

Not to mention events take 15 minutes to propagate to CloudTrail, making the feedback loop even slower!…
8/ The approach above might take you hours to build a single policy. Or you could just throw AdministratorAccess, PowerUserAccess, or another permissive policy at it (introducing the risks mentioned earlier!) and move on.
9/ What if the feedback loop was so fast you could approve granular access in seconds? I hacked on this idea over the weekend and built a prototype by instrumenting the AWS SDK (botocore)
10/ Demo here. Would love to hear from you if your team faces similar security challenges in AWS! My DMs are open. Am thinking of tidying it up and releasing it as open-source if this is a challenge other people face too.…
11/ Other awesome tooling in this space you should check out:
- @iann0036's iamlive…

- @salesforce's policy sentry…

- @netflix's repokid

• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Chris Norman

Chris Norman Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!