crochcunill
commented
2 years ago Conclussions
- It is not practical to test every combination role/ressource/policy. There are simply too many to write and to maintain
- The AWS CLI command get-account-authorization-details returns a JSON file with all the IAM permissions associated to the account
- Some specific permissions may be tested individually, for example, change the access of a S3 bucket from public to private
- Test for specific permissions can be done through the AWS CLI or through the AWS web interface
Recommendations 1- Create a test that compare the results of the AWS CLI command get-account-authorization-details before/after SEA update/upgrade 2- Create a small suite of tests to verify persmissions that are deemed important enough to deserve their own test
Further work
- All of the above applies when using workload accounts, what means that we can not verify if the SCP have changed or not. Will need to decide if to also use an account with a higher role.
- If recommendation 2 is implemented, will need to select the permissions that will need to be tested
- Using AWS CLI seems to be the most straighforward way to test, however, there are some test where AWS GUI can provide more insight.
The full version of the finding for this spike have been gathered in the following spreadsheet
For some background info about the relation between KC users and AWS roles check https://bcgov.sharepoint.com/:b:/t/01368-CPFScrumTeam/EUpY8z_4ZUVBssWFJtcBbOAB72B1Y57yQSbLR7HGQi8vZA?e=IokLfl
Description To compile a list of the personas from the keycloak SSO roles. Then test systematically what each of these personas can can can not do.
I will need the input from Warren. Not sure if I will also require Avneet.
Additional Info There's some interesting documentation here https://github.com/canada-ca/cloud-guardrails-aws but we don't want to use Prowler or CloudCustodian, we want to test in CheckPoint CloudGuard CSPM
Deliverables