Security Vulnerability - Lateral Movement

[jon-spaeth]

I'm getting flagged by our security team for using this tool with the following issue:

I assume this is coming from the assume -c command used to open the console.

[chrnorm]

Hey Jon, do you know what tool generated this report? Also, could you share an example profile that you’re using with Granted? (please redact any sensitive info like account IDs etc)

[jon-spaeth]

I believe the tool they are using is called Artic Wolf

My profile config is just region us-west-1 and output type json and my credentials look like this

[chrnorm]

Thanks Jon. Unfortunately the sts:GetFederationToken is what drives the core functionality of assume -c :(

This is of course a false positive from the scanning tool (as you are using the credentials for legitimate purposes and aren’t an attacker!). I can appreciate though the alerts may be a cause of frustration for your security team, and because of this, a frustration for you.

The API that we are using are legitimate AWS APIs and aren’t anything inherently malicious. You can find the AWS documentation for the process here. Our specific implementation of this can be found here.

Some ideas as to how we could solve this (some of these require changes to IAM roles in your account, so depending on who owns these you may be out of luck unfortunately):

• Your security team could filter this alert for your IP addresses or for the Granted user agent, under the justification that this is a legitimate use of the API. I appreciate though this might not be possible or desirable for them.
• You could deploy a role into the account with a trust relationship allowing your IAM user account to assume it. This would look something like

  [profile example]
  role_arn = arn:aws:iam::123456789012:role/example
  source_profile = <your existing profile name>

and then run assume -c example. From the wording of the alert it appears as though assuming a role first would cause the alert not to fire. I note though that this approach isn’t doing anything meaningfully different from a security perspective.

• You could look at adopting IAM Identity Center in your organization. IAM IDC is a lot easier for managing multi-account access and based on the wording in the alert would also solve the issue, as this is triggered only for IAM users.

• Finally, we could try and add a feature in Granted where we open the console in a profile at the login page, and then you need to enter your username/password/MFA manually. I’d be adverse to doing this though as it won’t be a good UX for you - if it came to this you’d probably be better off using your browser and not using assume -c at all because it would be so cumbersome!

Overall sorry to hear Granted is causing some pain and I hope I’ve shed some light onto the internals and some possibilities here.

I’m going to close this issue for now but you are most welcome to re-open it if you have any additional questions on any parts of my response.

[jon-spaeth]

Thanks for the detailed response @chrnorm. I'll bring it up with the security team. Still love the product, hoping to get this resolved so I can keep using it 🤞