Overprivilege analysis of IAM policies in connorads/lockbot repository

[dattapubali]

We are submitting this issue to notify you of an IAM policy analysis we conducted based on an October 2021 copy of the connorads/lockbot repository. We recognize that your application has continued to change since then, but wanted to share our results with you.

Analyzing serverless.yml in https://github.com/connorads/lockbot/tree/c4c4148, we determined that the provider-level iamRolesStatements definition enabled over-privileged access to your dynamodb tables. By looking at the API calls that were actually being made by your application at that time, we determined that the following changes would reduce unnecessary privilege while still permitting the application to function:

Note: the following policy changes use the https://github.com/functionalone/serverless-iam-roles-per-function serverless plugin to create detailed per-function iam policies.

High level overview: The slack-handler function only needed access to the installationsTable and accessTokensTable, the api-handler function needed access to the resourcesTable and accessTokensTable, and the swagger function did not need access to any dynamodb tables.

…
functions:
  slack-handler:
    handler: src/handlers/slack/index.handler
    events:
      - http:
          method: post
          path: /slack/events
      - http:
          method: get
          path: /slack/install
      - http:
          method: get
          path: /slack/oauth_redirect
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:UpdateItem
          - dynamodb:DeleteItem
        Resource:
          - installationsTable
          - accessTokensTable

api-handler:
    handler: src/handlers/api/index.handler
    events:
      - http:
          method: get
          path: /api/teams/{team}/channels/{channel}/locks
      - http:
          method: post
          path: /api/teams/{team}/channels/{channel}/locks
      - http:
          method: get
          path: /api/teams/{team}/channels/{channel}/locks/{lock}
      - http:
          method: delete
          path: /api/teams/{team}/channels/{channel}/locks/{lock}
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:UpdateItem
          - dynamodb:DeleteItem
        Resource:
          - resourcesTable
          - accessTokensTable
  swagger:
    handler: src/handlers/swagger/index.handler
    events:
      - http:
          method: get
          path: /api-docs
      - http:
          method: get
          path: /openapi.json
      - http:
          method: get
          path: /api-docs/openapi.json
…

Your IAM policy was studied as part of a research project that was conducted jointly by researchers at the North Carolina State University and the University of Illinois at Urbana-Champaign. We developed an algorithm that leveraged graph reachability analysis to inspect privilege in serverless applications. This work has been accepted to appear at the 2024 Web Conference (Paper Title: “GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies”). We will be discussing the results from our 2021 analysis of your application as part of this work, but will be sure to note that the policy has been updated since then.

If you’d like, we’d be happy to update our analysis to reflect the present state of your application. Do let us know if you have any thoughts or feedback.

Best, Pubali Datta (co-authors: Isaac Polinsky, Adam Bates, Will Enck)

[connorads]

Cool project, thanks for flagging, will take a look 🫡