search

glassechidna / trackiam

A project to collate IAM actions, AWS APIs and managed policies from various public sources.
https://glassechidna.github.io/trackiam/
291 stars 24 forks source link

Track which AWS services support Resource based policies #31

Open kmcquade opened 4 years ago

kmcquade commented 4 years ago

This feature would help with identifying when potentially dangerous IAM actions - such as those that could cause resources to be exposed to anonymous users (Principal = *).

The automation would involve scraping this page to flag changes to AWS services under the “resource based policies” column.

Here’s an example of how this could help: AWS recently announced that CodeBuild supports resource based policies. However, the associated IAM actions - codebuild:PutResourcePolicy and codebuild:DeleteResourcePolicy were labeled as “Write” access level instead of the “Permissions management” level under the actions, resources, and condition keys page for CodeBuild. This happens on a regular basis, which has ramifications in two major cases:

  1. The AWS visual policy editor relies on the accuracy of the actions, resources, and condition keys page. It allows you to select all actions under an access level. I cover this material here: https://policy-sentry.readthedocs.io/en/latest/introduction/comparison-to-similar-tools.html#aws-console-visual-policy-editor. Obviously, if you want to grant someone the ability to “write” to CodeBuild, that doesn’t mean you want them to share CodeBuild projects with external accounts or the internet at large. If the IAM actions tracker tool tracked the changes to the Resource based policies in the “AWS services that support IAM” documentation, it would help us identify which services we should inspect for the IAM actions that grant privileges to modify those resource based policies. It will also help us notify AWS that they should fix the documentation.
  2. The issue of incorrect Access level labeling is so severe that we had to build in an Access Level Overrides file in Policy Sentry: https://github.com/salesforce/policy_sentry/blob/master/policy_sentry/shared/data/access-level-overrides.yml
  3. Since we rely on the accuracy of this documentation for Policy Sentry to automate the creation of least privilege IAM policies, Our attitude was that we couldn’t wait for AWS to make fixes to the access levels - especially when it comes to Permissions management actions that are mislabeled. If IAM Actions tracker were able to track the changes to the “AWS services that support IAM” page, we could quickly make changes to the overrides file, rather than the informal manual searching method that we take right now.

Let me know if you have any questions.

ollytheninja commented 4 years ago

yes! Brilliant idea, love it!