mozilla / infosec.mozilla.org

Guidelines, principles published on https://infosec.mozilla.org
Mozilla Public License 2.0

Discussion : Change AWS cross account access grant model #94

Open gene1wood opened 5 years ago

gene1wood commented 5 years ago

Avoid granting access through the root user or, another category regarding granting permissions through the root user, for example, granting an S3 bucket policy that allows the root user of another AWS account (and thus which allows everything on that other account to access the S3 bucket). It's the same kind of issue, but for any access that is being granted through any method (not just through API keys).

This seems to go against https://infosec.mozilla.org/fundamentals/security_principles.html#do-not-allow-lateral-movement as AWS accounts tend to host more than one service. If the AWS account has a single service it would be "very normal", as in it would be fine indeed. When they host a variety of services you're effectively granting overly broad access (also usually called out as "fine grained access control" and "minimum necessary privileges").

The meat of this is: it's easy to end up with an unsafe configuration when all you want is "for things to work".

I think this could also be something about which cross-account privileges can typically be granted in a safe manner and how (as per the initial comment, "maybe an additional section").

gdestuynder commented 5 years ago

I feel like this is slightly misrepresented, or that there is some confusion. These are my actual comments:

Avoid granting access through the root user or, another category regarding granting permissions through the root user, for example, granting an S3 bucket policy that allows the root user of another AWS account (and thus which allows everything on that other account to access the S3 bucket). It's the same kind of issue, but for any access that is being granted through any method (not just through API keys).

This seems to go against https://infosec.mozilla.org/fundamentals/security_principles.html#do-not-allow-lateral-movement as AWS accounts tend to host more than one service. If the AWS account has a single service it would be "very normal", as in it would be fine indeed. When they host a variety of services you're effectively granting overly broad access (also usually called out as "fine grained access control" and "minimum necessary privileges").

The meat of this is: it's easy to end up with an unsafe configuration when all you want is "for things to work".

I think this could also be something about which cross-account privileges can typically be granted in a safe manner and how (as per the initial comment, "maybe an additional section").

gene1wood commented 5 years ago

Sorry about that, I've updated the body of the issue to your text. Here's what I had originally put in:

Currently we configure the grantor account to grant rights to the entire grantee account (e.g. arn:aws:iam::371522382791:root) to assume a role in the grantor account. This sets the demarcation point between the grantor and grantee at the account level (as opposed to the IAM user or IAM role level).

Reasons for this choice are

The downsides to this model are
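The two grant shapes discussed in this thread (an S3 bucket policy whose principal is another account's root, and a role trust policy that lets `arn:aws:iam::<account>:root` assume the role) can be spotted mechanically, and narrowed to named roles. The following is an added example written for this discussion, not code from the infosec.mozilla.org repository or from Mozilla's AWS tooling. The account id `111122223333`, the bucket name and the role name are constructed placeholders; the policy documents are constructed samples in the same shape as the grants the thread describes.

```python
"""Find cross-account grants made at the account level (Principal = the other
account's root) in IAM trust policies and S3 bucket policies, and rewrite them
to name specific roles in the grantee account instead.

Added example for the discussion above; not code from infosec.mozilla.org.
Account ids, bucket and role names are constructed placeholders.
"""
import json
import re

# arn:aws:iam::<12-digit account>:root is "the whole account"; a bare 12-digit
# account id in a Principal element means the same thing.
ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d{12}):root$")
BARE_ACCOUNT = re.compile(r"^\d{12}$")


def _principals(statement):
    """Return the AWS principal strings of a statement, normalised to a list.
    The policy grammar allows "*", a single string, a list, or {"AWS": ...}."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    if isinstance(principal, str):
        principal = [principal]
    return list(principal)


def _account_of(principal):
    """Account id if the principal grants an entire account, else None."""
    m = ROOT_PRINCIPAL.match(principal)
    if m:
        return m.group(1)
    if BARE_ACCOUNT.match(principal):
        return principal
    return None


def account_level_grants(policy):
    """Return (Sid, principal, account_id) for every Allow statement whose
    principal is an entire account rather than a specific user or role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for p in _principals(stmt):
            acct = _account_of(p)
            if acct is not None:
                findings.append((stmt.get("Sid", ""), p, acct))
    return findings


def narrow_to_roles(policy, roles_by_account):
    """Return a copy of policy in which each account-level principal is replaced
    by the role ARNs listed for that account. Raises ValueError when an account
    has no roles listed, so a grant is never silently dropped or left broad."""
    narrowed = json.loads(json.dumps(policy))  # deep copy; input is untouched
    for stmt in narrowed.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        new, changed = [], False
        for p in _principals(stmt):
            acct = _account_of(p)
            if acct is None:
                new.append(p)
                continue
            if acct not in roles_by_account:
                raise ValueError(f"no roles listed for account {acct}")
            new.extend(f"arn:aws:iam::{acct}:role/{r}" for r in roles_by_account[acct])
            changed = True
        if changed:
            if isinstance(stmt["Principal"], dict):
                stmt["Principal"]["AWS"] = new  # keep any Service/Federated keys
            else:
                stmt["Principal"] = {"AWS": new}
    return narrowed


# Constructed sample: grantor-side role trust policy trusting a whole account.
TRUST_POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGranteeAccount",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: bucket policy granting the other account's root.
BUCKET_POLICY_BROAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "CrossAccountRead",
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::111122223333:root"]},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed: the one role in the grantee account that actually needs access.
ROLES = {"111122223333": ["app-ingest-role"]}

if __name__ == "__main__":
    for name, pol in (("trust", TRUST_POLICY_BROAD), ("bucket", BUCKET_POLICY_BROAD)):
        for sid, principal, acct in account_level_grants(pol):
            print(f"{name} policy, Sid {sid!r}: grants all of account {acct} via {principal}")
        narrowed = narrow_to_roles(pol, ROLES)
        assert not account_level_grants(narrowed)
        print(json.dumps(narrowed, indent=2))
```

Running the script reports both broad grants and prints each policy rewritten to `arn:aws:iam::111122223333:role/app-ingest-role`, which moves the demarcation point from the account to the role. One caveat when adopting the narrowed form: AWS resolves a role ARN in a trust or bucket policy to the role's unique id, so if the grantee deletes and recreates the role, the grant stops matching and has to be re-applied rather than silently widening.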