null-open-security-community / Cloud-Project


Security Baseline : AWS [Control: IAM Role and Policy Definitions] #36

Open anubhav1992 opened 11 months ago

anubhav1992 commented 11 months ago

Tags

Description:

What is it that you want to accomplish?

IAM (Identity and Access Management) roles and policies play a critical role in managing access to AWS resources. This control provides guidelines for defining IAM roles and policies that adhere to security baseline principles, ensuring that permissions are granted based on the principle of least privilege.

What are the details of this security control?

This control involves defining IAM roles and policies that specify what actions can be performed on which AWS resources by IAM users, groups, or services. It includes the creation and management of custom IAM policies that align with the security baseline.

What problem is it solving?

IAM role and policy definitions help prevent unauthorized access, accidental privilege escalation, and exposure of sensitive resources. They enforce fine-grained access controls and align permissions with business needs while maintaining security.

Prepping Up:

Minimum number of tools/accesses/permissions required to enable the security control:

Manual Approach:

Console Steps:

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM service.
  3. Click on "Roles" in the left navigation pane.
  4. Create a new role or select an existing one.
  5. Define the trusted entities (e.g., AWS service, another AWS account) and permissions policies.
  6. Review and create the role.

Creating a Custom IAM Policy:

  1. Log in to the AWS Management Console.
  2. Navigate to the IAM service.
  3. Click on "Policies" in the left navigation pane.
  4. Create a new policy.
  5. Define the permissions by selecting services and actions.
  6. Attach the policy to a role or user.

Automated Approach:

Terraform Script for Role Definition:

```hcl
# Role that EC2 instances can assume. The trust (assume-role) policy limits
# who may assume the role to the EC2 service principal only.
resource "aws_iam_role" "example" {
  name = "my-example-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action = "sts:AssumeRole",
        Effect = "Allow",
        Principal = {
          Service = "ec2.amazonaws.com"
        }
      }
    ]
  })
}

# Permissions policy scoped to a single bucket: list the bucket and read its
# objects, nothing else. Bucket-level and object-level actions need different
# resource ARNs (the bucket ARN vs. the bucket ARN with "/*").
# Note: this policy still has to be attached to the role (for example with an
# aws_iam_role_policy_attachment resource) before it takes effect.
resource "aws_iam_policy" "example" {
  name        = "my-example-policy"
  description = "Example custom IAM policy"

  policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Action   = "s3:ListBucket",
        Effect   = "Allow",
        Resource = "arn:aws:s3:::my-bucket"
      },
      {
        Action   = "s3:GetObject",
        Effect   = "Allow",
        Resource = "arn:aws:s3:::my-bucket/*"
      }
    ]
  })
}
```

Validation Techniques:

How to validate if this has been properly implemented?

To validate the proper implementation of IAM roles and policies:

  1. Review the IAM role definitions and ensure that they follow the principle of least privilege.
  2. Test IAM policies by attempting actions on AWS resources as a user associated with the policy.
  3. Use the IAM Policy Simulator to simulate policy actions and review results.
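As an added example (not part of this issue or the project), a small Python static check for validation step 1: it scans an IAM policy document for Allow statements wider than least privilege (wildcard or service-wide actions, Resource "*", NotAction grants, and wildcard principals in a trust policy). The baseline's own S3 policy is expected to pass clean; the over-permissive documents are constructed here to show what gets flagged.

```python
def _as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Principal."""
    return [] if value is None else value if isinstance(value, list) else [value]

def lint_policy(policy: dict) -> list:
    """Return findings for Allow statements that are broader than least privilege."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; nothing to flag
        sid = stmt.get("Sid", f"Statement[{i}]")
        if "NotAction" in stmt:
            findings.append(f"{sid}: Allow with NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' allows all actions on all services")
            elif action.endswith(":*"):
                findings.append(f"{sid}: Action '{action}' allows every action in the service")
        if "*" in _as_list(stmt.get("Resource")):
            findings.append(f"{sid}: Resource '*' applies to every resource; scope it to ARNs")
        # Trust policies: a wildcard principal lets any AWS account assume the role
        principal = stmt.get("Principal")
        aws_principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        if (principal == "*" or "*" in aws_principals) and "Condition" not in stmt:
            findings.append(f"{sid}: wildcard Principal without Condition in trust policy")
    return findings

# The custom policy from this baseline, scoped to one bucket: expected to pass clean
BASELINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "s3:ListBucket", "Effect": "Allow", "Resource": "arn:aws:s3:::my-bucket"},
        {"Action": "s3:GetObject", "Effect": "Allow", "Resource": "arn:aws:s3:::my-bucket/*"},
    ],
}

# Constructed over-permissive documents showing what the check flags
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AdminLike", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "AllS3", "Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::my-bucket"},
    ],
}
OPEN_TRUST = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "*"}}}

if __name__ == "__main__":
    for name, doc in [("baseline", BASELINE_POLICY), ("broad", BROAD_POLICY), ("trust", OPEN_TRUST)]:
        print(name, lint_policy(doc) or "no findings")
```

Run it against the JSON of each role's trust and permissions policies (for example exported with the AWS CLI) as a first pass before using the Policy Simulator.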

How to check whether more such issues exist?

Regularly audit IAM roles and policies using AWS Config Rules to identify non-compliant roles or policies and review permissions changes.

Related Threats:

What are the threats if this issue is not fixed?

If IAM roles and policies are not properly defined:

Reference:

  1. CIS AWS Foundations Benchmark: Refer to the CIS AWS Foundations Benchmark for specific guidance on IAM best practices and compliance checks.
  2. AWS IAM Best Practices: Explore AWS's official documentation on IAM best practices for additional insights and recommendations.