Track which AWS services support Resource based policies #31

Open
kmcquade opened this issue Dec 14, 2019 · 1 comment
Labels
enhancement New feature or request trackable Ideas for things that are trackable

Comments

@kmcquade

This feature would help with identifying potentially dangerous IAM actions - such as those that could cause resources to be exposed to anonymous users (Principal = *).

The automation would involve scraping this page to flag changes to AWS services under the “resource based policies” column.

Here’s an example of how this could help: AWS recently announced that CodeBuild supports resource based policies. However, the associated IAM actions - codebuild:PutResourcePolicy and codebuild:DeleteResourcePolicy - were labeled as “Write” access level instead of the “Permissions management” level under the actions, resources, and condition keys page for CodeBuild. This happens on a regular basis, which has ramifications in two major cases:

  1. The AWS visual policy editor relies on the accuracy of the actions, resources, and condition keys page. It allows you to select all actions under an access level. I cover this material here: https://policy-sentry.readthedocs.io/en/latest/introduction/comparison-to-similar-tools.html#aws-console-visual-policy-editor. Obviously, if you want to grant someone the ability to “write” to CodeBuild, that doesn’t mean you want them to share CodeBuild projects with external accounts or the internet at large. If the IAM actions tracker tool tracked the changes to the Resource based policies in the “AWS services that support IAM” documentation, it would help us identify which services we should inspect for the IAM actions that grant privileges to modify those resource based policies. It will also help us notify AWS that they should fix the documentation.
  2. The issue of incorrect Access level labeling is so severe that we had to build in an Access Level Overrides file in Policy Sentry: https://github.com/salesforce/policy_sentry/blob/master/policy_sentry/shared/data/access-level-overrides.yml
  3. Since we rely on the accuracy of this documentation for Policy Sentry to automate the creation of least privilege IAM policies, our attitude was that we couldn’t wait for AWS to make fixes to the access levels - especially when it comes to Permissions management actions that are mislabeled. If IAM Actions tracker were able to track the changes to the “AWS services that support IAM” page, we could quickly make changes to the overrides file, rather than the informal manual searching method that we take right now.

Let me know if you have any questions.
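An added example (not code from the IAM actions tracker or from Policy Sentry) of the check this issue describes: diff two snapshots of the "AWS services that work with IAM" table, and for each service whose resource-based policy support flipped to Yes, flag policy-modifying actions whose documented access level is not "Permissions management", as candidates for the overrides file. The service names, actions and access levels below are constructed sample data mirroring the CodeBuild case above, and the action-name pattern is an assumption, not an AWS convention the page states.

```python
import re

# Constructed snapshots of the services table: service prefix -> whether the
# "Resource-based policies" column says Yes. Not scraped from AWS docs.
SERVICES_BEFORE = {"codebuild": False, "s3": True, "sqs": True}
SERVICES_AFTER = {"codebuild": True, "s3": True, "sqs": True}

# Constructed excerpt of the "actions, resources, and condition keys" pages:
# service prefix -> {action: documented access level}.
ACTIONS_AFTER = {
    "codebuild": {
        "codebuild:PutResourcePolicy": "Write",     # mislabeled, per the issue
        "codebuild:DeleteResourcePolicy": "Write",  # mislabeled, per the issue
        "codebuild:StartBuild": "Write",            # correctly labeled
    },
    "s3": {"s3:PutBucketPolicy": "Permissions management"},
}

# Assumed naming pattern for actions that modify a resource-based policy.
RESOURCE_POLICY_ACTION = re.compile(
    r":(Put|Delete|Set|Modify|Add|Remove)\w*(ResourcePolicy|Policy|Permission)s?$"
)


def newly_resource_policy_services(before, after):
    """Services whose resource-based policy support flipped from No to Yes."""
    return sorted(s for s, v in after.items() if v and not before.get(s, False))


def suspect_mislabeled_actions(services, actions_by_service):
    """Policy-modifying actions in the given services that are not documented
    as "Permissions management". Returns sorted (action, documented level)."""
    suspects = []
    for svc in services:
        for action, level in actions_by_service.get(svc, {}).items():
            if RESOURCE_POLICY_ACTION.search(action) and level != "Permissions management":
                suspects.append((action, level))
    return sorted(suspects)


if __name__ == "__main__":
    changed = newly_resource_policy_services(SERVICES_BEFORE, SERVICES_AFTER)
    for action, level in suspect_mislabeled_actions(changed, ACTIONS_AFTER):
        print(f"review {action}: documented as {level!r}, expected 'Permissions management'")
```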

@ollytheninja ollytheninja added enhancement New feature or request trackable Ideas for things that are trackable labels Dec 15, 2019
@ollytheninja
Collaborator

yes! Brilliant idea, love it!
