One of the core principles of IAM is the Principle of Least Privilege. The idea is simple: give every role the minimal amount of permissions required to get the job done. However, in practice, this simple task can quickly become a daunting nightmare. To get started quickly, AWS recommends making use of the AWS Managed Policies. However, these policies lack the granularity required to ensure that the Principle of Least Privilege is respected, and often grants additional accesses than those explicitly required for the task. To get a more comprehensive view of what exactly these policies grant, engineers turn towards Access Advisor and Cloud Trail.
Access Advisor is an AWS tool that shows the service permissions granted to a role, and when those services were last accessed. It is extremely useful for determining which services a role uses, and will certainly get you some of the way towards refining access policies to be more restrictive. However, Access Advisor does not show you the permissions granted at resource level. So, you may know that a role has made use of the S3 service; however, you cannot know which bucket or object it has accessed. To get this type of information you will need to go deeper, enter Cloud Trail.
Cloud Trail is a service that allows you to see how roles are interacting with resources at the lowest level. The granularity provided by this service allows you to not only know that the S3 service has been used by a role, but also which buckets and objects the role has interacted with. However, Cloud Trail is not all sunshine and roses. Unfortunately, Cloud Trail outputs all of its log data, which for an enterprise organization can be quite sizeable, as compressed json files stored in an S3 bucket. Although this storage type is cheap and convenient, it does not allow you to easily begin finding the needle in the haystack; what permissions does this role actually require in order to function properly?
To manipulate the output format of Cloud Trail into something you can begin to parse through, you can make use of Amazon Athena. Amazon Athena is a serverless, interactive query service that makes it easy to analyze big data in S3 using standard SQL. As Athena’s is run as a pay per query service where the cost is based on the amount of data scanned, making it the perfect service to parse the logs provided by Cloud Trail on an as-needed basis. The alternative would be to write a custom service for parsing the JSON logs which could be extremely time-consuming. With Athena you can make use of standard SQL queries to find out exactly which services, resources, and objects that a role touches. Now you can finally get down to business!
With the access logs available to be queried using a simple SQL syntax and honed down to this level of granularity, you can begin working towards specifying the minimal access that a role requires. This can be determined using one of the following techniques:
- Work backwards removing permissions that are not used.
- Work forwards granting permissions on denials.
- Automate the process to calibrate the permissions as required.
So now you are in a position to discover the access you actually need, instead of just using the access you want.