Using AWS X-Ray to achieve Least Privilege Permissions

Run-time monitoring with AWS X-Ray can help you reach least-privilege IAM permissions. When the X-Ray SDK instruments the AWS SDK, every call a function makes is recorded in its trace as a subsegment with the service, the operation and, for many services, the resource it touched (a DynamoDB table name, an S3 bucket). That record is the list of actions the function's role actually needs. We recently released a tool, aws-least-privilege, that reads those traces and generates least-privilege IAM policies from them.

Hand-written policies tend to be broad. This statement allows every common DynamoDB data-plane action (plus DescribeTable) on any table in us-east-1 in any account, because both the account and resource fields of the ARN are wildcards:

{
  "Action": [
    "dynamodb:DescribeTable",
    "dynamodb:Query",
    "dynamodb:Scan",
    "dynamodb:GetItem",
    "dynamodb:PutItem",
    "dynamodb:UpdateItem",
    "dynamodb:DeleteItem"
  ],
  "Resource": "arn:aws:dynamodb:us-east-1:*:*",
  "Effect": "Allow"
}

Enabling AWS X-Ray

Install the SDK:

npm install --save aws-xray-sdk

Wrap the AWS SDK once at module load, before any service client is created, so that every SDK call the function makes is recorded as a subsegment (captureAWS patches the object you pass in and returns it):

import AWS from "aws-sdk";
import XRay from "aws-xray-sdk";
// Must run before new AWS.DynamoDB.DocumentClient() etc., or those clients are not traced
XRay.captureAWS(AWS);

Then enable active tracing on the function (in the Lambda console, or with tracing: lambda: true under provider in serverless.yml on Serverless Framework versions that support it) and redeploy:

serverless deploy

The execution role also needs xray:PutTraceSegments and xray:PutTelemetryRecords to upload segments; enabling active tracing through the console or the framework adds those for you. Traces appear in the X-Ray console a short time after the function is invoked.

Scanning X-Ray to achieve Least Privilege

Install the scanner and run it with credentials that can read traces from the account (the X-Ray read APIs, xray:GetTraceSummaries and xray:BatchGetTraces):

npm install -g aws-least-privilege
xray-privilege-scan

The scan reads the recorded traces, groups the AWS SDK calls it finds by the Lambda function that made them, and writes one policy file per function:

Completed running xray scan.
Generated IAM policies based upon xray scan:
arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-delete - 0bdcf1c154bddd684294aec1334a9b72.policy.json
arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-create - 593020e43d8bf0737daecb471c81b698.policy.json
arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-list - 2e166200fc364a6552f5934489b512dc.policy.json
arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-update - 711a58cf1c53a4f14d9193a0b8c8fd4d.policy.json
arn:aws:lambda:us-east-1:xxxx:function:notes-app-api-prod-get - c577c60d2945d3b7989bd3d538fd0cf5.policy.json
Each policy file holds statements scoped to the actions and resources that the traces show the function actually using, for example only GetObject and PutObject on the two buckets it touched:

{
  "Effect": "Allow",
  "Action": [
    "s3:GetObject",
    "s3:PutObject"
  ],
  "Resource": [
    "arn:aws:s3:::test-bucket1/*",
    "arn:aws:s3:::test-bucket2/*"
  ]
}

A generated policy can only contain what X-Ray recorded. Code paths that were not exercised during the scan window, requests dropped by sampling (the default rule keeps the first request each second plus 5% of the rest), and calls that do not go through the instrumented SDK are all missing from it. Treat the output as a draft: review it, run the function's full set of operations against it in a non-production stage, and only then attach it, or the first untraced branch will fail with an AccessDenied error.
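To make the reduction from traces to policy concrete, here is an added example that is not code from this page or from the aws-least-privilege project. It takes traces in the shape returned by aws xray batch-get-traces (each segment's Document is a JSON string), keeps only the subsegments the X-Ray SDK emits for AWS SDK calls (namespace "aws", with aws.operation, aws.region and, for DynamoDB and S3, aws.table_name or aws.bucket_name), and builds one statement per resource. The sample traces, account ID, trace IDs and resource names are constructed, and reading the function ARN from the function segment's aws.function_arn field is an assumption (the segment name is used as a fallback). Calls to services the example cannot map to an ARN are scoped to "*" and reported separately rather than silently widened.

```javascript
// Added example, not code from the page or the aws-least-privilege project:
// reduce X-Ray traces (shape of `aws xray batch-get-traces`) to one
// least-privilege IAM policy per Lambda function. All traces below are constructed.

// S3 operations that act on an object take a `bucket/*` resource; the rest
// (ListObjectsV2, GetBucketLocation, ...) act on the bucket ARN itself.
const S3_OBJECT_OPS = new Set(['GetObject', 'PutObject', 'DeleteObject', 'HeadObject', 'CopyObject']);

// Map an "aws" subsegment to the ARN the statement should name. Returns null
// when the trace carries no resource detail so the caller can fall back to "*".
function resourceArn(service, aws, account) {
  switch (service) {
    case 'DynamoDB':
      return aws.table_name ? `arn:aws:dynamodb:${aws.region}:${account}:table/${aws.table_name}` : null;
    case 'S3':
      if (!aws.bucket_name) return null;
      return S3_OBJECT_OPS.has(aws.operation) ? `arn:aws:s3:::${aws.bucket_name}/*` : `arn:aws:s3:::${aws.bucket_name}`;
    default:
      return null; // services without a mapping here are flagged, not guessed
  }
}

// Yield every subsegment that recorded an AWS SDK call, at any nesting depth
// (calls made inside Lambda's "Invocation" subsegment or custom subsegments).
function* awsCalls(node) {
  for (const sub of node.subsegments || []) {
    if (sub.namespace === 'aws' && sub.aws && sub.aws.operation) yield sub;
    yield* awsCalls(sub);
  }
}

// Build { functionArn: { policy, unresolved } } from a list of traces.
function generatePolicies(traces, account) {
  const grantsByFunction = new Map(); // function -> Map(resource -> Set(action))
  for (const trace of traces) {
    for (const seg of trace.Segments) {
      const doc = JSON.parse(seg.Document);
      if (doc.origin !== 'AWS::Lambda::Function') continue; // skip API Gateway / Lambda service segments
      // Assumption: the function segment's aws block carries function_arn; fall back to the segment name.
      const fn = (doc.aws && doc.aws.function_arn) || doc.name;
      if (!grantsByFunction.has(fn)) grantsByFunction.set(fn, new Map());
      const grants = grantsByFunction.get(fn);
      for (const call of awsCalls(doc)) {
        // X-Ray names the service as the SDK does (DynamoDB, S3, SSM); IAM prefixes are lower-case.
        const action = `${call.name.toLowerCase()}:${call.aws.operation}`;
        const resource = resourceArn(call.name, call.aws, account) || '*';
        if (!grants.has(resource)) grants.set(resource, new Set());
        grants.get(resource).add(action);
      }
    }
  }
  const result = {};
  for (const [fn, grants] of grantsByFunction) {
    const Statement = [...grants].map(([Resource, actions]) => ({ Effect: 'Allow', Action: [...actions].sort(), Resource }));
    result[fn] = {
      policy: { Version: '2012-10-17', Statement },
      // Anything scoped to "*" could not be narrowed from the trace and needs a human.
      unresolved: Statement.filter((s) => s.Resource === '*').flatMap((s) => s.Action),
    };
  }
  return result;
}

// Constructed sample traces: two invocations of the notes API. Account ID,
// trace IDs and resource names are made up for this example.
const ACCOUNT = '123456789012';
const segment = (doc) => ({ Id: doc.id, Document: JSON.stringify(doc) });
const SAMPLE_TRACES = [
  { Id: '1-5f0c0001-000000000000000000000001', Segments: [segment({
      id: 'a1', name: 'notes-app-api-prod-get', origin: 'AWS::Lambda::Function',
      aws: { function_arn: `arn:aws:lambda:us-east-1:${ACCOUNT}:function:notes-app-api-prod-get` },
      subsegments: [{ id: 'b1', name: 'Invocation', subsegments: [
        { id: 'c1', name: 'DynamoDB', namespace: 'aws', aws: { operation: 'GetItem', region: 'us-east-1', table_name: 'notes' } },
        { id: 'c2', name: 'S3', namespace: 'aws', aws: { operation: 'GetObject', region: 'us-east-1', bucket_name: 'notes-attachments', key: 'a.png' } },
      ] }],
  })] },
  { Id: '1-5f0c0002-000000000000000000000002', Segments: [segment({
      id: 'a2', name: 'notes-app-api-prod-list', origin: 'AWS::Lambda::Function',
      aws: { function_arn: `arn:aws:lambda:us-east-1:${ACCOUNT}:function:notes-app-api-prod-list` },
      subsegments: [
        { id: 'c3', name: 'DynamoDB', namespace: 'aws', aws: { operation: 'Query', region: 'us-east-1', table_name: 'notes' } },
        { id: 'c4', name: 'SSM', namespace: 'aws', aws: { operation: 'GetParameter', region: 'us-east-1' } },
      ],
  })] },
];

const POLICIES = generatePolicies(SAMPLE_TRACES, ACCOUNT);
console.log(JSON.stringify(POLICIES, null, 2));
```

Running it prints a policy for each function: the get function ends up with dynamodb:GetItem on the notes table and s3:GetObject on notes-attachments/*, while the list function gets dynamodb:Query on the table and an ssm:GetParameter statement on "*" that is also listed under unresolved, because the trace did not carry a parameter name to scope it to. The real tool fetches traces itself; this example stops at the reduction step so that it runs offline on embedded input.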

What’s Next

