Why you should keep monitoring your AWS Managed Policies

Some of the Over Privileged AWS Managed IAM Policies

Harsha Koushik
Kernel Space
4 min read · May 3, 2022


Introduction

This article looks at some of the over-privileged AWS managed IAM policies. When I say over-privileged, I mean that the policy is not limited to the service it is named after: it also grants access to a completely different, and in some cases unrelated, service.

If you are not yet clear on what AWS IAM policies are, I recommend reading this article first: https://medium.com/kernel-space/perfect-way-to-get-started-on-aws-iam-e1d66f63acd7

Why people often use AWS Managed Policies

  • They may be too lazy to write their own policies
  • They do not understand IAM properly
  • They choose speed over security

What is the Problem with Managed Policies

Managed policies are ready-made policies that can simply be attached and used right away. It is as easy as eating packaged food. Who likes to cook these days? Managed policies versus customer-written policies is a lot like packaged food versus home-cooked food. Packaged food is instant: you can eat it the moment you buy it, and it does the job. Cooked food takes time and is less tasty (at least for me).

But guess what? Cooking our own food is the healthier and far safer option. Similarly, writing our own policies certainly takes time, but it is much more granular and the more secure option.

As the example above suggests, managed policies are less secure because they are overly permissive: they include more API calls than the job needs. Why did AWS do this? To make things easier for all customers, including the ones who are not so technical by nature.

Examples of Over Permissive AWS Managed Policies

While there are many managed policies that grant privileged access, we will look at a few of them so that you get the gist of how this works. Later on, we will also discuss what preventive controls you can put in place to find out whether a policy you are using becomes privileged because a new action was added to it. AWS keeps updating its managed policies, which is why each policy carries a version.

Some of the privileged AWS managed policies:

AmazonAthenaFullAccess — Grants privileged access to CloudWatch Alarms. This lets you delete any CloudWatch alarm, including the ones that are not managed by Athena.

AmazonWorkMailFullAccess — Grants a lot of privileged EC2 access, such as DeleteVPC, DeleteSG, DeleteSubnet, and so on.

AWSCodeStarServiceRole — Grants EC2:* (EC2 full access), ELB:* and other full-access calls that are not granular at all.

AdministratorAccess-Amplify — Grants privileged IAM access such as CreateRole, PassRole, Attach/PutRolePolicy and Delete actions on *, and also grants privileged S3, CloudFront and Lambda actions on *.

There are many other policies that go beyond the scope of their function and allow privileged actions on other services, which may or may not be directly related to the service the policy was created for.

Detection and Prevention Controls

Now that you understand this, it is extremely important to keep an inventory of which AWS managed policies your org is using, and how many of them are overly privileged and have the potential to cause severe damage to your infrastructure if a malicious actor leverages them to create chaos.

Detection and prevention are fairly simple here. You can implement something as basic as this:

  1. List all AWS managed policies, or only the AWS managed policies you are currently using, depending on your scope.
  2. Diff each day’s scan against the previous one.
  3. Alert if any changes are detected in policies that are in use in your org.
  4. Have your SecOps team verify whether any privileged action shows up in the recent diff.
  5. Repeat: set up a cron job to run this every day.

And you’re done!
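The procedure above, and the "reaches into an unrelated service" test behind the AmazonAthenaFullAccess and AmazonWorkMailFullAccess examples, as an added example written for this article (it is not the article's own code and not the MAMIP project's). The two snapshots are constructed, simplified stand-ins and do not reproduce the real AWS policy documents; the EXPECTED_SERVICES mapping and the DESTRUCTIVE_VERBS list are assumptions you would tune for your own org. The fetch_snapshot function uses the real boto3 IAM calls list_policies and get_policy_version but is only needed in the cron job, not for the offline demo.

```python
"""Daily diff of the AWS managed IAM policies in use, flagging new actions
that reach outside the policy's own service or carry a destructive verb.
Added example, not code from the article or from MAMIP."""
from typing import Dict, List, Set

# Constructed snapshots keyed by policy name: {"version": ..., "document": ...}.
# These documents are simplified stand-ins, not AWS's real policy documents.
YESTERDAY = {
    "AmazonAthenaFullAccess": {
        "version": "v1",
        "document": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["athena:*", "glue:GetTable"], "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-results/*"},
        ]},
    },
    "ExampleReadOnly": {
        "version": "v3",
        "document": {"Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]},
    },
}
TODAY = {
    "AmazonAthenaFullAccess": {
        "version": "v2",
        "document": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": ["athena:*", "glue:GetTable"], "Resource": "*"},
            {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-results/*"},
            # New in v2 (constructed): a destructive action on a service unrelated to Athena.
            {"Effect": "Allow", "Action": ["cloudwatch:DeleteAlarms"], "Resource": "*"},
        ]},
    },
    "ExampleReadOnly": YESTERDAY["ExampleReadOnly"],  # unchanged, must not appear in the diff
}

# Assumed per-policy scope: service prefixes the policy is expected to touch.
EXPECTED_SERVICES = {"AmazonAthenaFullAccess": {"athena", "glue", "s3"}}
# Assumed list of verbs worth a SecOps look whenever they are newly added.
DESTRUCTIVE_VERBS = ("Delete", "Put", "Attach", "Create", "Pass")


def allowed_actions(document: dict) -> Set[str]:
    """Flatten every Action in Allow statements; Action may be a string or a list,
    and Statement may be a single dict instead of a list."""
    actions: Set[str] = set()
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        act = stmt.get("Action", [])
        actions.update([act] if isinstance(act, str) else act)
    return actions


def diff_snapshots(old: dict, new: dict) -> Dict[str, dict]:
    """Step 2: per-policy changes between two daily snapshots. Policies whose
    version and action set are both unchanged are left out."""
    changes: Dict[str, dict] = {}
    for name in sorted(set(old) | set(new)):
        before = allowed_actions(old[name]["document"]) if name in old else set()
        after = allowed_actions(new[name]["document"]) if name in new else set()
        old_ver = old.get(name, {}).get("version")
        new_ver = new.get(name, {}).get("version")
        if before == after and old_ver == new_ver:
            continue
        changes[name] = {"version": (old_ver, new_ver),
                         "added": sorted(after - before),
                         "removed": sorted(before - after)}
    return changes


def findings(changes: Dict[str, dict], expected=EXPECTED_SERVICES) -> List[str]:
    """Steps 3-4: one alert line per added action that is out of scope or destructive."""
    out: List[str] = []
    for name, ch in changes.items():
        for action in ch["added"]:
            service, _, verb = action.partition(":")
            reasons = []
            if service not in expected.get(name, set()):
                reasons.append(f"service '{service}' is outside the scope of {name}")
            if verb == "*" or verb.startswith(DESTRUCTIVE_VERBS):
                reasons.append("privileged/destructive verb")
            if reasons:
                out.append(f"{name} {ch['version'][0]}->{ch['version'][1]}: +{action} ({'; '.join(reasons)})")
    return out


def fetch_snapshot() -> dict:
    """Step 1, live: snapshot of attached AWS managed policies via boto3
    (list_policies with Scope='AWS', OnlyAttached=True, then get_policy_version).
    Not executed in the offline demo."""
    import boto3  # imported lazily so the offline demo needs no AWS SDK or credentials
    iam = boto3.client("iam")
    snap = {}
    for page in iam.get_paginator("list_policies").paginate(Scope="AWS", OnlyAttached=True):
        for pol in page["Policies"]:
            version = iam.get_policy_version(PolicyArn=pol["Arn"], VersionId=pol["DefaultVersionId"])
            snap[pol["PolicyName"]] = {"version": pol["DefaultVersionId"],
                                       "document": version["PolicyVersion"]["Document"]}
    return snap


if __name__ == "__main__":
    # Step 5 in a cron job: load yesterday's saved snapshot, call fetch_snapshot() for today,
    # diff, alert, then save today's snapshot. Here both sides are the constructed data.
    for line in findings(diff_snapshots(YESTERDAY, TODAY)):
        print(line)
```

Running it prints a single alert for the constructed AmazonAthenaFullAccess change, naming both reasons: cloudwatch is outside the policy's expected scope, and DeleteAlarms is a destructive verb. The unchanged ExampleReadOnly policy produces nothing, which is what keeps the daily alert volume reviewable.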

If you do not want to build all this yourself, don’t worry: there is already a tool for exactly this, built by Scott Piper (SummitRoute) and Victor Grenu, called MAMIP - Monitor AWS Managed IAM Policies. You can watch the repo for releases, get updates on new commits, and check whether any of your policies have changed.

Alternatively, you can follow their Twitter account, where a bot tweets the same updates: https://twitter.com/mamip_aws

MAMIP repo: https://github.com/z0ph/MAMIP

Please feel free to point out any mistakes. Thank you for reading. You can connect with me on LinkedIn / Twitter. Happy to answer your queries.
