An AWS IAM Security Tooling Reference

Aug 18, 20

Identity and Access Management (IAM) is a cornerstone of security. AWS IAM is the cloud provider’s native service for securely managing access to AWS resources. It supports granular, identity based permissions. However, AWS IAM is not only crucially important, but also immensely complex.

IAM policies are evaluated through a four step process, which considers authentication, then the request context, followed by evaluating all possible account policies, and finishing with the determination on allowing or denying an action. For a concrete example, take an S3 bucket. It will be subject to resource-level permissions (bucket ACLs), resource-based policies (bucket policies), permissions boundaries, SCPs, and IAM policies.

Or look at the following flowchart (from the IAM User Guide) for another glimpse of the complexity:

[Policy Enforcement Code Flowchart.jpg](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)

Want a deeper dive? Check out Brigid Johnson’s “Become an IAM Policy Master in 60 Minutes or Less” talk from re:Invent 2018:

This complexity and the resultant challenges it can pose for security have not gone unnoticed. In addition to efforts at education, AWS has developed Zelkova, an automated reasoning tool for AWS permissions. One of the earliest (publicly exposed) applications of Zelkova to IAM was the creation of the “Public” labels, which were applied to S3 buckets. More recently, AWS IAM Access Analyzer was released, which uses Zelkova to “identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity.”

Outside of Amazon, numerous individuals and organizations have also released tools to help you reason about the usage of IAM in your AWS environment. The following are those I’ve found most useful in my time spent looking at AWS security:

Assessment

Are you auditing an unfamiliar environment, inherited one, or maybe just looking to check your own? These tools automate the core parts of AWS IAM assessment.

PMapper - https://github.com/nccgroup/PMapper

Principal Mapper (PMapper) is a script from my NCC Group coworker Erik Steringer that answers a couple of the most pressing questions many of our clients have:

  1. “Who can escalate privileges?” and
  2. “Which principals can access other principals?”

PMapper accomplishes this by generating and traversing a graph of a given AWS account’s IAM users and roles. It also comes equipped with both a REPL and support for generating Visualizations.

Parliament - https://github.com/duo-labs/parliament

Parliament, from Scott Piper (of Summit Route) and Duo Labs, is the best AWS IAM linting library. It can identify hard to notice issues like the attempt to use a condition that is not documented as supported for the associated action, or the use of completely unknown actions. It also has rules for logical inconsistencies that might allow for privilege escalation, with the provided example “an S3 bucket where s3:Delete is not allowed, but s3:PutBucketPolicy is, which could be abused to grant anonymous object deletion.”

Cloudtracker - https://github.com/duo-labs/cloudtracker

Cloudtracker is the other AWS IAM tool from the power-team of Scott Piper and Duo Labs. Cloudtracker uses AWS Athena to query an account’s CloudTrail logs, and can compare them with current IAM policies to identify unused privileges. AWS offers a similar service in the IAM Access Advisor, however it only works on a service level, with the exception of S3 management plane operations.

SkyArk - https://github.com/cyberark/SkyArk

CyberArk’s SkyArk tool was published as part of their research, initially presented at RSA 2018. It’s signature feature for AWS is its AWStealth script, which identifies so-called “shadow admins” within an AWS account. These include users with the the built-in privileged job functions policies, as well as the privilege escalation possibilities enumerated by Rhino Security Labs.

Cloudsplaining - https://opensource.salesforce.com/cloudsplaining/

Kinnaird McQuade of Salesforce’s Cloudsplaining is the most recent release to have made this list. Cloudsplaining identifies violations of least privilege with perhaps the most robust reporting of any tool on this list. While the primary focus is on identifying failures to take advantage of resource constraints, it has findings for:

  1. Privilege Escalation,
  2. Resource Exposure,
  3. Infrastructure Modification, and
  4. Data Exfiltration

Maintenance

Are you responsible for administering an AWS environment, or are you looking to build out a cloud security program? These tools help ease the pain of managing AWS IAM at enterprise scale.

Policy Sentry - https://github.com/salesforce/policy_sentry

Policy Sentry is the tool Kinnaird released before Cloudsplaining, and its core purpose is to enable people to write secure, least privilege IAM policies, without hours of effort and even more time learning the nuances. The flagship feature is the automatic application of resource-constraints based on a simple definition of resource ARNs and access levels. Policy Sentry is a tool worth socializing within your organization, as it well earns its learning curve.

Repo Kid - https://github.com/Netflix/repokid

Netflix’s Repo Kid is built on top of Aardvark, their “multi-account AWS IAM Access Advisor API (and caching layer)”. It’s killer feature is automatic convergence of IAM permissions to least privilege. Once configured, Repo Kid can “repo” a role by removing permissions granting access to unused services.