    How to Use AirIAM
    04 October 22


    Posted by INE

    In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    Purpose: When we create a new IAM user or role, there is always the risk of privilege escalation if privileges are not assigned accurately. To address this issue, AirIAM is a tool that can be used to automate the least privilege IAM principle in AWS using Terraform. This article will demonstrate how to use the AirIAM tool.

    Technical difficulty:


    |   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert

    What is AirIAM?

    AirIAM is a tool to identify and automate least-privilege IAM principles in AWS using Terraform. It compiles AWS IAM usage data and uses it to generate a least-privilege IAM Terraform configuration that replaces the existing IAM management method.


    AirIAM1.png

    AirIAM was developed to promote immutable and version-controlled IAM management as an alternative to today's manual and error-prone methods. AirIAM is written in Python and aims to simplify and increase the adoption of infrastructure code for IAM management.

    What is Terraform?

    Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share.

    What does the principle of least privilege say?

    According to the principle of least privilege, every module in a particular abstraction layer of a computing environment must be able to access only the information and resources required for its legitimate purpose. It reduces the risk of privilege abuse by limiting the privileges granted to a user, application, or other entity. If an account only has the permissions needed to perform its function, its ability to abuse those privileges is restricted.

    Now that we have covered all the key terms for the lab, let's carry out the experiment.

    Lab Scenario

    We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

    Lab Link: AirIAM

    Objective

    Create an IAM role, user, and group, and then use AirIAM to analyze them. Terraformize your AWS IAM runtime configurations as well.

    Solution

    Step 1: Click the lab link button to get the access credentials, then log in to the AWS account with them.

    AirIAM3.png


    Step 2: Search for IAM in the search bar and navigate to the IAM dashboard.

    AirIAM4.png


    Step 3: Click on “Roles” from the left navigation pane.

    AirIAM5.png


    Step 4: Click on the “Create role” button.

    AirIAM6.png


    Step 5: Select trusted entity type as AWS service and use case as Lambda.

    AirIAM7.png

    Click on the “Next” button.

    AirIAM8.png


    Step 6: Search for “S3full” in the policies and select “AmazonS3FullAccess”.

    AirIAM9.png


    Step 7: Click on the “Next” button.

    AirIAM10.png


    Step 8: Set the role name as “Lambda_s3_full_access” and click on the “Create” button.

    AirIAM11.png


    We have successfully created a role which has “AmazonS3FullAccess” privileges.

    Step 9: Now, let’s create a user group. Click on “User groups” from the left navigation pane. 

    AirIAM12.png


    Step 10: Click on the “Create group” button.

    AirIAM13.png


    Step 11: Set the group name as “s3_users”.

    AirIAM14.png

    Step 12: Search “s3full” in policies and select “AmazonS3FullAccess”.

    AirIAM15.png

    Step 13: Click on the “Create group” button.

    AirIAM16.png


    Successfully created the group.

    AirIAM17.png

    Now, we will add a user to the created group.

    Step 14: Click on “Users”.

    AirIAM18.png


    Step 15: Click on “Add users”.

    AirIAM19.png


    Step 16: Set the user name as “mike” and enable both access key and password (console) access.

    AirIAM20.png


    Step 17: Set the console password to auto-generated.

    AirIAM21.png

    Step 18: Choose “Attach existing policies directly”, search for “s3full”, and select the “AmazonS3FullAccess” policy.

    AirIAM22.png

    Click on the “Next” button.

    AirIAM23.png


    Click on the “Next” button.

    AirIAM24.png

    Review the configurations for the created user.

    AirIAM25.png


    Click on the “Create user” button.

    AirIAM26.png


    Step 19: Switch to the root user.

    Command:

    sudo su

    AirIAM27.png

    Step 20: Configure the AWS CLI using the provided credentials.

    AirIAM reads the AWS credentials configured for the CLI, so they must be in place before AirIAM is run.

    Command: 

    aws configure

    AirIAM28.png

    Step 21: Install AirIAM.

    Command: 

    pip3 install airiam

    AirIAM29.png

    Step 22: Explore AirIAM commands.

    Command: 

    airiam -h

    It prints the available subcommands:

    1. find_unused - Scan your runtime IAM for unused entities

    2. recommend_groups - Recommend IAM groups according to IAM users and their in-use privileges

    3. terraform - Terraformize your runtime AWS IAM configurations

    AirIAM30.png

    Step 23: Find the unused IAM entities.

    Command: 

    airiam find_unused

    AirIAM31.png

    It will check all the entities available on the AWS account.

    AirIAM32.png

    It will provide an overview similar to this.

    AirIAM33.png

    Here we have two users, one role and one group as unused.

    Step 24: Check the AirIAM terraform options.

    Command: 

    airiam terraform -h

    AirIAM34.png

    Step 25: Using AirIAM, generate Terraform for the current AWS account configuration, excluding the unused entities.

    AirIAM35.png

    The current IAM setup has been migrated into Terraform.

    AirIAM36.png

    Step 26: Navigate to the results directory and list the files.

    AirIAM37.png

    Step 27: Open the results directory with a text editor.

    AirIAM38.png

    Step 28: Check out the main.tf file. It will have a provider set with a region.

    AirIAM39.png

    Step 29: All the role configurations are in the roles.tf file.

    AirIAM40.png

    Step 30: All the user configurations are in the users.tf file.

    AirIAM41.png

    After generating the Terraform from the existing AWS account without the unused entities, it can be applied to a new account, resulting in a configuration that carries only the entities that are actually in use.
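    The find_unused and terraform steps above, as an added Python example (not AirIAM's own code): it applies a last-used threshold (assumed here to be 90 days) to constructed sample entities named after the lab's, and emits Terraform only for the entities that are kept. The "ci-deployer" user and all timestamps are constructed for the example.

```python
import json
from datetime import datetime, timedelta

THRESHOLD_DAYS = 90  # assumed default; airiam exposes the threshold as an option

# Constructed sample, not real account data: names mirror the lab's entities,
# plus a recently used "ci-deployer" user (an assumption) to show the contrast.
NOW = datetime(2022, 10, 4)
ENTITIES = [
    {"type": "user", "name": "mike", "last_used": None, "policies": ["AmazonS3FullAccess"]},
    {"type": "user", "name": "ci-deployer", "last_used": NOW - timedelta(days=3),
     "policies": ["AmazonS3ReadOnlyAccess"]},
    {"type": "role", "name": "Lambda_s3_full_access", "last_used": None,
     "policies": ["AmazonS3FullAccess"]},
    {"type": "group", "name": "s3_users", "last_used": None, "policies": ["AmazonS3FullAccess"]},
]
# The lab's role trusts the Lambda service (trusted entity type: AWS service / Lambda).
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}

def is_unused(entity, now=NOW, threshold_days=THRESHOLD_DAYS):
    """Unused = never used, or last used longer ago than the threshold."""
    last = entity["last_used"]
    return last is None or (now - last).days > threshold_days

def find_unused(entities, now=NOW, threshold_days=THRESHOLD_DAYS):
    """Counterpart of `airiam find_unused`: unused entity names grouped by type."""
    report = {"user": [], "role": [], "group": []}
    for e in entities:
        if is_unused(e, now, threshold_days):
            report[e["type"]].append(e["name"])
    return report

def to_terraform(entities, without_unused=True, now=NOW, threshold_days=THRESHOLD_DAYS):
    """Counterpart of `airiam terraform`: HCL for the entities that are kept."""
    kept = [e for e in entities if not (without_unused and is_unused(e, now, threshold_days))]
    blocks = []
    for e in kept:
        kind, name = e["type"], e["name"]
        body = f'  name = "{name}"\n'
        if kind == "role":  # aws_iam_role requires a trust (assume-role) policy
            body += f"  assume_role_policy = {json.dumps(json.dumps(LAMBDA_TRUST))}\n"
        blocks.append(f'resource "aws_iam_{kind}" "{name}" {{\n{body}}}')
        for policy in e["policies"]:  # managed policies become attachment resources
            blocks.append(f'resource "aws_iam_{kind}_policy_attachment" "{name}_{policy}" {{\n'
                          f'  {kind} = aws_iam_{kind}.{name}.name\n'
                          f'  policy_arn = "arn:aws:iam::aws:policy/{policy}"\n}}')
    return "\n\n".join(blocks)
```

    With the sample data, find_unused reports mike, Lambda_s3_full_access and s3_users as unused, and to_terraform emits only the ci-deployer user with its read-only attachment; passing without_unused=False emits all four entities.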


    Conclusion

    Congratulations! In this article, we learnt how to create an IAM role, user, and group, how to use AirIAM to analyze them, and how to Terraformize your AWS IAM runtime configurations.

    Try out AirIAM hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

    © 2024 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.