How to Use AirIAM
In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!
Purpose: When we create a new IAM user or role, there is always the risk of privilege escalation if privileges are not assigned accurately. To address this issue, AirIAM is a tool that can be used to automate the least privilege IAM principle in AWS using Terraform. This article will demonstrate how to use the AirIAM tool.
Technical difficulty: Novice | Beginner | Competent | Proficient | Expert
What is AirIAM?
AirIAM is a tool that identifies and automates least-privilege IAM principles in AWS using Terraform. It compiles AWS IAM usage data and uses it to create a least-privilege IAM Terraform configuration that replaces the existing IAM management method.
AirIAM was developed to promote immutable and version-controlled IAM management as an alternative to today's manual and error-prone methods. It is written in Python and aims to simplify and increase the adoption of infrastructure as code for IAM management.
What is Terraform?
Terraform is an infrastructure as code tool that lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share.
What does the principle of least privilege say?
According to the principle of least privilege, every module in a particular abstraction layer of a computing environment must be able to access only the information and resources required for its legitimate purpose. It reduces the risk of privilege abuse by limiting the privileges granted to a user, application, or other entity. If an account only has the permissions needed to perform its function, its ability to abuse those privileges is restricted.
Now that we have covered all the key terms for the lab, let's carry out the experiment.
Lab Scenario
We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.
Lab Link: AirIAM
Objective
Create an IAM role, user, and group, and then use AirIAM to analyze them. Terraformize your AWS IAM runtime configurations as well.
Solution
Step 1: Click the lab link button to get access credentials. Log in to the AWS account with these credentials.
Step 2: Search for IAM in the search bar and navigate to the IAM dashboard.
Step 3: Click on “Roles” from the left navigation pane.
Step 4: Click on the “Create role” button.
Step 5: Select trusted entity type as AWS service and use case as Lambda.
Click on the “Next” button.
Step 6: Search for “S3full” in the policies and select “AmazonS3FullAccess”.
Step 7: Click on the “Next” button.
Step 8: Set the role name as “Lambda_s3_full_access” and click on the “Create” button.
We have successfully created a role which has “AmazonS3FullAccess” privileges.
Step 9: Now, let’s create a user group. Click on “User groups” from the left navigation pane.
Step 10: Click on the “Create group” button.
Step 11: Set the group name as “s3_users”.
Step 12: Search “s3full” in policies and select “AmazonS3FullAccess”.
Step 13: Click on the “Create group” button.
The group has been created successfully.
Now, we will add a user to the created group.
Step 14: Click on “Users”.
Step 15: Click on “Add users”.
Step 16: Set the user name as mike and enable both access key and password access.
Step 17: Set the console password as auto-generated.
Step 18: Attach a policy by choosing “Attach existing policies directly”, search for “s3full”, and select the “AmazonS3FullAccess” policy.
Click on the “Next” button.
Click on the “Next” button.
Review the configurations for the created user.
Click on the “Create user” button.
Step 19: Switch to root user.
Command:
sudo su
Step 20: Configure the AWS CLI using the provided credentials.
AirIAM uses the AWS credentials configured for the CLI, so this step is required before running it.
Command:
aws configure
Step 21: Install AirIAM.
Command:
pip3 install airiam
Step 22: Explore AirIAM commands.
Command:
airiam -h
It will print the command usage, including the following subcommands:
find_unused - Scan your runtime IAM for unused entities
recommend_groups - Recommend IAM groups according to IAM users and their in-use privileges
terraform - Terraformize your runtime AWS IAM configurations
Step 23: Find the unused IAM entities.
Command:
airiam find_unused
It will check all the entities available in the AWS account and provide an overview similar to this.
Here we have two users, one role, and one group reported as unused.
Step 24: Check the AirIAM terraform options.
Command:
airiam terraform -h
Step 25: Use AirIAM to create a Terraform configuration for the current AWS account without the unused entities.
The current IAM setup has been migrated into Terraform successfully.
Step 26: Navigate to the results directory and list the files.
Step 27: Open results directory with a text editor.
Step 28: Check the main.tf file. It contains the provider block with the region set.
Step 29: All role configurations are in the roles.tf file.
Step 30: All user configurations are in the users.tf file.
After generating the Terraform configuration from the existing AWS account without unused entities, it can be applied to a new account, resulting in a configuration that contains no unused entities.
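To make concrete what the find_unused and terraform steps above do, here is an added Python example (not AirIAM's own code) that applies a last-activity threshold to a constructed IAM snapshot and renders Terraform only for the entities still in use. The snapshot shape, the 90-day default, and the sample user and role names are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample snapshot (not a real account; the shape is an assumption
# of this example, not AirIAM's internal data model).
NOW = datetime(2023, 6, 1, tzinfo=timezone.utc)
IAM_SNAPSHOT = {
    "users": [
        {"name": "mike", "policies": ["AmazonS3FullAccess"], "last_activity": "2023-05-28T10:00:00Z"},
        {"name": "old-admin", "policies": ["AdministratorAccess"], "last_activity": "2022-01-15T09:00:00Z"},
        {"name": "never-used", "policies": [], "last_activity": None},
    ],
    "roles": [
        {"name": "Lambda_s3_full_access", "policies": ["AmazonS3FullAccess"],
         "trusted_service": "lambda.amazonaws.com", "last_activity": "2023-05-30T12:00:00Z"},
        {"name": "stale-batch-role", "policies": ["AmazonS3ReadOnlyAccess"],
         "trusted_service": "batch.amazonaws.com", "last_activity": "2022-11-01T00:00:00Z"},
    ],
}

def is_unused(entity, now=NOW, threshold_days=90):
    """Unused = never acted, or last acted more than threshold_days ago."""
    if entity["last_activity"] is None:
        return True
    last = datetime.fromisoformat(entity["last_activity"].replace("Z", "+00:00"))
    return now - last > timedelta(days=threshold_days)

def find_unused(snapshot, now=NOW, threshold_days=90):
    """Names of unused users and roles, the job `airiam find_unused` does."""
    return {kind: [e["name"] for e in ents if is_unused(e, now, threshold_days)]
            for kind, ents in snapshot.items()}

def render_terraform(snapshot, now=NOW, threshold_days=90):
    """HCL for in-use entities only (Terraform without unused entities).
    AWS-managed policies are attached by ARN; roles also get a trust policy."""
    blocks = []
    for kind, ents in snapshot.items():
        res = "aws_iam_" + kind[:-1]          # users -> aws_iam_user, roles -> aws_iam_role
        for e in ents:
            if is_unused(e, now, threshold_days):
                continue                      # dropped, exactly like --without-unused
            attrs = [f'  name = "{e["name"]}"']
            if "trusted_service" in e:        # roles need an assume-role (trust) policy
                trust = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                         "Action": "sts:AssumeRole", "Principal": {"Service": e["trusted_service"]}}]}
                attrs.append(f"  assume_role_policy = {json.dumps(json.dumps(trust))}")
            blocks.append(f'resource "{res}" "{e["name"]}" {{\n' + "\n".join(attrs) + "\n}")
            for p in e["policies"]:
                blocks.append(f'resource "{res}_policy_attachment" "{e["name"]}_{p}" {{\n'
                              f'  {kind[:-1]}       = {res}.{e["name"]}.name\n'
                              f'  policy_arn = "arn:aws:iam::aws:policy/{p}"\n}}')
    return "\n\n".join(blocks)
```

Lowering threshold_days tightens the cut-off, so an entity that is "in use" at 90 days can become unused at 7; pick the threshold from how the account is actually used before applying the generated configuration.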
References:
AirIAM (https://airiam.io/)
Conclusion
Congratulations! In this article, we learned how to create an IAM role, user, and group, and then use AirIAM to analyze them, as well as how to Terraformize your AWS IAM runtime configurations.
Try out AirIAM hands-on in our lab! Subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!