blog
Using AWS IAM Access Anal ...
14 September 22

Using AWS IAM Access Analyzer to Find and Resolve Issues

Posted byINE
facebooktwitterlinkedin
news-featured

In our lab walkthrough series, we go through selected lab exercises on our INE Platform. Subscribe or sign up for a 7-day, risk-free trial with INE and access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Purpose: Access Analyzer helps you identify the resources in your organization and accounts that are shared with an external entity. It validates IAM policies against policy grammar and best practices. And also generates IAM policies based on access activity in your AWS CloudTrail logs. Here, we'll learn how to create an Access Analyzer and utilize it to get rid of permissions that are overly permissive and could be used maliciously by an attacker.

Technical difficulty:

|   Novice   |   Beginner   |   Competent   |   Proficient   |   Expert

What does it do and how does it work?

It assists you in identifying the resources in your organization and accounts that are shared with an external entity, such as Amazon S3 buckets or IAM roles (AWS accounts, root users, IAM users and roles, federated users, AWS services, anonymous users, and other entities that you can use to create filters are examples of external entities). This allows you to detect unauthorized access to your resources and data, which poses a security risk. Access Analyzer identifies resources shared with external principals by analyzing the resource-based policies in your AWS environment using logic-based reasoning.

Access Analyzer examines the resource-based policies applied to AWS resources in the Region where Access Analyzer is enabled. Access Analyzer does not examine access logs to determine whether a resource within your zone of trust was accessed by an external entity. It generates a finding when a resource-based policy allows access to a resource, even if the resource was not accessed by the external entity. 

When making its determination, Access Analyzer also does not consider the state of any external accounts. That is, even if it indicates that account 0011223344 has access to your S3 bucket, it has no knowledge of the account's users, roles, service control policies (SCP), or other relevant configurations. Access Analyzer does not consider who owns the other account. It's also for security; even if the account isn't owned by the Access Analyzer customer, it's important to know that an external entity could gain access to their resources, even if there are no principals in the account who can access them right now.

Access Analyzer analyzes the following resource types:

  • Amazon Simple Storage Service buckets

  • AWS Identity and Access Management roles

  • AWS Key Management Service keys

  • AWS Lambda functions and layers

  • Amazon Simple Queue Service queues

  • AWS Secrets Manager secrets

Now Let’s Discuss the Findings:

Access Analyzer generates a finding for each instance of a resource shared outside of your account. The findings include details about the access and the external principal who granted it. When you create an analyzer, you choose an organization or AWS account to analyze. Any principal in the organization or account that you choose for the analyzer is considered trusted.

Access Analyzer generates a finding for each instance of a resource-based policy that grants access to a resource within your zone of trust to a principal that is not within your zone of trust. Any sharing that is within the zone of trust is considered safe, so Access Analyzer does not generate a finding.

Now that we have covered all the key terms for the lab, let's carry out the experiment.

Lab Scenario

We have set up the below scenario in our INE labs for our students to practice. The screenshots have been taken from our online lab environment.

Lab Link: Access Analyzer

Objective

Create an Analyzer using the Access Analyzer and find issues (overly permissive permissions) and resolve those issues. 

Solution

Step 1: Click the lab link button to get access credentials. Login to the AWS account with these credentials.

aa1.png

Step 2: Search for “IAM” and navigate to the IAM dashboard.

aa2.png

Step 3: Click on “Access analyzer” from the access reports.

aa3.png


Step 4: Click on “Create analyzer”.

aa4.png

Step 5: Set everything as default and click on “Create analyzer”.

aa5.png


After the successful creation of an access analyzer, it identifies resources shared with external principals by using logic-based reasoning to analyze the resource-based policies in your AWS environment and list them as findings in the active findings table.

Step 6: Click on “Finding ID” of the resource “Secret”. This will list details about the finding.

aa6.png

This finding informs that the resource has been shared with an external AWS account having an id 002763723555.

aa7.png

This page also includes information about the access and the external principal granted to it.

aa8.png

NOTE: Secrets Manager enables you to replace hard coded credentials in your code, including passwords, with an API call to Secrets Manager to retrieve the secret programmatically. This helps ensure the secret can't be compromised by someone examining your code, because the secret no longer exists in the code.

Step 7: Right click on the resource arn and open the link in the new tab. This will make it easier to switch back to the analyzer dashboard.

aa9.png

Step 8: Navigate to the “Resource permissions” and check out the resource policy.

In this resource-based policy, the IAM element Effect specifies whether the statement results in allow or an explicit deny. The IAM Action element defines the actions that are performed with the secret. The IAM Resource element is the secret that the policy is attached to. The IAM Principal element specifies the user with access to perform actions with the secret.

This policy grants full access to the secret for the two AWS accounts. Remove the external AWS account arn and keep the one which has an arn of this account.

aa10.png

Click on “Edit permissions”.

aa11.png

Remove the external AWS account arn from principal.

aa12.png

Click on “Save”.

aa13.png

Now, the access to the secret is only allowed for the current account. Now switch back to the tab which has an access analyzer dashboard.

Step 9: On the finding page, Click on the “Rescan” button to run a scan again in this particular resource.

aa14.png

If the resource is no longer shared outside of your zone of trust, the status of the finding is changed to Resolved. The finding is no longer displayed in the Active findings table, and instead is displayed in the Resolved findings table. Now, the access is removed, the status changed to Resolved.

aa15.png

Step 10: Click on “Finding ID” of the resource “S3 Bucket” which has a name that starts with “lab-zone”. 

aa16.png

NOTE: S3 bucket is an object storage service that offers scalability, data availability, security, and performance. S3 is used to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics.

Step 11: Right click on the resource arn and open the link in the new tab. This will navigate to the S3 dashboard.

aa17.png

Step 12: Click on Permissions.

Notice the permissions overview section. The access of this bucket is public.

aa18.png

aa19.png

A bucket policy is a resource-based policy that you can use to grant access permissions to your bucket and the objects in it. Only the bucket owner can associate a policy with a bucket. The permissions attached to the bucket apply to all of the objects in the bucket that are owned by the bucket owner.

The following policy grants the Read, Write, List permission to any public anonymous users.

aa20.png

Step 13: Click on “Edit” under block public access.

aa21.png

Step 14: Block all public access by checking the box and click on “Save changes”.

aa22.png

 

Step 15: Enter “confirm” and save the settings.

aa23.png

All public access to the bucket is blocked.

aa24.png

Switch to the tab which has an access analyzer dashboard. 

Step 16: On the finding page, Click on the “Rescan” button to run a scan again in this particular resource.

aa25.png

The access is removed, the status changed to Resolved.

aa26.png

Step 17: Click on “Finding ID” of the resource “S3 Bucket” which has a name that starts with “lab-bucket-ip”. 

aa27.png

Step 18: Right click on the resource arn and open the link in the new tab. This will navigate to the S3 dashboard.

aa28.png

Step 19: Click on “Permissions”.

aa29.png


Step 20: Scroll down to the Block public access section and click on the “Edit” button.

aa30.png

Step 21: Block all public access by checking the box and click on Save changes.

aa31.png

Enter “confirm” and save the settings.

aa32.png

All the public access has been blocked.

aa33.png

The following policy denies permissions to any user to perform  Amazon S3 Read, Write, List operations on objects in the specified S3 bucket unless the request originates from the IP address specified in the condition. This access will work even when you block all the public access to the bucket.

aa34.png

Step 22: Click on “Edit” under bucket policy.

aa35.png

Change the Effect in the policy to “Deny”. This denies permissions to user having the specified IP address to perform Amazon S3 Read, Write, List operations.

aa36.png

Click on “Save changes”.

aa37.png

Switch to the tab which has an access analyzer dashboard.


Step 23: On the finding page, Click on the “Rescan” button to run a scan again in this particular resource.

aa38.png

The access is removed, the status changed to Resolved.

aa39.png


Step 24: Click on “Finding ID” of the resource “IAM Role” with the name “ad_role”.

aa40.png

NOTE: An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it.

Step 25: Right click on the resource arn and open the link in the new tab. This will navigate to the IAM dashboard.

aa41.png

A trust policy is a document in which you define the principals that you trust to assume the role. A role trust policy is a required resource-based policy that is attached to a role in IAM. The principals that you can specify in the trust policy include users, roles, accounts, and services. This is an overly permissive trust policy.

aa42.png

Step 26: Click on “Trust relationships”.

aa43.png

Step 27: Click on “Edit trust policy”.

aa44.png


Step 28: Change the Effect to “Deny”.

This trust policy allows full access to the AWS account and this can be assumed by anyone.

aa45.png

Step 29: Update policy by clicking “Update policy”.

aa46.png

Switch to the tab which has an access analyzer dashboard.

 

Step 30: On the finding page, Click on the “Rescan” button to run a scan again in this particular resource.

aa47.png

The access is removed, the status changed to Resolved.

aa48.png

Step 31: Navigate back to the analyzer dashboard. Click on “Finding ID” of the resource “KMS Key”.

aa49.png

Check the access level granted.

aa50.png

NOTE: AWS Key Management Service (AWS KMS) is an encryption and key management service scaled for the cloud. AWS KMS keys and functionality are used by other AWS services, and you can use them to protect data in your own applications that use AWS.

Step 32: Right click on the resource arn and open the link in the new tab. This will navigate to the KMS dashboard.

aa51.png

AWS Key Management Service (KMS) gives you centralized control over the cryptographic keys used to protect your data. The service is integrated with other AWS services making it easy to encrypt data you store in these services and control access to the keys that decrypt it.

This key policy statement allows all actions (kms:*) to two AWS accounts on the KMS key. Remove the external AWS account from the key policy.

aa52.png

The principal in this key policy statement is the account principal, which is represented by an ARN in this format: arn:aws:iam::account-id:root. The account principal represents the AWS account and its administrators.

Step 33: Remove the external AWS account from the principal and click on “Save changes”.

aa53.png

Switch to the tab which has an access analyzer dashboard. 

Step 34: On the finding page, Click on the “Rescan” button to run a scan again in this particular resource.

aa54.png

The access is removed, the status changed to Resolved.

aa55.png

Step 35: Navigate back to the analyzer dashboard. Select all the findings with the name “TheOracle” and archive the findings.

These findings are generated from an IAM role which was created intentionally for this lab and has no security threats. So archive the findings.

aa56.png

Step 36: Click on “Archive” under the actions.

aa57.png

When you archive a finding, it is removed from Active findings and the status changes to Archived.

aa58.png

Click on “Archived” and navigate to archived findings. 

aa59.png

This will list all the archived findings.

aa60.png

Click on “Resolved” and navigate to resolved findings. 

aa61.png

This will list all the resolved findings.

aa62.png

References:

Conclusion

We saw how to create an Analyzer using the Access Analyzer, find permissions that are overly permissive in nature, and get rid of those permissions.

To perform these tasks hands-on in our lab, subscribe or sign up for a 7-day, risk-free trial with INE to access this lab and a robust library covering the latest in Cyber Security, Networking, Cloud, and Data Science!

Need training for your entire team?

Schedule a Demo

Hey! Don’t miss anything - subscribe to our newsletter!

© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
Terms of servicePrivacy policy
instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo