
Limiting Blast Radius: Automating AWS IAM using Policy Sentry - Kinnaird McQuade (fwd:cloudsec 2020)

Infrastructure engineers often find themselves creating over-permissive IAM policies to get their jobs done, because writing least-privilege IAM policies is unnecessarily complex. However, in the case of a breach, it is critical to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.

Policy Sentry - open-sourced in 2019 by Salesforce - writes least-privilege IAM policies with resource constraints in a matter of seconds, rather than tediously writing insecure IAM policies by hand. These policies are scoped down according to access levels and resource ARNs. In the case of a breach, this helps to limit the blast radius of compromised credentials by only giving IAM principals access to what they need.

Before this tool, it could take hours to craft an IAM Policy with resource ARN constraints — but now it can take a matter of seconds. This way, developers only have to determine the access levels and resources that they need to access, and Policy Sentry abstracts the complexity of IAM policies away from their development processes.

In this talk, you’ll learn how to use Policy Sentry. You will leave with practical knowledge about how to uplift and automate IAM security for your entire organization.



  1. Limiting Blast Radius: Automating AWS IAM using Policy Sentry. Kinnaird McQuade, Lead Cloud Security Engineer (@kmcquade3)
  2. Kinnaird McQuade, Lead Cloud Security Engineer. Twitter: @kmcquade3. Hacker, builder, dog lover.
  3. Agenda: Motivation; Bad IAM Policies; Secure IAM Policies; How Policy Sentry solves these problems; Demo.
  4. Motivation:
     • AWS IAM is difficult to manage, especially at scale.
     • User roles generally undergo more scrutiny than machine roles (EC2 instance profiles).
     • Developers typically define IAM policies for machine roles.
     • Machine roles are rich targets for attackers.
     • In the case of a breach, restricting IAM on machine roles helps to limit the blast radius of those credentials by only giving access to what they need.
  5. Resource Constraints.
     Insecure (wildcard resources):
     { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" }] }
     More secure (resource constraints):
     { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::example" ] }] }
  6. Access Levels.
     Insecure (all access levels):
     { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::example/*" ] }] }
     More secure (specific access levels):
     { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::example/*" ] }] }
  7. AWS Managed Policies; "eyeball it"; Actions: "*", Resources: "*".
  8. How do we automate our way out of the problem?
  9. Policy Sentry: generate least-privilege IAM policies in seconds.
     • Open source CLI tool.
     • Creates least-privilege IAM policies in seconds.
     • Scopes policies down to: access levels; resource ARNs.
     • Uses simple YAML templates to generate policies.
  10. Policy Sentry templates:
     mode: crud
     read:
       - 'arn:aws:s3:::example/*'
     write:
       - 'arn:aws:s3:::example/*'
  11. Policy Sentry.
     "I need Read and Write access to the objects in the S3 bucket called mybucket":
     mode: crud
     read:
       - 'arn:aws:s3:::mybucket/*'
     write:
       - 'arn:aws:s3:::mybucket/*'
     "I need Tagging access to the secret titled mysecret in us-east-1":
     mode: crud
     tagging:
       - 'arn:aws:secretsmanager:us-east-1:123456789012:secret:mysecret'
  12. Writing Policies: three easy steps.
     1. Generate the YAML template: policy_sentry create-template --output-file demo.yml --template-type crud
     2. Copy and paste ARNs into the template (mode: crud; read: - 'arn:aws:s3:::mybucket/*'; write: - 'arn:aws:s3:::mybucket/*')
     3. Run the write-policy command: policy_sentry write-policy --input-file demo.yml
  13. Generated policy:
     { "Version": "2012-10-17", "Statement": [{ "Sid": "SsmReadParameter", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myparameter" }] }
  14. Demo time! https://github.com/salesforce/policy_sentry/
  15. How Policy Sentry Works: leveraging the AWS documentation on Actions, Resources, and Condition Keys.
     Action                    Access Level   Resource Type
     ssm:DescribeParameters    List           *
     ssm:DescribeDocument      Read           document
     ssm:GetParameter          Read           parameter
     ssm:GetParametersByPath   Read           parameter
     ssm:PutParameter          Write          parameter
     Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html
  16. How Policy Sentry Works (same table as the previous slide). Policy Sentry auto-selects the proper access levels and resource types to determine the necessary actions, based on user input. Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html
  17. Input:
     mode: crud
     read:
       - 'arn:aws:ssm:us-east-1:123456789012:parameter/myparameter'
     Output:
     { "Version": "2012-10-17", "Statement": [{ "Sid": "SsmReadParameter", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:us-east-1:123456789012:parameter/myparameter" }] }
  18. Recap.
     • Process: 1. Generate the template file; 2. Copy/paste ARNs; 3. Run the command to write the policy.
     • Policy Sentry speeds up time to develop IAM policies; abstracts the complexity of IAM; is auditable and repeatable, and templates can be stored in version control; you don't need to be an IAM expert to use it; developer friendly: just paste into YAML!
     https://github.com/salesforce/policy_sentry/
  19. PS: We're hiring! DevOps Engineers; Director/Senior Manager for IAM; Infrastructure Security Engineers; Threat/Vulnerability Management; Penetration Testing; Security Architects; ...much more. DM me on Twitter or the Cloud Security Forum Slack if you are interested: https://twitter.com/kmcquade3. https://github.com/salesforce/policy_sentry/
  20. Questions? https://github.com/salesforce/policy_sentry/
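As an added example (not Policy Sentry's own code), here is a miniature re-implementation in Python of the mechanism slides 10 to 17 describe: the crud template's ARNs are mapped to a service and resource type, the AWS action table is filtered by that resource type and the requested access level, and the matching actions become one policy statement per Sid. The action table is a hand-copied subset for SSM, and the Sid format and the resource-type inference from the ARN are assumptions modelled on the slides' sample output; it goes beyond the slides only in handling several template keys and ARNs in one run.

```python
import json

# Constructed subset of the AWS "Actions, Resources, and Condition Keys" table
# for SSM: the rows shown on slide 15, plus the two parameter Read actions that
# the slides' sample output includes (assumed from the AWS docs).
ACTION_TABLE = [
    ("ssm:DescribeParameters", "List", "*"),
    ("ssm:DescribeDocument", "Read", "document"),
    ("ssm:GetParameter", "Read", "parameter"),
    ("ssm:GetParameterHistory", "Read", "parameter"),
    ("ssm:GetParameters", "Read", "parameter"),
    ("ssm:GetParametersByPath", "Read", "parameter"),
    ("ssm:PutParameter", "Write", "parameter"),
]

# crud template keys -> access level names used in the AWS table
CRUD_LEVELS = {"read": "Read", "write": "Write", "list": "List",
               "tagging": "Tagging", "permissions-management": "Permissions management"}

def parse_arn(arn):
    """Return (service, resource_type) from an ARN. The resource type is the
    token before the first '/' of the resource part (assumed convention)."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[2], parts[5].split("/", 1)[0]

def write_policy(template):
    """Turn a crud template (the YAML loaded as a dict) into a policy with one
    statement per (service, access level, resource type), Sid as on slide 13."""
    statements = {}
    for key, arns in template.items():
        if key == "mode":
            continue
        level = CRUD_LEVELS[key]
        for arn in arns:
            service, rtype = parse_arn(arn)
            actions = sorted(a for a, lvl, rt in ACTION_TABLE
                             if a.split(":")[0] == service and lvl == level and rt == rtype)
            if not actions:  # actions whose resource type is "*" are not matched here
                raise ValueError(f"no {level} actions for {service} {rtype!r} in the table")
            sid = f"{service.capitalize()}{level}{rtype.capitalize()}"
            stmt = statements.setdefault(sid, {"Sid": sid, "Effect": "Allow",
                                               "Action": actions, "Resource": []})
            stmt["Resource"].append(arn)
    return {"Version": "2012-10-17", "Statement": list(statements.values())}

def policy_json(template):
    """The policy as the JSON text that would be pasted into IAM."""
    return json.dumps(write_policy(template), indent=2)
```

Unlike the slides' output, Resource is always emitted as a list, and actions whose resource type is "*" (like ssm:DescribeParameters) are rejected rather than placed in a separate wildcard statement.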
