Limiting Blast Radius: Automating AWS IAM using Policy Sentry - Kinnaird McQuade (fwd:cloudsec 2020)

1. Limiting Blast Radius Automating AWS IAM using Policy Sentry @kmcquade3 Kinnaird McQuade, Lead Cloud Security Engineer

2. Kinnaird McQuade Lead Cloud Security Engineer Twitter: @kmcquade3 * Hacker, Builder, dog lover

3. ● Motivation ● Bad IAM Policies ● Secure IAM Policies ● How Policy Sentry solves these Problems ● Demo Agenda

4. ● AWS IAM is difficult to manage, especially at scale ● User roles generally undergo more scrutiny than machine roles (EC2 instance profiles) ● Developers typically define IAM policies for machine roles Motivation ● Machine roles are rich targets for attackers ● In the case of a breach, restricting IAM on machine roles helps to limit the blast radius of those credentials by only giving access to what they need.

5. Resource Constraints { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": "*" }] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::example" }] } Insecure: Wildcard resources More secure: Resource Constraints

6. { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": [ "s3:Get*", "s3:List*" ], "Resource": [ "arn:aws:s3:::example/*" ]}] } { "Version": "2012-10-17", "Statement": [{ "Effect": "Allow", "Action": "s3:*", "Resource": [ "arn:aws:s3:::example/*" ] }] } Access Levels Insecure: All Access Levels More secure: Specific Access Levels

7. AWS Managed Policies Eyeball it Actions: "*" Resources: "*"

8. How do we automate our way out of the problem?

9. ● Open Source CLI tool ● Creates Least Privilege IAM policies in seconds ● Scopes policies down to: ○ Access levels ○ Resource ARNs ● Uses simple YAML templates to generate policies Generate Least-Privilege IAM Policies in seconds Policy Sentry

10. Policy Sentry Templates mode: crud read: -'arn:aws:s3:::example/*' write: -'arn:aws:s3:::example/*'

11. ● “I need Read and Write access to the objects in the S3 bucket called mybucket” ● “I need Tagging access to the secret titled mysecret in us-east-1” Policy Sentry mode: crud read: -'arn:aws:s3:::mybucket/*' write: -'arn:aws:s3:::mybucket/*' mode: crud tagging: -'arn:aws:secretsmanager:u s-east-1:123456789012:secr et:mysecret'

12. Writing Policies - Three easy steps 1. Generate the YAML template policy_sentry create-template --output-file demo.yml --template-type crud 2. Copy and paste ARNs 3. Run the write-policy command policy_sentry write-policy --input-file demo.yml mode: crud read: -'arn:aws:s3:::mybucket/*' write: -'arn:aws:s3:::mybucket/*'

13. { "Version": "2012-10-17", "Statement": [{ "Sid": "SsmReadParameter", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:us-east-1:123456789012:pa rameter/myparameter" }] }

14. Demo time! https://github.com/salesforce/policy_sentry/

15. How Policy Sentry Works Leveraging the AWS Documentation on Actions, Resources, and Condition Keys Actions Access Level Resource Type ssm:DescribeParameters List * ssm:DescribeDocument Read document ssm:GetParameter Read parameter ssm:GetParametersByPath Read parameter ssm:PutParameter Write parameter Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html

16. How Policy Sentry Works Leveraging the AWS Documentation on Actions, Resources, and Condition Keys Actions Access Level Resource Type ssm:DescribeParameters List * ssm:DescribeDocument Read document ssm:GetParameter Read parameter ssm:GetParametersByPath Read parameter ssm:PutParameter Write parameter Policy Sentry auto-selects the proper Access Levels and Resource Types to determine the necessary actions, based on user input. Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html

17. { "Version": "2012-10-17", "Statement": [{ "Sid": "SsmReadParameter", "Effect": "Allow", "Action": [ "ssm:GetParameter", "ssm:GetParameterHistory", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "arn:aws:ssm:us-east-1:123456789012:parame ter/myparameter" }]} mode: crud read: -'arn:aws:ssm:us-east-1:12345678 9012:parameter/myparameter' Input: Output:

18. ● Process: 1. Generate the Template file 2. Copy/paste ARNs 3. Run command to write the policy ● Policy Sentry… ○ Speeds up time to develop IAM policies ○ Abstracts the complexity of IAM ○ Auditable, repeatable, store in version control ○ You don’t need to be an IAM expert to use it ○ Developer friendly - just paste into YAML! Recap https://github.com/salesforce/policy_sentry/

19. ● DevOps Engineers ● Director/Senior Manager for IAM ● Infrastructure Security Engineers ● Threat/Vulnerability Management ● Penetration Testing ● Security Architects ● ...much more ● DM me on Twitter or the Cloud Security Forum Slack if you are interested ○ https://twitter.com/kmcquade3 PS: We’re hiring! https://github.com/salesforce/policy_sentry/

21. Questions? https://github.com/salesforce/policy_sentry/

Limiting Blast Radius: Automating AWS IAM using Policy Sentry - Kinnaird McQuade (fwd:cloudsec 2020)

Limiting Blast Radius: Automating AWS IAM using Policy Sentry - Kinnaird McQuade (fwd:cloudsec 2020)

Recommended

More Related Content

Recently uploaded

Recently uploaded(20)

Featured

Featured(20)

Limiting Blast Radius: Automating AWS IAM using Policy Sentry - Kinnaird McQuade (fwd:cloudsec 2020)