Removing Excess IAM Access with AWS Config

Ryan Brown, Trek10
Ryan Scott Brown | December 20, 2018


Finding and Closing Access Gaps

IAM is the last line of defense between compromised AWS credentials and your critical infrastructure, so following the principle of least privilege is essential. To make that harder, the way credentials are used changes over time. At the start of a project you may decide SES is how you will communicate with your users, but as requirements shift you may find SNS, Pinpoint, or some other service fits better. Did you remember to revoke the SES policy on the application?

In this article we'll look at a way to automatically use a new feature, IAM Access Advisor, to keep track of the IAM permissions held by users and roles in your account.

Access is usually granted from several sources: AWS managed policies, policies you manage yourself, or inline policies attached directly to a user. Combine the number of policies that might be attached with the number of roles, users, and groups in a typical AWS account, and you are bound to miss revoking a permission or two. IAM Access Advisor looks at historical data about which services are actually used by a user, group, or role, which helps you clean out permissions that aren't needed.

We'll learn how to make use of Access Advisor as part of an AWS Config rule that searches for unused access granted to IAM groups, users, or roles. The code is in the trek10inc/config-excess-access-exorcist repository.

Consistent Enforcement

Since everything in AWS is an API, we can use the new Access Advisor to check access consistently across all users, roles, and groups. There is already a service that helps you find configuration problems against AWS best practices and your own custom rules: AWS Config monitors your resources for changes and triggers rules (custom or AWS-provided) to test the new configuration.

To teach AWS Config about IAM Access Advisor, we need to write a small Lambda function of our own that examines a user, group, or role and reports whether it has unused permissions. Here is a Python function we can use to fetch those details. There is some extra work to make sure we get all the services, because this API may return only the first page of results and cause us to miss services.

<pre><code>import time


def paginate_access_details(iam, job_id, first_page):
    '''Collects every page of service results for a finished Access Advisor job.
    get_service_last_accessed_details returns IsTruncated/Marker when there
    are more services than fit in one response.'''
    services = list(first_page['ServicesLastAccessed'])
    page = first_page
    while page.get('IsTruncated'):
        page = iam.get_service_last_accessed_details(JobId=job_id, Marker=page['Marker'])
        services.extend(page['ServicesLastAccessed'])
    return services


def get_iam_last_access_details(iam, arn):
    '''Retrieves IAM last-accessed details for services the given user/group/role ARN'''
    job = iam.generate_service_last_accessed_details(Arn=arn)
    job_id = job['JobId']
    service_results = []
    while True:
        result = iam.get_service_last_accessed_details(JobId=job_id)
        if result['JobStatus'] == 'IN_PROGRESS':
            print("Awaiting job")
            # Sleep before polling again; without this the loop would poll the API as fast as it can
            time.sleep(5)
            continue
        elif result['JobStatus'] == 'FAILED':
            raise Exception(f"Could not get access information for {arn}")
        else:
            service_results.extend(paginate_access_details(iam, job_id, result))
            break
    return service_results</code></pre>

This list of services has plenty of useful information, but the field that matters most to us is LastAuthenticated. It holds the date the entity last used the service, like this:

<pre><code>{"ServiceName": "Simple Workflow Service", "LastAuthenticated": "2018-08-17 -.....", "ServiceNamespace": "swf", "LastAuthenticatedEntity": ".......", "TotalAuthenticatedEntities": 123}</code></pre>

But if, instead of accessing SWF on August 17th, 2018, the user in question had never used SWF at all, there won't be a LastAuthenticated date. We can write some Python that takes the list of services and filters out all the services that have been used.

<pre><code>def never_accessed_services_check(iam, arn):
    # Get all services using the last_access_details function
    service_results = get_iam_last_access_details(iam, arn)
    never_accessed = [
        x for x in service_results
        # Filter out results that have an authentication date
        if 'LastAuthenticated' not in x
    ]
    if len(never_accessed) > 0:
        # Oh no! Some services we have permission to use were never accessed
        return (
            'NON_COMPLIANT',
            "Services " + ', '.join(f"'{x['ServiceNamespace']}'" for x in never_accessed) + " never accessed",
        )
    return 'COMPLIANT', 'IAM entity has accessed all allowed services'</code></pre>

This function takes an ARN and a boto3 IAM client and returns a COMPLIANT or NON_COMPLIANT status for the resource. That's the full Python code we need in order to take an ARN, list the entity's access history, and decide whether it has more access than it has needed historically. This is a great tool for finding easy ways to follow the principle of least privilege with our users and roles.

From Script to Custom Config Rule

AWS has a helpful command-line tool for working with custom AWS Config Rules called the "Rule Development Kit" or RDK. It has default templates for deploying Lambda functions, as well as code samples. You can find the RDK on GitHub and install it for yourself with pip install rdk. Once it's installed, I can turn on AWS Config from the command line, create new rule code in Python (or NodeJS or Java), and deploy my custom code. To take the rule we've made and deploy it, we'll create a rule called IAM_ALLOWS_UNUSED_SERVICES.

<pre><code># rdk -r us-east-2 create IAM_ALLOWS_UNUSED_SERVICES \
    --runtime python3.6 \
    --resource-types AWS::IAM::Role,AWS::IAM::User,AWS::IAM::Group \
    --maximum-frequency TwentyFour_Hours
Running create!
Local Rule files created.</code></pre>

Now we want to put our own code into the template, so we'll open IAM_ALLOWS_UNUSED_SERVICES.py and replace the default evaluate_compliance function with our own.

<pre><code>def evaluate_compliance(event, configuration_item, valid_rule_parameters):
    '''Put our custom code in a separate file so it's easier to pack up
    with our rule, or share between multiple rules'''
    import iam_rule_helpers
    iam = get_client('iam', event)
    compliance, annotation = iam_rule_helpers.never_accessed_services_check(
        iam, configuration_item['configuration']['arn']
    )
    return build_evaluation_from_config_item(
        configuration_item,
        compliance,
        annotation=annotation
    )</code></pre>

Because IAM Access Advisor is such a new feature and iam.generate_service_last_accessed_details is so new in the boto3 SDK, we need to install a newer boto3 into the rule's package so we can use these features in our rule.

<pre><code># pip install -t IAM_ALLOWS_UNUSED_SERVICES/ boto3
# rdk -r us-east-2 deploy IAM_ALLOWS_UNUSED_SERVICES
Running deploy!
Zipping IAM_ALLOWS_UNUSED_SERVICES
Uploading IAM_ALLOWS_UNUSED_SERVICES
Upload complete.
Creating CloudFormation Stack for IAM_ALLOWS_UNUSED_SERVICES
Waiting for CloudFormation stack operation to complete...</code></pre>

Checking Our Work

In the AWS Config console, once we've deployed our rule, the AWS Config service will list all the IAM Roles, IAM Groups, and IAM Users in the account and run our custom code to check whether they have access that has never been used.

One of the semi-hidden features in AWS Config is the little "more information" tooltip on non-compliant resources. It's a way for our Python code to tell auditing users about the specific issues causing the IAM resource to fail our tests.

In this case, we can see the GitlabRunnerRole hasn't used the s3 permissions that have been granted to it. This is a sign that maybe GitLab doesn't need S3 permissions at all, and it would be an opportunity to tighten access on that role.

Tightening Access Controls

Removing permissions from a user can be as simple as adding an inline policy, for example:

<pre><code>{"Effect": "Deny", "Action": "s3:*", "Resource": "*"}</code></pre>

When added to our GitlabRunnerRole, that policy statement removes the extra permissions without needing to edit other policies that might be shared between GitlabRunnerRole and other roles or users.

Building More Rules

Beyond checking only for services that have never been accessed, we can also use Access Advisor data to check whether a user has stopped using access. A rule could enforce that allowed access has been used within the last 90 or 180 days, or that IAM access unused for 30 days should be revoked.

Access Advisor is a gold mine of security-relevant information, and some revocations can be automated, for example for access unused in 12 months. Denies can be deployed as inline policies onto the affected roles and then rolled back manually when a user submits a request to be granted the denied permission again.
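The two passages above (a rule keyed to how long ago a service was last used, and a Deny policy generated for the services to revoke) can be combined into one worked example. The code below is added here and is not part of the original post or the trek10inc repository: it takes a list of Access Advisor service results in the shape the post shows, splits them into never-used, stale (older than a threshold) and active namespaces, returns a Config-style evaluation, and builds the inline Deny document for the namespaces to revoke. The sample results, the "today" date and the GitlabRunnerRole ARN are constructed for the example; the `LastAuthenticated` values are timezone-aware datetimes, which is what boto3 hands back for that field (the JSON sample in the post is a serialized form of the same data).

```python
from datetime import datetime, timedelta, timezone
import json

# Constructed sample in the shape of the 'ServicesLastAccessed' entries returned by
# get_service_last_accessed_details (not real account data). A service that was
# never used carries no 'LastAuthenticated' key, exactly as the post describes.
NOW = datetime(2018, 12, 20, tzinfo=timezone.utc)  # assumed "today" for the example
SAMPLE_SERVICES = [
    {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
     "TotalAuthenticatedEntities": 0},                      # never used
    {"ServiceName": "Simple Workflow Service", "ServiceNamespace": "swf",
     "LastAuthenticated": datetime(2018, 8, 17, tzinfo=timezone.utc),
     "LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/GitlabRunnerRole",  # constructed
     "TotalAuthenticatedEntities": 1},                      # stale at a 90-day threshold
    {"ServiceName": "Amazon SNS", "ServiceNamespace": "sns",
     "LastAuthenticated": datetime(2018, 12, 10, tzinfo=timezone.utc),
     "LastAuthenticatedEntity": "arn:aws:iam::123456789012:role/GitlabRunnerRole",  # constructed
     "TotalAuthenticatedEntities": 1},                      # recently used
]


def classify_services(service_results, max_age_days, now=None):
    """Split Access Advisor results into never-used, stale and active namespaces.

    'stale' means the service was used, but last used more than max_age_days ago.
    """
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=max_age_days)
    never, stale, active = [], [], []
    for svc in service_results:
        ns = svc['ServiceNamespace']
        last = svc.get('LastAuthenticated')
        if last is None:
            never.append(ns)
        elif last < cutoff:
            stale.append(ns)
        else:
            active.append(ns)
    return {'never': sorted(never), 'stale': sorted(stale), 'active': sorted(active)}


def stale_access_check(service_results, max_age_days=90, now=None):
    """Config-style evaluation: NON_COMPLIANT when any granted service was never
    used or has not been used within max_age_days. The annotation names the
    offending namespaces so it can be surfaced in the Config console tooltip."""
    buckets = classify_services(service_results, max_age_days, now)
    problems = []
    if buckets['never']:
        problems.append("never used: " + ", ".join(buckets['never']))
    if buckets['stale']:
        problems.append(f"unused for over {max_age_days} days: " + ", ".join(buckets['stale']))
    if problems:
        return 'NON_COMPLIANT', "; ".join(problems)
    return 'COMPLIANT', f"All allowed services used within the last {max_age_days} days"


def build_deny_policy(namespaces):
    """Inline policy document with one Deny statement per service namespace,
    generalising the single s3:* Deny shown in the post. Sid values must be
    alphanumeric, so any hyphen in a namespace (e.g. execute-api) is dropped."""
    statements = []
    for ns in sorted(namespaces):
        sid = "Deny" + "".join(ch for ch in ns if ch.isalnum()).capitalize() + "Unused"
        statements.append({"Sid": sid, "Effect": "Deny", "Action": f"{ns}:*", "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    status, note = stale_access_check(SAMPLE_SERVICES, max_age_days=90, now=NOW)
    print(status, "-", note)
    buckets = classify_services(SAMPLE_SERVICES, 90, NOW)
    # Revoke both never-used and stale access with one inline policy
    print(json.dumps(build_deny_policy(buckets['never'] + buckets['stale']), indent=2))
```

The threshold is a parameter rather than a constant so the same helper can back a 30-, 90- or 180-day rule; in an RDK rule it would come from the rule parameters passed to evaluate_compliance. The Deny document is what you would attach with put_role_policy (or the user/group equivalent), and because it is a separate inline policy it can be deleted on its own when access is legitimately needed again.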

Try out the IAM_ALLOWS_UNUSED_SERVICES rule in your own account from the excess-access-exorcist GitHub repository, or build other checks to find old or stale policies in your AWS account.
