
TL;DR

Use Cloudrail to scan your IAM policies inside IaC against AWS’s new policy validation API with no additional work. Continuously leverage AWS’s IAM best practices within your IaC workflow within minutes, even as the list of best practices grows over time.

Sign up here to use Cloudrail.

Background

Just recently, AWS announced a welcome new capability within Access Analyzer: the automatic validation of policies. In the blog post they show examples of how to use the new API, and also credit open source tools with similar capabilities, like Parliament, which we mentioned in this blog in the past.

When you think about this from an infrastructure-as-code perspective, we often hear users wanting to validate that the IAM policies they build are in line with the best practices published by AWS and others. And so, tools like our very own Cloudrail, as well as other tools like checkov, have integrated automated review of IAM policies into their functionality.

With that said, what can be better than using AWS’s own mechanism for validating policies, taking the feedback directly from the source, as it were?

Today, I’m excited to announce that we’re the first IaC security tool incorporating AWS’s new policy validation functionality into IaC security analysis. Starting today, Cloudrail will pull the IAM policies out of your IaC code, and pass them to the AWS-provided policy validation tool. Any ERRORs and SECURITY findings (as they are described by AWS’s API) will be caught by one rule, while WARNINGs and SUGGESTIONs will be caught by another.


Let’s see an example

For this Terraform code:

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_role" "role" {
  name = "role"

  assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
EOF
}

resource "aws_iam_role_policy" "allow-policy-1" {
  name = "allow-policy-1"
  role = aws_iam_role.role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "iam:passrole"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

resource "aws_iam_role_policy" "allow-policy-2" {
  name = "allow-policy-2"
  role = aws_iam_role.role.id

  policy = <<-EOF
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Action": [
          "lambda:createfunction", "lambda:invokefunc*"
        ],
        "Effect": "Allow",
        "Resource": "*"
      }
    ]
  }
  EOF
}

You will receive these results from Cloudrail:

-----------------------------------------------
Rule: Ensure IAM policies pass Access Analyzer policy validation without WARNING and SUGGESTION issues
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_iam_role.role] (main.tf:5)
     Violating Resource: [aws_iam_role.role]  (main.tf:5)

     Evidence:
         Line 10, Col 17:
             | Add a value to the empty string in the Sid element
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-suggestion-empty-sid-value


-----------------------------------------------
Rule: Ensure IAM policies pass Access Analyzer policy validation without SECURITY and ERROR issues
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_iam_role_policy.allow-policy-1] (main.tf:25)
     Violating Resource: [aws_iam_role_policy.allow-policy-1]  (main.tf:25)

     Evidence:
         Line 6, Col 8:
             | Using the iam:PassRole action with wildcards (*) in the resource can be overly permissive because it allows iam:PassRole permissions on multiple resources
             | We recommend that you specify resource ARNs or add the iam:PassedToService condition key to your statement
             | See https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-reference-policy-checks.html#access-analyzer-reference-policy-checks-security-warning-pass-role-with-star-in-resource
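As an added illustration (not Cloudrail’s own code), the following shows how the two rules above can be reproduced over the Access Analyzer ValidatePolicy response: the policy document is sent with boto3’s validate_policy, result pages are followed via nextToken, and each finding is routed by its findingType (ERROR and SECURITY_WARNING to one rule, WARNING and SUGGESTION to the other). The fake client, its finding payloads and the rule names are constructed sample data shaped after the output above.

```python
import json
# Cloudrail's two rules from the output above, keyed by the findingType values
# the ValidatePolicy API returns (mapping assumed from the post's description).
RULE_FOR_TYPE = {"ERROR": "SECURITY and ERROR", "SECURITY_WARNING": "SECURITY and ERROR",
                 "WARNING": "WARNING and SUGGESTION", "SUGGESTION": "WARNING and SUGGESTION"}

# The allow-policy-1 document from the Terraform above, rendered as a JSON string.
EXAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Action": ["iam:passrole"], "Effect": "Allow", "Resource": "*"}]})

def fetch_findings(policy_document, client, policy_type="IDENTITY_POLICY"):
    """Call ValidatePolicy and follow nextToken until every finding has been read.
    `client` is boto3.client("accessanalyzer") or any object with the same method."""
    findings = []
    kwargs = {"policyDocument": policy_document, "policyType": policy_type}
    while True:
        page = client.validate_policy(**kwargs)
        findings.extend(page.get("findings", []))
        if not page.get("nextToken"):
            return findings
        kwargs["nextToken"] = page["nextToken"]

def bucket_findings(findings):
    """Sort findings into the rule each trips, keeping the line/column evidence the
    CLI prints. A findingType this code does not know falls into the stricter rule."""
    buckets = {"SECURITY and ERROR": [], "WARNING and SUGGESTION": []}
    for f in findings:
        rule = RULE_FOR_TYPE.get(f["findingType"], "SECURITY and ERROR")
        start = (f.get("locations") or [{}])[0].get("span", {}).get("start", {})
        where = f"Line {start.get('line', '?')}, Col {start.get('column', '?')}"
        buckets[rule].append(f"{where}: {f['issueCode']}")
    return buckets

class FakeAccessAnalyzer:
    """Constructed stand-in for the boto3 client: two response pages shaped like
    the real API, carrying the two findings shown in the Cloudrail output above."""
    PAGES = [
        {"findings": [{"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
                       "locations": [{"span": {"start": {"line": 6, "column": 8}}}]}],
         "nextToken": "page-2"},
        {"findings": [{"findingType": "SUGGESTION", "issueCode": "EMPTY_SID_VALUE",
                       "locations": [{"span": {"start": {"line": 10, "column": 17}}}]}]},
    ]
    def __init__(self):
        self.calls = 0
    def validate_policy(self, **kwargs):
        page = self.PAGES[self.calls]
        self.calls += 1
        return page
```

Against a real account, pass `boto3.client("accessanalyzer")` in place of the fake; the same two functions then classify live findings for each policy pulled out of the Terraform.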

To see this in action, take a look at a video our very own Charles Kim prepared:

Conclusion

To use this new capability, you just need to sign up for Cloudrail for free and begin using the tool with your Terraform code. Cloudrail will automatically detect the IAM policies you’re using and send them to AWS’s API for review.

For more examples, see the specific directory for access analyzer in the cloudrail-demo repository.
