TL;DR – This is a free tool that helps solve one of the biggest security problems when working in AWS. Turn it on. Turn it on now! Instructions are here.
AWS misconfigurations are costly and difficult problems to solve. A lot of what goes wrong in with S3 and IAM policies is the fact that the people who must write them often have no idea how they work. The problem is that there are thousands of AWS permissions. A number of them have limited options in granting specific access. Reasoning about which policies are best in a given situation is going to be exhausting.
Like most difficult cloud problems, someone has already bashed their heads on the keyboard for a solution. There are some open source tools for parsing policies such as PolicyUniverse, and there are tools for detecting misconfigurations like the soon to be deprecated Security Monkey. However, there weren’t many free and naitive options for analyzing IAM Policies for misconfigurations, until now. In previous posts, I’ve gone over how to analyze policies on existing resources using the IAM Policy Simulator and lockdown multiple AWS resources. In this post, I’ll be going over how to enable IAM Access Analyzer and give my thoughts on the usefulness of this tool.
The “how to” for this feature is really simple. From your IAM dashboard:
- Click Access analyzer
- Create Analyzer
- Give it a Name and a few tags if you want
- Click the Create Analyzer Button
As soon as it is created, it will begin scanning the account. For me it took about half an hour to generate findings for a gently used AWS account with several S3 buckets. Your runtime may vary.
This tool offers an easy to access utility for managing IAM policies. This is a problem that anyone who has to manage AWS infrastructure has to worry about. It also provides a complete list of resources to pay attention to. I can imagine having a list of these permissions will be especially useful for our clients who have let their DevOps teams run wild and create unregulated public and cross account resources. According to the official announcement blog, Access Analyzer integrates with Cloudwatch and auto generates critical findings in Security Hub.
There is a lot of good that I see for this tool, but there are some downsides. Like many things in AWS, this tool is region specific, so if you have to manage multiple resources in multiple different regions you have to create a new analyzer for each and every one. Another downside I see is the same problem I find with all security tools that “scan”. There are a number (possibly an overwhelming number in larger deployments) of informational findings and false positives. On your first run with the analyzer you’ll likely need to archive many findings, since Access Analyzer will flag any policy that has all principles (*), cross account access, and any degree of public access.
Unfortunately, there isn’t a single button click that will make your AWS account secure. Users still need to enumerate over policies for each critical resource and create new policies on their own. Integrating security in any system can be a grueling process, but this tool helps make the process a little less ugly. It helps inform you of possible problem areas and gives you a list of action items that you can act on to secure your own environments.
That concludes my review of the IAM Access Analyzer. If you are interested in securing containers on your cloud platform, check out this post on container hacking. We also answer more general questions on penetration testing in our knowledge center. Finally, if you’re looking for a penetration test, training for your organization, or just have general security questions please contact us.