Generate Least Privilege Permissions Automatically for Major Cloud Providers
Chapter 1: The Importance of Least Privilege Permissions
In cybersecurity it is crucial that the Identity and Access Management (IAM) permissions assigned to users and services follow the principle of least privilege: grant only the permissions required to perform a specific task and nothing more. Working those permissions out by hand is labor-intensive, particularly for large infrastructure stacks, and the pressure to ship quickly often ends with security being compromised by an over-broad policy.
Large language models such as ChatGPT have made drafting permissions faster, but two problems remain: the accuracy of the output, and the risk of exposing sensitive cloud execution scripts to a third party when they are pasted into such a model.
iamlive, a tool developed by Ian Mckay, simplifies the automation of least privilege policies for users of various cloud providers' command-line interfaces (CLI), software development kits (SDK), or third-party tools like Terraform. Initially focused solely on AWS, it now also supports Azure and Google Cloud Platform (GCP).
How It Works
iamlive runs a local proxy server that captures the API traffic produced while your cloud provisioning scripts execute. It then maps each captured API call to the IAM action it requires and assembles those actions into a least privilege policy.
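To make the capture-and-map idea concrete, here is an added illustration that is not iamlive's own code: a simplified version of the mapping step, written for this post. It takes a constructed sample of the requests an intercepting proxy would see from the AWS SDK for a stack like the one used later in this post (STS identity check, S3 state, DynamoDB lock, ECR), derives the IAM action from each request using the three AWS wire protocols (X-Amz-Target header for JSON services, method and path for S3, the Action form field for query-protocol services), and assembles a deduplicated policy with one Sid per service. The mapping table, the request samples and the helper names are all assumptions made for the example; iamlive ships a far larger generated mapping.

```python
import json
from collections import defaultdict
from urllib.parse import parse_qs

# Assumed, hand-written table from X-Amz-Target service prefixes to IAM service
# prefixes. Just enough for this demo; iamlive uses a much larger generated map.
TARGET_PREFIX_TO_IAM = {
    "DynamoDB_20120810": "dynamodb",
    "AmazonEC2ContainerRegistry_V20150921": "ecr",
}

def s3_action(host, method, path):
    """Map an S3 REST call to an IAM action from its method and whether a key is present."""
    if host.startswith("s3."):            # path-style request: /bucket/key
        parts = path.strip("/").split("/", 1)
        key = parts[1] if len(parts) == 2 else ""
    else:                                 # virtual-hosted style: bucket in host, /key
        key = path.strip("/")
    if not key:
        return "s3:ListBucket" if method == "GET" else None
    return {"GET": "s3:GetObject", "HEAD": "s3:GetObject",
            "PUT": "s3:PutObject", "DELETE": "s3:DeleteObject"}.get(method)

def iam_action_for(host, method, path, headers, body):
    """Translate one captured request into 'service:Operation', or None if unmapped."""
    target = headers.get("X-Amz-Target")
    if target:                            # JSON-protocol services carry the operation here
        prefix, _, operation = target.partition(".")
        service = TARGET_PREFIX_TO_IAM.get(prefix)
        return f"{service}:{operation}" if service else None
    if host.startswith("s3.") or ".s3." in host:
        return s3_action(host, method, path)
    params = parse_qs(body)
    if "Action" in params:                # query-protocol services (STS, IAM, EC2)
        return f"{host.split('.')[0]}:{params['Action'][0]}"
    return None

def build_policy(requests):
    """Aggregate captured requests into a deduplicated per-service policy document.
    Returns (policy, unmapped_requests) so that mapping gaps are visible, not silent."""
    actions_by_service = defaultdict(set)
    unmapped = []
    for req in requests:
        action = iam_action_for(*req)
        if action is None:
            unmapped.append(req)
            continue
        actions_by_service[action.split(":")[0]].add(action)
    statements = [
        {"Sid": f"{service.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(actions), "Resource": "*"}
        for service, actions in sorted(actions_by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}, unmapped

# Constructed sample of what the proxy might see during plan/apply:
# (host, method, path, headers, body). These are not real captures.
CAPTURED_REQUESTS = [
    ("sts.amazonaws.com", "POST", "/", {}, "Action=GetCallerIdentity&Version=2011-06-15"),
    ("s3-jake-terraform-state-store.s3.ap-southeast-1.amazonaws.com", "GET", "/", {}, ""),
    ("s3-jake-terraform-state-store.s3.ap-southeast-1.amazonaws.com", "GET", "/jake/test/deploy_project/state", {}, ""),
    ("dynamodb.ap-southeast-1.amazonaws.com", "POST", "/", {"X-Amz-Target": "DynamoDB_20120810.GetItem"}, "{}"),
    ("dynamodb.ap-southeast-1.amazonaws.com", "POST", "/", {"X-Amz-Target": "DynamoDB_20120810.PutItem"}, "{}"),
    ("api.ecr.ap-southeast-1.amazonaws.com", "POST", "/", {"X-Amz-Target": "AmazonEC2ContainerRegistry_V20150921.CreateRepository"}, "{}"),
    ("api.ecr.ap-southeast-1.amazonaws.com", "POST", "/", {"X-Amz-Target": "AmazonEC2ContainerRegistry_V20150921.PutLifecyclePolicy"}, "{}"),
    ("s3-jake-terraform-state-store.s3.ap-southeast-1.amazonaws.com", "PUT", "/jake/test/deploy_project/state", {}, "{}"),
    ("dynamodb.ap-southeast-1.amazonaws.com", "POST", "/", {"X-Amz-Target": "DynamoDB_20120810.GetItem"}, "{}"),
    # A REST-JSON call with no X-Amz-Target and no table entry: reported as unmapped.
    ("lambda.ap-southeast-1.amazonaws.com", "GET", "/2015-03-31/functions", {}, ""),
]

if __name__ == "__main__":
    policy, unmapped = build_policy(CAPTURED_REQUESTS)
    print(json.dumps(policy, indent=2))
    for req in unmapped:
        print("UNMAPPED:", req[0], req[1], req[2])
```

The point of returning the unmapped list is the failure mode the Summary warns about: when a service or operation is missing from the mapping table, the tool cannot emit an action for it, and the resulting policy is silently too narrow unless the gap is surfaced.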
Installation Steps
To get started, you can either download the installer from its GitHub releases page or utilize Homebrew if you're on macOS.
brew install iann0036/iamlive/iamlive
# To check the installed version
brew info iamlive
Users who are likely to benefit the most from generating least privilege policies are those utilizing Infrastructure-as-Code (IaC) practices, predominantly with Terraform. For this demonstration, we will showcase a straightforward Terraform script that establishes an AWS Elastic Container Registry (ECR) repository along with a lifecycle policy, while also storing the Terraform state and lock in S3 and DynamoDB.
terraform {
  backend "s3" {
    region         = "ap-southeast-1"
    bucket         = "s3-jake-terraform-state-store"
    key            = "jake/test/deploy_project/state"
    dynamodb_table = "ddb-jake-terraform-lock"
  }
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.42.0"
    }
  }
  required_version = ">= 1.4.5"
}

resource "aws_ecr_repository" "this" {
  name = "ecr-test"
}

resource "aws_ecr_lifecycle_policy" "this" {
  repository = aws_ecr_repository.this.name
  # The heredoc policy body that followed "policy = <<" in the original was lost
  # during extraction. The single rule below is a placeholder so the block stays
  # valid, not the author's policy.
  policy = jsonencode({
    rules = [{
      rulePriority = 1
      description  = "placeholder: expire untagged images after 14 days"
      selection = {
        tagStatus   = "untagged"
        countType   = "sinceImagePushed"
        countUnit   = "days"
        countNumber = 14
      }
      action = { type = "expire" }
    }]
  })
}
Commands
Running the Tool
To use iamlive, you'll need to open two terminal windows: one for the proxy server and another for the IaC scripts.
# In Terminal 1
iamlive --set-ini --mode=proxy --output-file=policy.json
After executing the command above, nothing will appear until you run your Terraform script in Terminal 2.
# In Terminal 2
export HTTP_PROXY=http://127.0.0.1:10080
export HTTPS_PROXY=http://127.0.0.1:10080
export AWS_CA_BUNDLE=~/.iamlive/ca.pem
Export these proxy variables in the terminal where the AWS-facing commands will run. Run terraform init before exporting them, so that the provider download does not go through the proxy; afterwards you can proceed with terraform plan or terraform apply.
Demonstration
Below are screenshots demonstrating the iamlive tool in action with the Terraform script.
- Set the proxy variables (left) and launch the proxy server (right).
- After executing terraform init, input the proxy variables, then launch iamlive in the opposite terminal.
- When executing terraform plan, the right terminal will automatically generate a policy that allows access to the Terraform state stored in S3 and DynamoDB.
- Upon executing terraform apply, the permissions for creating ECRs will be added.
- After running terraform destroy, the necessary delete permissions will appear.
To conclude, terminate the proxy server by pressing CTRL + C. The generated policy will be saved as policy.json, as indicated in the iamlive command earlier. Don’t forget to unset the environment variables once you're done to avoid issues in future executions.
unset HTTP_PROXY; unset HTTPS_PROXY; unset AWS_CA_BUNDLE
Summary
In my opinion, this tool offers one of the simplest methods to generate least privilege policies for the supported cloud platforms. Because an outdated mapping table can occasionally produce inaccurate actions, review the generated policy before attaching it. Adding a Sid to each statement makes the policy easier to interpret. Ultimately, the time saved can amount to hours or even days when securing extensive infrastructures.
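As an added example of the review step recommended above (written for this post, not part of iamlive), the script below runs a few mechanical checks over a generated policy document before a human reads it: statements without a Sid, wildcard actions, a wildcard Resource, and any action from a service this stack is not expected to touch, which is the quickest way to spot a mapping error. The policy JSON is a constructed sample in the general shape of a policy.json file, with a wildcard action and a surprise iam:GetUser entry included on purpose to trip the checks; the expected-service set and all function names are assumptions for the example.

```python
import json

# Constructed sample policy (not a real iamlive output): one Allow statement,
# no Sid, Resource "*", plus two entries added deliberately to trip the checks.
SAMPLE_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "dynamodb:GetItem",
        "dynamodb:PutItem",
        "ecr:CreateRepository",
        "ecr:PutLifecyclePolicy",
        "ecr:Describe*",
        "iam:GetUser"
      ],
      "Resource": "*"
    }
  ]
}"""

# Services the demo stack is expected to use: S3 state, DynamoDB lock, ECR,
# and the STS identity check every AWS provider run performs. (Assumed for the example.)
EXPECTED_SERVICES = {"sts", "s3", "dynamodb", "ecr"}

def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def review_policy(policy, expected_services=EXPECTED_SERVICES):
    """Return human-readable findings to resolve before the policy is attached."""
    findings = []
    for index, statement in enumerate(policy["Statement"]):
        label = statement.get("Sid", f"statement[{index}]")
        if "Sid" not in statement:
            findings.append(f"{label}: no Sid; add one so the policy is self-describing")
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement["Action"]):
            service, _, _operation = action.partition(":")
            if "*" in action:
                findings.append(f"{label}: wildcard action '{action}' is broader than any captured call")
            if service not in expected_services:
                findings.append(f"{label}: unexpected service '{service}' in '{action}'; check the mapping")
        if "*" in _as_list(statement.get("Resource", [])):
            findings.append(f"{label}: Resource '*'; scope to the bucket, table and repository ARNs")
    return findings

def review_policy_file(path):
    """Convenience wrapper for a policy.json on disk."""
    with open(path, encoding="utf-8") as handle:
        return review_policy(json.load(handle))

if __name__ == "__main__":
    for finding in review_policy(json.loads(SAMPLE_POLICY_JSON)):
        print("REVIEW:", finding)
```

An empty findings list is not a sign-off: the checks only catch the shapes of over-breadth that are easy to express mechanically. The reviewer still has to confirm that each remaining action is one the stack genuinely needs.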
Chapter 2: Practical Insights from Videos
The video titled "Speeding Up AWS IAM Least Privileges with Cloudsplaining, Elastic Stack, & AWS Access Analyzer" provides insights on how to expedite the creation of least privilege permissions using various tools and strategies.
In the second video, "What's new with IAM - from least privilege to organization policies and AI-powered assistance," viewers can learn about the latest updates in IAM and how these changes can enhance security practices.