
How to Grant Least Privileged Permissions to AWS Principals

Convenience vs security — the eternal dilemma…

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name-goes-here/*"
    }
  ]
}
- Launch instance
- Start/Stop instance
- Modify instance type
- Modify EBS properties
- Create EC2 Tags
- Create snapshots
- Terminate instance


Example of AWS managed policy
"Statement": [
  {
    "Action": "ec2:*",
    "Effect": "Allow",
    "Resource": "*"
  }
]
ec2:AssociateIamInstanceProfile
aws sts decode-authorization-message --encoded-message "Your encoded message goes here"
(the caller needs the sts:DecodeAuthorizationMessage permission, otherwise this call itself is denied)


Example of authorization failure message
"DecodedMessage": {
  "allowed": false,
  "explicitDeny": false,
  "matchedStatements": { "items": [] },
  "failures": { "items": [] },
  "context": {
    "principal": {
      "id": "AROAYMDKORDTCPU2UUFKE:[email protected]",
      "arn": "arn:aws:sts::hidden-info:assumed-role/AWSReservedSSO_Some-Team_5a6a4b964d824ffd/[email protected]"
    },
    "action": "ec2:RebootInstances",
    "resource": "arn:aws:ec2:sa-east-1:hidden-info:instance/i-0f0cbd365xxxxxxxx",
    "conditions": {
      "items": [
        { "key": "ec2:MetadataHttpPutResponseHopLimit", "values": { "items": [ { "value": "1" } ] } },
        { "key": "ec2:InstanceMarketType", "values": { "items": [ { "value": "on-demand" } ] } },
        { "key": "aws:Account", "values": { "items": [ { "value": "hidden-info" } ] } },
        { "key": "ec2:AvailabilityZone", "values": { "items": [ { "value": "sa-east-1c" } ] } },
        { "key": "ec2:ResourceTag/Name", "values": { "items": [ { "value": "hidden-info" } ] } },
        { "key": "ec2:InstanceType", "values": { "items": [ { "value": "m5.2xlarge" } ] } },
        { "key": "hidden-info:Phase", "values": { "items": [ { "value": "1" } ] } },
        { "key": "aws:Region", "values": { "items": [ { "value": "sa-east-1" } ] } },
        { "key": "aws:Service", "values": { "items": [ { "value": "ec2" } ] } },
        { "key": "ec2:MetadataHttpTokens", "values": { "items": [ { "value": "optional" } ] } },
        { "key": "aws:Type", "values": { "items": [ { "value": "instance" } ] } },
        { "key": "ec2:Tenancy", "values": { "items": [ { "value": "default" } ] } },
        { "key": "hidden-info:Name", "values": { "items": [ { "value": "hidden-info" } ] } },
        { "key": "hidden-info:Customer", "values": { "items": [ { "value": "Energisa" } ] } },
        { "key": "ec2:ResourceTag/Phase", "values": { "items": [ { "value": "1" } ] } },
        { "key": "ec2:ResourceTag/ServerType", "values": { "items": [ { "value": "North" } ] } },
        { "key": "aws:Resource", "values": { "items": [ { "value": "instance/i-0f0cbd36xxxxxxx" } ] } },
        { "key": "ec2:ebsOptimized", "values": { "items": [ { "value": "true" } ] } },
        { "key": "ec2:RootDeviceType", "values": { "items": [ { "value": "ebs" } ] } },
        { "key": "ec2:InstanceProfile", "values": { "items": [ { "value": "arn:aws:iam::hidden-info:instance-profile/automation-ec2-to-s3-access" } ] } },
        { "key": "ec2:MetadataHttpEndpoint", "values": { "items": [ { "value": "enabled" } ] } },
        { "key": "hidden-info:Stage", "values": { "items": [ { "value": "Customer_success" } ] } },
        { "key": "ec2:InstanceID", "values": { "items": [ { "value": "i-0f0cbd365dxxxxxx" } ] } },
        { "key": "ec2:ResourceTag/Stage", "values": { "items": [ { "value": "Customer_success" } ] } },
        { "key": "ec2:ResourceTag/Customer", "values": { "items": [ { "value": "Energisa" } ] } },
        { "key": "ec2:Region", "values": { "items": [ { "value": "sa-east-1" } ] } },
        { "key": "hidden-info:ServerType", "values": { "items": [ { "value": "North" } ] } },
        { "key": "aws:ARN", "values": { "items": [ { "value": "arn:aws:ec2:sa-east-1:hidden-info:instance/i-0f0cbd365xxxxxxx" } ] } }
      ]
    }
  }
}
"action": "ec2:RebootInstances"
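Reading a decoded message by eye is tedious: the CLI returns a JSON document whose DecodedMessage field is itself a JSON string, and the condition keys are buried three levels deep. The script below is an added example (not code from the original post) that parses that output and pulls out the facts a policy author needs: who made the call, which action on which resource, whether the failure was an implicit deny (no Allow matched, as in the message above, where matchedStatements is empty) or an explicit Deny, and which tag keys were present in the request context so they can be used in conditions. The sample CLI output is constructed to mirror the shape of the message shown above, with a placeholder account ID and principal.

```python
"""Summarise the output of `aws sts decode-authorization-message`.

Added example, not part of the original post. SAMPLE_CLI_OUTPUT is a
constructed stand-in for what the CLI prints with --output json; account
and principal values are placeholders.
"""
import json

# Constructed sample. DecodedMessage is a JSON document serialised as a string,
# so it has to be parsed a second time after the outer document.
SAMPLE_CLI_OUTPUT = json.dumps({
    "DecodedMessage": json.dumps({
        "allowed": False,
        "explicitDeny": False,
        "matchedStatements": {"items": []},
        "failures": {"items": []},
        "context": {
            "principal": {
                "id": "AROAEXAMPLEID:alice",
                "arn": "arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Some-Team_5a6a4b964d824ffd/alice",
            },
            "action": "ec2:RebootInstances",
            "resource": "arn:aws:ec2:sa-east-1:111122223333:instance/i-0f0cbd365xxxxxxxx",
            "conditions": {"items": [
                {"key": "aws:Region", "values": {"items": [{"value": "sa-east-1"}]}},
                {"key": "ec2:ResourceTag/Phase", "values": {"items": [{"value": "1"}]}},
                {"key": "ec2:ResourceTag/Stage", "values": {"items": [{"value": "Customer_success"}]}},
                {"key": "ec2:InstanceProfile", "values": {"items": [{"value":
                    "arn:aws:iam::111122223333:instance-profile/automation-ec2-to-s3-access"}]}},
                {"key": "ec2:MetadataHttpTokens", "values": {"items": [{"value": "optional"}]}},
            ]},
        },
    })
})


def flatten_conditions(decoded: dict) -> dict:
    """Collapse conditions -> items -> values -> items into {key: [values]}."""
    flat = {}
    for item in decoded.get("context", {}).get("conditions", {}).get("items", []):
        flat[item["key"]] = [v["value"] for v in item["values"]["items"]]
    return flat


def verdict(decoded: dict) -> str:
    """Distinguish 'nothing allowed it' from 'something denied it'; the fix differs."""
    if decoded["allowed"]:
        return "allowed"
    if decoded["explicitDeny"]:
        return "explicit deny (a Deny statement matched; find it in matchedStatements)"
    return "implicit deny (no Allow statement matched; add one for this action)"


def summarize(cli_output: str) -> dict:
    """Parse the outer CLI JSON, then the embedded DecodedMessage string."""
    decoded = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = decoded["context"]
    conditions = flatten_conditions(decoded)
    return {
        "principal": ctx["principal"]["arn"],
        "action": ctx["action"],
        "resource": ctx["resource"],
        "verdict": verdict(decoded),
        "matched_statements": len(decoded["matchedStatements"]["items"]),
        # IMDSv2 is enforced only when MetadataHttpTokens is "required";
        # "optional" means IMDSv1 is still reachable on this instance.
        "imdsv2_required": conditions.get("ec2:MetadataHttpTokens") == ["required"],
        "conditions": conditions,
    }


def tag_condition_keys(summary: dict) -> list:
    """Resource-tag keys present in the request, i.e. usable in a Condition block."""
    return [k for k in summary["conditions"]
            if k.startswith("ec2:ResourceTag/") or k.startswith("aws:ResourceTag/")]


if __name__ == "__main__":
    s = summarize(SAMPLE_CLI_OUTPUT)
    print(json.dumps(s, indent=2))
    print("tag keys available for conditions:", tag_condition_keys(s))
```

To use it on a real failure, pipe the CLI output in place of SAMPLE_CLI_OUTPUT. The tag keys it lists are exactly the ones a StringEquals condition on aws:ResourceTag/... can key on for that resource, which is what the Summary below relies on.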

Summary

Use condition-based restrictions

{
   "Sid": "DenyIrelandRegion",
   "Effect": "Deny",
   "Action": "ec2:*",
   "Resource": "*",
   "Condition": {
      "StringEquals": {
          "aws:RequestedRegion": "eu-west-1"
      }
   }
}
{
   "Sid": "DenyProdEnvAccess",
   "Effect": "Deny",
   "Action": "ec2:*",
   "Resource": "*",
   "Condition": {
      "StringEquals": {
        "aws:ResourceTag/Environment": "Prod"
      }
   }
}
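The two Deny statements above only make sense together with the evaluation order AWS applies: an explicit Deny that matches wins over any Allow, an Allow is needed for anything to succeed, and everything else is an implicit deny. The script below is an added example (not code from the original post) that implements that order for a policy combining an Allow for the operations listed earlier in the post (launch, start/stop, modify instance type and EBS properties, tags, snapshots, terminate) with the DenyIrelandRegion and DenyProdEnvAccess statements from this summary, and evaluates a few requests against it. Only the subset of IAM semantics needed here is implemented (action and resource wildcards, the StringEquals operator); SCPs, permissions boundaries, resource policies and the other condition operators are out of scope. The mapping of the listed operations to API action names is my assumption, not the post's.

```python
"""Minimal IAM policy evaluator: explicit Deny > Allow > implicit deny.

Added example, not part of the original post. Implements only action/resource
wildcards and StringEquals; everything else in IAM evaluation is omitted.
"""
import re

# Allow for the operations listed in the post (action names are my assumption),
# plus the two Deny statements from the Summary.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "OperateInstances",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
                "ec2:ModifyInstanceAttribute", "ec2:ModifyVolume",
                "ec2:CreateTags", "ec2:CreateSnapshot", "ec2:TerminateInstances",
            ],
            "Resource": "*",
        },
        {
            "Sid": "DenyIrelandRegion",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}},
        },
        {
            "Sid": "DenyProdEnvAccess",
            "Effect": "Deny",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Prod"}},
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wild(pattern: str, value: str, case_sensitive: bool) -> bool:
    """IAM wildcard match: '*' is any run of characters, '?' a single one.
    Action names are case-insensitive in IAM; resource ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, 0 if case_sensitive else re.IGNORECASE) is not None


def _condition_holds(condition: dict, context: dict) -> bool:
    """All operator/key pairs must hold. For StringEquals a key that is absent
    from the request context fails the test, so a tag-based Deny cannot match
    a request that carries no resource tag (e.g. creating a new resource)."""
    for operator, tests in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(operator)
        for key, wanted in tests.items():
            actual = context.get(key.lower())  # condition key names are case-insensitive
            if actual is None or actual not in _as_list(wanted):
                return False
    return True


def evaluate(policy: dict, action: str, resource: str, context: dict) -> dict:
    """Return a dict shaped like the fields of a decoded authorization message."""
    ctx = {k.lower(): v for k, v in context.items()}
    allows, denies = [], []
    for stmt in policy["Statement"]:
        if not any(_wild(p, action, False) for p in _as_list(stmt["Action"])):
            continue
        if not any(_wild(p, resource, True) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        (denies if stmt["Effect"] == "Deny" else allows).append(stmt["Sid"])
    explicit_deny = bool(denies)
    return {
        "allowed": bool(allows) and not explicit_deny,
        "explicitDeny": explicit_deny,
        "matchedStatements": allows + denies,
    }


if __name__ == "__main__":
    instance = "arn:aws:ec2:sa-east-1:111122223333:instance/i-0123456789abcdef0"
    for action, ctx in [
        ("ec2:StopInstances", {"aws:RequestedRegion": "sa-east-1", "aws:ResourceTag/Environment": "Dev"}),
        ("ec2:StopInstances", {"aws:RequestedRegion": "sa-east-1", "aws:ResourceTag/Environment": "Prod"}),
        ("ec2:RunInstances", {"aws:RequestedRegion": "eu-west-1"}),
        ("ec2:AssociateIamInstanceProfile", {"aws:RequestedRegion": "sa-east-1"}),
    ]:
        print(action, ctx, "->", evaluate(POLICY, action, instance, ctx))
```

Two things the runs make visible. First, an action that is not in the Allow list (ec2:AssociateIamInstanceProfile in the sample) fails as an implicit deny even though no Deny names it, which is the whole point of not granting ec2:*. Second, DenyProdEnvAccess keys on aws:ResourceTag, so it has no effect on a request that carries no resource tag, such as RunInstances creating a fresh instance; to fence off resource creation by tag you need aws:RequestTag, which this example does not implement.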

Artiom Levinton is Head of DevOps at XM Cyber
