How to Grant Least Privileged Permissions to AWS Principals

Convenience vs security — the eternal dilemma…

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::your-bucket-name-goes-here/*"
    }
  ]
}
- Launch instance
- Start/Stop instance
- Modify instance type
- Modify EBS properties
- Create EC2 Tags
- Create snapshots
- Terminate instance

Example of AWS managed policy
"Statement": [
  {
    "Action": "ec2:*",
    "Effect": "Allow",
    "Resource": "*"
  }
]
ec2:AssociateIamInstanceProfile
# aws sts decode-authorization-message --encoded-message "Your encoded message goes here"

Example of authorization failure message
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROAYMDKORDTCPU2UUFKE:[email protected]\",\"arn\":\"arn:aws:sts::hidden-info:assumed-role/AWSReservedSSO_Some-Team_5a6a4b964d824ffd/[email protected]\"},\"action\":\"ec2:RebootInstances\",\"resource\":\"arn:aws:ec2:sa-east-1:hidden-info:instance/i-0f0cbd365xxxxxxxx\",\"conditions\":{\"items\":[{\"key\":\"ec2:MetadataHttpPutResponseHopLimit\",\"values\":{\"items\":[{\"value\":\"1\"}]}},{\"key\":\"ec2:InstanceMarketType\",\"values\":{\"items\":[{\"value\":\"on-demand\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"hidden-info\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"sa-east-1c\"}]}},{\"key\":\"ec2:ResourceTag/Name\",\"values\":{\"items\":[{\"value\":\"hidden-info\"}]}},{\"key\":\"ec2:InstanceType\",\"values\":{\"items\":[{\"value\":\"m5.2xlarge\"}]}},{\"key\":\"hidden-info:Phase\",\"values\":{\"items\":[{\"value\":\"1\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"sa-east-1\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:MetadataHttpTokens\",\"values\":{\"items\":[{\"value\":\"optional\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"instance\"}]}},{\"key\":\"ec2:Tenancy\",\"values\":{\"items\":[{\"value\":\"default\"}]}},{\"key\":\"hidden-info:Name\",\"values\":{\"items\":[{\"value\":\"hidden-info\"}]}},{\"key\":\"hidden-info:Customer\",\"values\":{\"items\":[{\"value\":\"Energisa\"}]}},{\"key\":\"ec2:ResourceTag/Phase\",\"values\":{\"items\":[{\"value\":\"1\"}]}},{\"key\":\"ec2:ResourceTag/ServerType\",\"values\":{\"items\":[{\"value\":\"North\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"instance/i-0f0cbd36xxxxxxx\"}]}},{\"key\":\"ec2:ebsOptimized\",\"values\":{\"items\":[{\"value\":\"true\"}]}},{\"key\":\"ec2:RootDeviceType\",\"values\":{\"items\":[{\"value\":\"ebs\"}]}},{\"key\":\"ec2:InstanceProfile\",\"values\":{\"items\":[{\"value\":\"arn:aws:iam::hidden-info:instance-profile/automation-ec2-to-s3-access\"}]}},{\"key\":\"ec2:MetadataHttpEndpoint\",\"values\":{\"items\":[{\"value\":\"enabled\"}]}},{\"key\":\"hidden-info:Stage\",\"values\":{\"items\":[{\"value\":\"Customer_success\"}]}},{\"key\":\"ec2:InstanceID\",\"values\":{\"items\":[{\"value\":\"i-0f0cbd365dxxxxxx\"}]}},{\"key\":\"ec2:ResourceTag/Stage\",\"values\":{\"items\":[{\"value\":\"Customer_success\"}]}},{\"key\":\"ec2:ResourceTag/Customer\",\"values\":{\"items\":[{\"value\":\"Energisa\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"sa-east-1\"}]}},{\"key\":\"hidden-info:ServerType\",\"values\":{\"items\":[{\"value\":\"North\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:sa-east-1:hidden-info:instance/i-0f0cbd365xxxxxxx\"}]}}]}}}"
"action":"ec2:RebootInstances"

Summary

Use condition-based restrictions

{
  "Sid": "DenyIrelandRegion",
  "Effect": "Deny",
  "Action": "ec2:*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestedRegion": "eu-west-1"
    }
  }
}
{
  "Sid": "DenyProdEnvAccess",
  "Effect": "Deny",
  "Action": "ec2:*",
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:ResourceTag/Environment": "Prod"
    }
  }
}
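To see how these two condition-based Deny statements combine with a broad managed-style "ec2:*" Allow, here is an added, offline evaluator (example code, not from the original post or from AWS) that applies IAM's explicit-deny-wins ordering to a request and its context keys. The account id, instance id and tag values are constructed placeholders; only StringEquals conditions and case-sensitive wildcard matching are modelled.

```python
import fnmatch
import json

# Constructed example policy: the "ec2:*" Allow from the managed-policy
# example combined with the two condition-based Deny statements above.
POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "DenyIrelandRegion", "Effect": "Deny", "Action": "ec2:*",
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestedRegion": "eu-west-1"}}},
    {"Sid": "DenyProdEnvAccess", "Effect": "Deny", "Action": "ec2:*",
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:ResourceTag/Environment": "Prod"}}}
  ]
}""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(condition, context):
    # Only StringEquals is modelled; every key in the block must match (AND).
    # A key absent from the request context never matches (no ...IfExists).
    for key, expected in condition.get("StringEquals", {}).items():
        actual = context.get(key)
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def evaluate(policy, action, resource, context):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one request.

    Mirrors IAM's ordering: a matching Deny always wins, a matching Allow is
    required for access, and anything unmatched is implicitly denied.
    """
    decision = "implicitDeny"
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        resources = _as_list(stmt["Resource"])
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in resources):
            continue
        if not _condition_matches(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"
        decision = "allowed"
    return decision
```

Run with a context such as {"aws:RequestedRegion": "eu-west-1"} and any ec2 action to confirm the region Deny overrides the wildcard Allow; drop the Environment tag from the context and the Prod Deny no longer matches, which is why tag hygiene matters for tag-based guardrails.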

Artiom Levinton is Head of DevOps at XM Cyber