My Secret to Faster IAM Policy Reviews

No, I'm not talking about AWS IAM Policy Simulator or some AI tool

“Can you review this IAM policy for one last time?” asked the enthusiastic engineer for the tenth time.

“Sure, I can,” I said.

Automated tools often lack business context, so you might need a manual review. However, reviewing IAM Policies (default and inline) can be overwhelming, especially with constant policy review requests.

Understanding effective permissions of IAM Policies takes time and effort - especially those policies that use advanced elements like NotResource and NotAction.

I stumbled across one website that changed the game for me and drastically reduced the time to review any policy manually.

It's a website that helps understand IAM permissions and simplifies the process of evaluating IAM policies. The best part is that it supports AWS, Azure, and GCP.

Features that stand out on this website:

  • Simple UI

  • Policy Evaluator - breaks down complex IAM policies into an effective-actions list.

  • Tags to highlight possible risky permissions - credentials exposure, resource exposure, data access

  • It’s free

Times when Permissions.Cloud Saved Me

The seemingly harmless Get* action

I was reviewing a policy that looked like the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "lightsail:Get*"
            ],
            "Resource": ["*"]
        }
    ]
}

Lightsail was a service I didn’t know much about. My default instinct was that lightsail:Get* looked fine. I evaluated the policy in permissions.cloud and found that there’s a permission that grants the DB master password: lightsail:GetRelationalDatabaseMasterUserPassword 😅

Granting Access to External Cloud Pentesters and Auditors

During external cloud pentests and audits, there’s always a debate on whether they need a ReadOnly policy (instead of SecurityAudit or ViewOnly).

Some vendors try to play it smart by creating a customized version of ReadOnly and granting read access to critical data resources. The custom policy can still access data in S3 buckets, DB backups, etc.

What would be my solution?

You probably guessed it right. I used permissions.cloud’s policy evaluator to understand the access they request.
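Both stories above (the lightsail:Get* wildcard and the "customized ReadOnly" vendor policy) come down to the same review step: expand every Action and NotAction pattern against the catalogue of real action names, apply Allow/Deny precedence, and then look at which of the resulting effective actions touch credentials or data. The script below is an added example written for this newsletter, not permissions.cloud's own code; it uses a small constructed subset of real lightsail and s3 action names (the full list would come from the AWS service authorization reference, which is what permissions.cloud surfaces), keyword-based risk tags that are my own heuristic, and two constructed sample policies. Resource and Condition elements are ignored, so it reasons about actions only.

```python
"""Offline IAM policy evaluator (added example, not permissions.cloud's code):
expands wildcard Action/NotAction patterns against a known action catalogue,
applies explicit-Deny-wins precedence, and tags effective actions that look
like credential or data access. Resource and Condition are not evaluated."""
from fnmatch import fnmatchcase

# Constructed subset of real AWS action names (assumption: illustrative, not
# complete; a real review needs the full service authorization reference).
ACTION_CATALOGUE = [
    "lightsail:GetInstances",
    "lightsail:GetInstance",
    "lightsail:GetKeyPair",
    "lightsail:GetInstanceAccessDetails",
    "lightsail:GetRelationalDatabases",
    "lightsail:GetRelationalDatabaseMasterUserPassword",
    "lightsail:CreateInstances",
    "lightsail:DeleteInstance",
    "s3:ListBucket",
    "s3:GetObject",
    "s3:PutObject",
]

# Heuristic risk tags keyed on substrings of the action name (constructed).
RISK_TAGS = {
    "credentials exposure": ("Password", "AccessDetails", "KeyPair", "Credentials", "Secret"),
    "data access": ("GetObject", "GetRecords", "Select", "Download"),
    "resource exposure": ("PutBucketPolicy", "PutResourcePolicy", "AttachRolePolicy"),
}

# Constructed sample 1: the seemingly harmless Get* policy from the story.
WILDCARD_GET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["lightsail:Get*"], "Resource": ["*"]}],
}

# Constructed sample 2: a vendor-style "read only" policy built with NotAction,
# plus an explicit Deny to show that Deny wins over the broad Allow.
CUSTOM_READONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["lightsail:Create*", "lightsail:Delete*", "s3:Put*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "lightsail:GetRelationalDatabaseMasterUserPassword", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Action/NotAction/Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action matching is case-insensitive; '*' and '?' are wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def statement_actions(stmt, catalogue):
    """Catalogue actions a single statement applies to (Action or NotAction)."""
    if "NotAction" in stmt:
        excluded = _as_list(stmt["NotAction"])
        return {a for a in catalogue if not any(_matches(p, a) for p in excluded)}
    included = _as_list(stmt.get("Action"))
    return {a for a in catalogue if any(_matches(p, a) for p in included)}


def effective_actions(policy, catalogue=ACTION_CATALOGUE):
    """Sorted effective actions: union of Allows minus union of explicit Denies."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target |= statement_actions(stmt, catalogue)
    return sorted(allowed - denied)


def tag_risks(actions):
    """Map each effective action to the risk tags its name triggers."""
    tagged = {}
    for action in actions:
        name = action.split(":", 1)[1]
        tags = [tag for tag, needles in RISK_TAGS.items() if any(n in name for n in needles)]
        if tags:
            tagged[action] = tags
    return tagged


if __name__ == "__main__":
    for label, policy in (("lightsail:Get*", WILDCARD_GET_POLICY), ("custom read-only", CUSTOM_READONLY_POLICY)):
        actions = effective_actions(policy)
        print(f"{label}: {len(actions)} effective actions")
        for action, tags in tag_risks(actions).items():
            print(f"  RISK {action} -> {', '.join(tags)}")
```

Running it shows the two findings from the stories: the Get* policy's effective list includes lightsail:GetRelationalDatabaseMasterUserPassword (and the SSH-key actions, tagged as credentials exposure), and the NotAction-based "read only" policy still grants s3:GetObject, tagged as data access, even though the explicit Deny correctly removes the master-password action. The catalogue and tag lists are the part to replace with real data before relying on this in a review.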

This website is one tool in my cloud security arsenal. Go ahead, check the website, and bookmark it - https://permissions.cloud.

If you found this email useful, please forward it to your friends and colleagues who are interested in cloud security.

Until next time 👋