AWS Cloud Operations Blog
Continuous permissions rightsizing to ensure least privileges in AWS using CloudKnox and AWS Config
This blog post was contributed by Kanishk Mahajan, AWS and Maya Neelakandhan, CloudKnox
As you migrate your workloads to the cloud or operate your existing workloads in the cloud, it would be ideal if every application was deployed with exactly the permissions it required. In practice, however, the effort required to determine the precise permissions required for each application in the cloud is expensive and doesn’t scale. This is due to two reasons. First, the number of permissions available is very large: AWS has thousands of AWS Identity and Access Management (IAM) permissions. Second, when compared to traditional on-premises environments, cloud resources can be dynamic and automatically scaled to meet demand.
The principle of least privilege is a security best practice that aims to grant users only the specific permissions they need to perform their required tasks. AWS environments where IAM users and roles have broad permissions that they are not using can lead to insider threats and breaches. To deliver on the promise of business agility in the cloud, we need an approach that balances developer freedom and velocity with security best practices.
In this blog post, we describe a native AWS solution that we have built that is based on an authorization model for user access that we are calling “activity based access control”. In this authorization model, our solution continuously records and evaluates user access in AWS and then automates the rightsizing of IAM permissions in real time for that user. Users are granted permissions based on what they need to do in their job on a regular basis instead of all the permissions that they might possibly need. Additional permissions can be granted on demand only when users need them.
CloudKnox is an APN Advanced-tier partner. Their SaaS solution available from AWS Marketplace provides continuous monitoring and profiling of permissions granted to IAM users and roles. CloudKnox SaaS provides an API that continuously records and updates a “Privilege Creep Index” (PCI) score for AWS usage. CloudKnox defines a “privilege creep” as the gradual accumulation of access rights beyond what a user needs for their assigned job functions. The PCI score for an AWS account provides a gauge of the incurred risk in AWS due to the number of users with access to a broad set of permissions that they are not actively using. For each user in an AWS account, the CloudKnox SaaS calculates and updates:
- The number of permissions that a user has been granted that are not being actively used.
- The number of resources that a user has access to, otherwise known as resource reach.
If an AWS account has a high number of such users then a high PCI score is assigned to that account.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations. It allows you to automate the evaluation of recorded configurations against desired configurations. Sometimes these desired configurations require you to evaluate third-party solutions that do not reside in AWS services.
We use AWS Config in our solution to continuously monitor and record every IAM user in an AWS account. We evaluate the desired configuration of the IAM user against the CloudKnox PCI score that is continuously calculated and updated for that IAM user. We do this by creating a custom AWS Config rule that uses a CloudKnox PCI score. If the PCI score for an IAM user is above a certain threshold then AWS Config marks the user as noncompliant and triggers a remediation action in real time. The remediation action uses an AWS Systems Manager Automation document that, in turn, invokes the CloudKnox Just Enough Privileges (JEP) controller through a REST API. The JEP controller delivers an appropriately scoped IAM policy for the user based on the user’s previous activity. AWS Config remediation then automatically provisions that IAM policy for the user.
Solution overview
AWS Config provides customizable, predefined rules called managed rules. You can also create your own rules to provide customized evaluation logic or integrate with third-party solutions. While AWS Config continuously tracks the configuration changes that occur among your resources, it checks whether these changes violate any of the conditions in your rules. If a resource violates a rule, AWS Config flags the resource and the rule as noncompliant. AWS Config also provides a framework for remediation actions. It is implemented through AWS Systems Manager Automation and provides logic to remediate the noncompliant resource.
Our solution implements a custom AWS Config rule using the AWS Config Rule Development Kit and CloudKnox REST API. This rule continuously records and evaluates IAM users against the CloudKnox PCI score that is continuously calculated and updated by CloudKnox. We implement an AWS Systems Manager Automation document that invokes an AWS Lambda function. The Lambda function integrates with the CloudKnox JEP controller through a REST API and retrieves the IAM policy based on the user’s activity and PCI score. The Lambda function then applies the IAM policy to the noncompliant IAM user.
In our solution, the remediation action from AWS Systems Manager is defined using the AWS::Config::RemediationConfiguration resource type. It is linked to the custom AWS Config rule that calculates the PCI score for the user. In this way, we provide continuous real-time scoping of permissions for the user as soon as AWS Config records and evaluates a noncompliant IAM user.
Our entire solution is automated for one-click deployment using the AWS Config RDK. It deploys the custom AWS Config rule and automates the entire configuration with AWS CloudFormation.
Figure 1 shows the request flow for our solution.
- A custom AWS Config rule uses the AWS Config RDK and CloudKnox REST API to record and evaluate a CloudKnox PCI score for every IAM user in your AWS account.
- If the CloudKnox PCI score is high (in the range of 60 or higher), AWS Config triggers an automated remediation in real time using AWS Systems Manager Automation.
- The AWS Systems Manager Automation document invokes an AWS Lambda function for adjusting the permissions of an IAM user with a high PCI score.
- The AWS Lambda function invokes the JEP controller REST API to retrieve the appropriately scoped IAM policy for the user based on the user’s previous activity.
- The AWS Lambda function provisions the retrieved IAM policy for the user and adjusts the user’s permissions.
Figure 1: Continuous permissions rightsizing to ensure least privileges in AWS using CloudKnox and AWS Config
Solution components
The full solution is available for download and install in our GitHub repo and consists of the following components:
AWS CloudFormation templates:
- aws-cloudknox-prereq.yml
- Provisions AWS Secrets Manager with CloudKnox credentials required for CloudKnox REST API access.
- Provisions prerequisites required for AWS Systems Manager Automation, specifically the AWS Systems Manager Automation assume role and the Amazon Simple Storage Service (Amazon S3) bucket that hosts the CloudKnox_IAMRightsize.py Lambda function.
- aws-cloudknox-configremediation.yml
- Provisions the CloudKnox_IAMRightsize.py Lambda function that invokes the CloudKnox JEP controller API.
- Provisions the AWS Systems Manager Automation document that invokes the AWS Lambda function.
- Provisions an AWS Config remediation action that uses the AWS Systems Manager Automation document.
- Provisions the AWS Config rule that uses the AWS Config remediation action.
AWS Lambda functions:
- CLOUDKNOX_PCI.py (the custom AWS Config rule)
- Uses the AWS Config RDK that automatically creates and generates the boilerplate code required for the custom AWS Config rule.
- Uses the evaluate_compliance method of the generated code to access the AWS Config configuration item (CI), which is the IAM user.
- Provides custom logic to retrieve CloudKnox credentials from AWS Secrets Manager and invoke the CloudKnox REST API to retrieve the PCI score for the IAM user.
- CloudKnox_IAMRightsize.py (the remediation function)
- Retrieves CloudKnox credentials from AWS Secrets Manager.
- Retrieves the IAM user as a parameter from the AWS Systems Manager Automation document. The document is triggered in real time by the AWS Config remediation action.
- Invokes the CloudKnox JEP controller through the REST API to retrieve the appropriate IAM policy for the user.
- Provisions the IAM policy for the IAM user.
For more information, see the readme on GitHub.
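The decision logic of the CLOUDKNOX_PCI rule, as an added illustration that is not the project's own code: it plays the role of the RDK-generated evaluate_compliance hook, applies the post's threshold of 60, and shapes the PutEvaluations entries that AWS Config consumes. The CloudKnox REST call is replaced by an injected lookup over constructed sample scores, and the rule parameter name PciThreshold is assumed.

```python
from typing import Callable, Dict, List

# Threshold from the post: a CloudKnox PCI score of 60 or higher is high, and
# the IAM user is reported NON_COMPLIANT so the remediation action can run.
DEFAULT_PCI_THRESHOLD = 60

# Constructed sample scores standing in for the CloudKnox REST API response;
# the real rule fetches each score over HTTPS using Secrets Manager credentials.
SAMPLE_PCI_SCORES = {"alice": 96, "bob": 12, "svc-deploy": 60}

def sample_pci_lookup(user_name: str) -> int:
    """Stub for the CloudKnox PCI lookup; 0 for users it has never profiled."""
    return SAMPLE_PCI_SCORES.get(user_name, 0)

def evaluate_compliance(ci: Dict, rule_parameters: Dict,
                        pci_lookup: Callable[[str], int]) -> str:
    """Verdict for one configuration item (CI), in the role of the RDK-generated
    evaluate_compliance hook; pci_lookup is injected (an assumption of this
    example) so the decision logic runs offline."""
    # Scoped to AWS::IAM::User: other types and deleted users get no verdict.
    if ci.get("resourceType") != "AWS::IAM::User":
        return "NOT_APPLICABLE"
    if ci.get("configurationItemStatus") == "ResourceDeleted":
        return "NOT_APPLICABLE"
    # "PciThreshold" is an assumed rule parameter name (from parameters.json).
    threshold = int(rule_parameters.get("PciThreshold", DEFAULT_PCI_THRESHOLD))
    return "NON_COMPLIANT" if pci_lookup(ci["resourceName"]) >= threshold else "COMPLIANT"

def build_evaluation(ci: Dict, compliance_type: str, annotation: str = "") -> Dict:
    """One entry for config.put_evaluations(); the annotation is the text the
    Config console shows for the resource (Config caps it at 256 characters)."""
    evaluation = {
        "ComplianceResourceType": ci["resourceType"],
        "ComplianceResourceId": ci["resourceId"],
        "ComplianceType": compliance_type,
        "OrderingTimestamp": ci["configurationItemCaptureTime"],
    }
    if annotation:
        evaluation["Annotation"] = annotation[:256]
    return evaluation

def evaluate_users(items: List[Dict], rule_parameters: Dict,
                   pci_lookup: Callable[[str], int] = sample_pci_lookup) -> List[Dict]:
    """Evaluate a batch of CIs and return the PutEvaluations entries."""
    results = []
    for ci in items:
        verdict = evaluate_compliance(ci, rule_parameters, pci_lookup)
        note = "" if verdict == "NOT_APPLICABLE" else f"CloudKnox PCI score {pci_lookup(ci['resourceName'])}"
        results.append(build_evaluation(ci, verdict, note))
    return results
```

In the deployed rule, the NON_COMPLIANT entries are what trigger the Custom-CloudKnoxIAMUserRightsizing remediation described below.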
Walkthrough
This section describes the prerequisites and steps required for you to set up and deploy the solution. It also provides you with a demonstration of how the solution works when you review your findings.
Prerequisites
CloudKnox related prerequisites
- If you don’t have an existing CloudKnox account, then sign up with CloudKnox to create an account. The signup process will send you an email to confirm and register your account.
- Next, log in to the CloudKnox portal and, from the main dashboard, choose the Deploy button on the Data Collectors tab, which opens an instruction window with a deployment guide. Follow the steps in the deployment guide to provision the AWS CloudFormation template that installs the CloudKnox Sentry appliance in your AWS account.
- Finally, sign in to the CloudKnox API Integrations console and choose Generate New Key. Make a note of the generated access key, secret key, and service account ID.
AWS related prerequisites
- If AWS Config is not enabled in your account, then follow the steps to enable AWS Config.
- Navigate to the AWS CloudFormation console, and then launch the aws-cloudknox-prereq.yml.
- For more information, see Starting the Create Stack wizard in the AWS CloudFormation User Guide.
- In the Parameters section, enter the access key, secret key, and service account ID that were obtained from the previous step for CloudKnox related prerequisites. Accept the default values for this template.
- The aws-cloudknox-prereq.yml template creates an Amazon S3 bucket with the following name:
s3-cloudknoxiamuserrightsize-<AccountId>-<Region>
where <AccountId> is your account ID and <Region> is the AWS Region where you have deployed this template. In this bucket, create a folder named CloudKnox_IAMRightsize. Follow the steps to create a folder in an S3 bucket and then upload the CloudKnox_IAMRightsize.zip file there.
Solution setup
These two steps automate the setup and deployment of our solution:
Step 1: Set up the custom AWS Config rule to evaluate the CloudKnox PCI score for the IAM user.
- We will use the AWS Cloud9 cloud-based Integrated Development Environment (IDE) to install and configure the AWS Config RDK for our use case. Follow the steps to install and set up an AWS Cloud9 EC2 environment in the same Region where AWS Config was enabled in the prerequisites step. Accept all default values. Ensure that the Platform selected is Amazon Linux 2.
- Follow the steps below to install, initialize, create and deploy the custom AWS Config rule using the RDK in the AWS Cloud9 environment:
sudo pip install rdk
export AWS_DEFAULT_REGION=<Region>
Substitute <Region> with the AWS Region where AWS Config was enabled in the prerequisites step.
rdk init
rdk create CLOUDKNOX_PCI --runtime python3.7 --resource-types AWS::IAM::User
- The rdk create command (step 4) creates a rule directory called CLOUDKNOX_PCI and places a boilerplate AWS Config rule in that directory. Replace all the files (CLOUDKNOX_PCI.py, CLOUDKNOX_PCI_test.py and parameters.json) in your rule directory with the corresponding files from the configrule folder in our GitHub repo.
- Finally deploy the rule:
rdk deploy CLOUDKNOX_PCI
- Search for the IAM role that starts with the prefix CLOUDKNOXPCI-rdkLambdaRole and attach an IAM policy that grants it the secretsmanager:GetSecretValue permission. Follow these instructions for modifying an IAM role to attach permissions to the role.
Step 2: Set up the custom AWS Config remediation to perform permissions rightsizing for the IAM user
In the AWS CloudFormation console, follow the steps in the AWS CloudFormation User Guide to launch the aws-cloudknox-configremediation.yml template. In the Parameters section, for <AccountId> and <Region>, use the AWS account ID and AWS Region where you have deployed this template.
Validate continuous permissions rightsizing
Now that your deployment is complete, you can view the overall PCI score for your AWS environment from the CloudKnox console. Sign in to your CloudKnox portal and select the Dashboard tab. In our AWS account, we find that CloudKnox is tracking 14 identities (IAM roles, IAM users, and AWS services). Figure 2 shows that based on their current usage, the overall PCI score for our AWS account is high (96).
Figure 2: Overall PCI score for our AWS environment
To view your compliance findings, navigate to the AWS Config console. Choose the same AWS Region where you deployed the CloudFormation template. From the left pane, choose Rules to display the current list of rules in your account. You can see that the CLOUDKNOX_PCI rule is currently configured in your account. The CLOUDKNOX_PCI rule also has an attached AWS Systems Manager Automation document with a Custom-CloudKnoxIAMUserRightsizing remediation action. Figure 3 from our AWS account shows the CLOUDKNOX_PCI rule has two noncompliant resources.
Figure 3: CLOUDKNOX_PCI custom rule with attached remediation action shows two noncompliant resources
Next, when you choose the rule name, you can see the details of the custom AWS Config rule that retrieves the CloudKnox PCI score for IAM users in your account. When you hover over the information icon, you can see the CloudKnox PCI score for the noncompliant IAM user. In our account, we also see that the remediation action is automatically queued for execution for each noncompliant IAM user.
Figure 4: AWS Config triggers a remediation action for noncompliant users
Finally, from the AWS Config console under the same Rule details tab, you can see that the AWS Config remediation action has successfully completed the IAM remediation for each noncompliant IAM user. When the custom AWS Config rule retrieves the PCI score from CloudKnox on the next evaluation, there are no more noncompliant users. This process happens continuously.
Figure 5: AWS Config remediation action successfully executed for each noncompliant IAM user
You can also view the new overall PCI score for your AWS environment from the CloudKnox dashboard. You’ll see that CloudKnox has now calculated a low overall PCI score of 11 for the AWS account.
Figure 6: Lower overall PCI score for our AWS environment
Conclusion
In this blog post, we have described a solution that provides continuous profiling of IAM usage with automated adjustments of permissions using AWS Config and CloudKnox. Our solution enforces the principle of least privilege in AWS while ensuring users have the permissions they need instead of overly broad, unnecessary permissions. We hope that you find this solution useful. If you have questions or other feedback, please leave it in the comments.
About the Authors
Kanishk is an ISV Solutions Architecture Leader at AWS. In this role, he leads cloud transformation and solution architecture for our Independent Software Vendor partners and mutual customers in all areas that relate to management and governance, security and compliance, and migrations and modernizations in AWS.
Maya is one of the founding engineers at CloudKnox, involved in building the patented CloudKnox activity-based authorization platform which helps enterprises manage entitlements. In her current role as Head of Customer Success she works with customers to identify and solve their challenges with IAM permission management.