Reduce IAM Exposure With AWS Access Advisor!

Defaults can be lax, and understanding new technologies comes in stages. As a result, some open roles/policies may be created or used within IAM. Whilst this may be OK for initial testing, it should not be the case for production.

IAM policies and roles can get complicated, and certain custom solutions are hard to secure when you weren’t involved in the development. What they touch and use can always be discovered by using firewall, network, application, and trail logs; however, this can be a faff.

This is where Access Advisor comes in. If you’re running AWS, you can use this service to reduce access within your policies without having to guess.

Access Advisor uses a user’s, group’s, or role’s activity to provide insight into which permissions they are actually using. Rather than just showing you what is being used, it also shows you what isn’t. This can give a bit more confidence when removing access.

With this information, you can better understand how the object is using the policy. Although Access Analyzer does have its own pane, from my experience it’s better to target those you feel need work and drill down there. For example, go to a role and click on the Access Advisor tab. Then you can start to edit the current policy, or create a new one, based on the findings.

Whilst you may want to move away in stages (targeting resources, or Actions), you do have the option to drill down into some. For example, this is me drilling down into S3 Actions.

Here I can see a bunch of Actions it doesn’t need; therefore, I can filter down to what it does need and edit the policy (removing * or the actions listed above).
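The trimming step described above, as an added example that is not part of the original post: it takes action-level Access Advisor data and narrows wildcard `Allow` statements to the actions actually seen in use. The report and policy are constructed samples, and `used_actions` and `tighten` are hypothetical helper names.

```python
import copy

# Constructed sample, shaped like the output of
# `aws iam get-service-last-accessed-details` at ACTION_LEVEL granularity.
REPORT = {"ServicesLastAccessed": [
    {"ServiceNamespace": "s3", "LastAuthenticated": "2024-05-01T10:00:00Z",
     "TrackedActionsLastAccessed": [
         {"ActionName": "ListAllMyBuckets", "LastAccessedTime": "2024-05-01T10:00:00Z"},
         {"ActionName": "GetBucketPolicy", "LastAccessedTime": "2024-04-20T08:30:00Z"},
         {"ActionName": "DeleteBucket"}]},   # tracked, never used
    {"ServiceNamespace": "ec2"},             # service never used
    {"ServiceNamespace": "sqs", "LastAuthenticated": "2024-05-02T09:00:00Z"},
]}                                           # sqs: used, but no action-level data

# Constructed "before" policy with the wildcards the article suggests removing.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
]}

def used_actions(report):
    """ns -> used actions; [] = service never used; omitted = used, no action data."""
    result = {}
    for svc in report["ServicesLastAccessed"]:
        ns = svc["ServiceNamespace"]
        seen = sorted(f"{ns}:{a['ActionName']}"
                      for a in svc.get("TrackedActionsLastAccessed", [])
                      if "LastAccessedTime" in a)
        if seen or "LastAuthenticated" not in svc:
            result[ns] = seen
    return result

def tighten(policy, report):
    """Copy of policy with Allow 'ns:*' entries narrowed to the actions seen in use.
    Only tracked actions appear in the report, so review the result before applying."""
    used, out, kept = used_actions(report), copy.deepcopy(policy), []
    for stmt in out["Statement"]:
        if stmt.get("Effect") == "Allow" and "Action" in stmt:
            acts = stmt["Action"]
            narrowed = []
            for a in [acts] if isinstance(acts, str) else acts:
                ns, _, name = a.partition(":")
                narrowed += used[ns] if name == "*" and ns in used else [a]
            if not narrowed:
                continue  # no action in this statement was ever used: drop it
            stmt["Action"] = narrowed
        kept.append(stmt)
    out["Statement"] = kept
    return out
```

Calling `tighten(POLICY, REPORT)` returns the proposed policy; the `sqs:*` statement is left alone because the report shows the service in use but gives no action-level evidence to narrow it with.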

If you are looking to edit those policies, it might be worth using this reference: AWS Doc…

There are a lot of Actions out there; the reference sheets help admins understand what’s what.

Thanks for reading and take care! 🙂