Defaults can be lax and understanding new technologies come in stages. With this, some open roles/policies may be created or used within IAM. Whilst this may be ok for initial testing, it should not be the case for production.
IAM policies and roles can get complicated and certain custom solutions are hard to secure when you weren’t involved in the development. What they touch and use can always be discovered by using firewall, network, application, and trail logs however this can be a faff.
This is where access Advisor comes in. If you’re running AWS, you can use this service to reduce access within your policies without having to guess.
Access Advisor uses the user, group, or roles activity and provides insight into what permissions they are actually using. Rather than just show you what it is, it will also show you what it isn’t. This can help give a bit more confidence when removing access.
With this information, you can better understand how the object is using the policy. Although Access analyzer, does have its own pane, from my experience, it’s better to target those you feel need work and drill down there. For example, go to a role and click on the Access Advisor tab. Then you can start to edit the current, or create a new policy based on the findings.
Whilst you may want to start to move away in stages (Targeting resources, or Actions, you do have the option to drill down into some. For example, this is me drilling down into S3 Actions.
Here I can see a bunch of Actions it doesn’t need therefore I can filter what it does and edit the policy (removing * or the actions listed above).
If you are looking to edit those policies, it might be worth using this reference: AWS Doc…
There are a lot of Actions out the reference sheets to help admins understand what’s what.
If you enjoyed reading my content and want to support, why not consider signing up and becoming a member. It’s $5 a month, for unlimited access to all stories on Medium. Join now! 🙂
You could also clap, should this provide some help!
Regardless, thanks for reading and take care! 🙂
Leave a Reply