Excessive use of overly permissive and broad AWS IAM policies is one of the most common vulnerabilities found in a lot of company's AWS architecture. Does this look familiar?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": "*"
}
]
}In this policy above, we're giving an IAM entity the ability to get the value of every single secret in your organization. How to protect from this? Besides auditing and reviewing all the policies created, there is another – using Resource policies.
Denying by default using resource policies
Resource-based policies are attached to a resource. For example, you can attach resource-based policies to Amazon S3 buckets, Amazon SQS queues, VPC endpoints, and AWS Key Management Service encryption keys. With resource-based policies, you can specify who has access to the resource and what actions they can perform on it.
One trick to prevent overly permissive policies from accessing resources is with explicit deny statements. For example, by adding the following resource policy to a secret, by default we prevent all IAM entities from getting its value unless we explicitly allow it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {"AWS": "*"},
"Resource": "*"
}
]
}In order to give permission to a particular IAM entity, we now need to add them explicity – In this example, we give the iam role arn:aws:iam::123456789012:role/ProductTeam , and this role only, the ability to request GetSecretValue.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {"AWS": "*"},
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Principal": {"AWS": "arn:aws:iam::123456789012:role/ProductTeam"},
"Resource": "*"
}
]
}Additional links
