Prebuilt IAM policies, and least privilege in AWS

Concerns that arise with the use of AWS prebuilt IAM policies & least privilege


Today I Explained

You may find that a repository's test pipeline failed shortly after you modified an IAM Policy or Role by attaching an IAM policy. Specifically, the managed access policies, which don’t grant least privilege but help cover common use cases, trigger this. The error looks something like:

IAM roles should not leverage managed access policies.

... (link to offending line here)

The reason this has failed your test pipeline has to do with the idea of least privilege: these managed access policies very explicitly don’t aim to provide least privilege. The most notable example is ReadOnlyAccess, which allows actions that could result in reading production data from AWS S3 buckets.

To avoid this, test pipelines can scan Terraform (or other infrastructure as code options) to fail deployments when usages of these managed policies are detected within the code. Although these policies are perfectly fine for prototyping, for services in active development they present a genuine concern.
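The kind of pipeline check described above, as an added example that is not from the original post: it scans Terraform source for ARNs of AWS managed policies (which all live under the literal account id `aws`) and reports the offending line in the same form as the pipeline message. The Terraform fragment, resource names and file path are constructed for the example.

```python
import re

# Constructed Terraform fragment (not from the original post): one attachment of an
# AWS managed policy, one attachment of a customer managed policy, and a role that
# lists a managed policy inline.
SAMPLE_TF = """\
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.ingest.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "scoped" {
  role       = aws_iam_role.ingest.name
  policy_arn = aws_iam_policy.enrollment_secret_read.arn
}

resource "aws_iam_role" "ingest" {
  name                = "ingest"
  managed_policy_arns = ["arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"]
  assume_role_policy  = "{}"
}
"""

# AWS managed policies use "aws" in the account id position; customer managed policies
# carry a real account id, so they never match this pattern. The path segment is kept so
# policies such as job-function/ViewOnlyAccess are also caught.
AWS_MANAGED_ARN = re.compile(r"arn:aws:iam::aws:policy/[A-Za-z0-9+=,.@_/-]+")


def find_managed_policy_usages(tf_source: str):
    """Return (line_number, arn) for every AWS managed policy ARN in the source."""
    findings = []
    for lineno, line in enumerate(tf_source.splitlines(), start=1):
        for match in AWS_MANAGED_ARN.finditer(line):
            findings.append((lineno, match.group(0)))
    return findings


def format_findings(findings, path="main.tf"):
    """Render findings as file:line messages in the pipeline's wording."""
    return [
        f"{path}:{lineno}: IAM roles should not leverage managed access policies ({arn})"
        for lineno, arn in findings
    ]


if __name__ == "__main__":
    hits = find_managed_policy_usages(SAMPLE_TF)
    for message in format_findings(hits):
        print(message)
    # Non-zero exit fails the pipeline when any managed policy is referenced.
    raise SystemExit(1 if hits else 0)
```

A regex over the raw source is deliberate: it catches the ARN whether it appears in an `aws_iam_role_policy_attachment`, in a role's `managed_policy_arns`, or in a module input, without needing an HCL parser.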

One of the less touched upon concerns with these policies is that they obscure the data flow model of the service. A service that routinely queries one specific S3 bucket for objects to ingest is, through its permissions, capable of ingesting objects from any S3 bucket.

In practice, you are most likely to make use of customer managed policies, which are made available by common infrastructure. These policies will be scoped to a specific use-case, following the practices of least privilege.

As an example, you might have an enrollment secret held in an AWS SecretsManager resource, to which you wish to grant access for any EC2 instance within the organization. At startup, each instance would retrieve the secret and use it to register with another service.

Compared with a library method that generates the policy, the customer managed policy avoids a re-deploy of every consumer when the policy changes, and so allows the IAM policy to evolve over time.

  ┌────────────────┐
  │ secretsmanager │
  └────────────────┘
        ▲   ▲
        │   │   get (allowed by the customer managed IAM policy)
┌─────┐ │   │ ┌─────┐
│ EC2 ├─┘   └─┤ EC2 │
└─────┘       └─────┘
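The policy behind the arrows above, as an added example that is not from the original post: a customer managed policy document scoped to a single action on a single secret, next to a broad read statement of the shape a managed read-only policy grants, and a check that flags Allow statements with wildcard actions or resources. The secret ARN, account id and statement ids are constructed placeholders.

```python
import json

# Constructed placeholder values (not from the original post).
ACCOUNT_ID = "123456789012"
SECRET_ARN = f"arn:aws:secretsmanager:eu-west-1:{ACCOUNT_ID}:secret:enrollment-secret-AbCdEf"


def enrollment_secret_read_policy(secret_arn: str) -> dict:
    """Customer managed policy: only GetSecretValue, only on the enrollment secret.

    The resource list is the data flow of the service: one secret, nothing else.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadEnrollmentSecret",
                "Effect": "Allow",
                "Action": ["secretsmanager:GetSecretValue"],
                "Resource": [secret_arn],
            }
        ],
    }


# Constructed statement in the shape of a managed read-only policy: whole action
# families across every resource, so it says nothing about what the service reads.
BROAD_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "BroadRead",
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue", "s3:Get*", "s3:List*"],
            "Resource": "*",
        }
    ],
}


def _as_list(value):
    """IAM allows a single string or a list in Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy: dict) -> list:
    """Return the Allow statements whose actions or resources contain a wildcard."""
    broad = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if any("*" in a for a in actions) or any("*" in r for r in resources):
            broad.append(stmt)
    return broad


def resources_touched(policy: dict) -> set:
    """The set of resource ARNs a policy's Allow statements name: the visible data flow."""
    touched = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            touched.update(_as_list(stmt.get("Resource", [])))
    return touched


def policy_json(policy: dict) -> str:
    """Serialise for an aws_iam_policy resource's policy argument."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    scoped = enrollment_secret_read_policy(SECRET_ARN)
    print(policy_json(scoped))
    print("scoped policy broad statements:", overly_broad_statements(scoped))
    print("broad policy broad statements:", [s["Sid"] for s in overly_broad_statements(BROAD_READ_POLICY)])
```

`resources_touched` is the point of the data flow concern: for the scoped policy it returns exactly the one secret the EC2 instances read, while for the broad policy it returns `*`, which tells a reviewer nothing about what the service actually reaches.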