One of the most common tasks for anyone working with AWS IAM is to scope policies so that they include only the privileges required to complete a task. This is commonly referred to as following the Principle of Least Privilege. In this room, we will take a broadly scoped policy and whittle its access down until it permits only three things:
- Audit all Settings
- Launch machines in the Singapore Region
- Access a specific corporate bucket.
We’ll start with the default AdministratorAccess policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
The requirement is to allow access to EC2 and S3 only. To do that, you'll need to restrict the actions by service. That would look like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitEC2",
      "Effect": "Allow",
      "Action": ["ec2:*", "XXX:*"],
      "Resource": "*"
    }
  ]
}
However, we probably want to break this out to support two different resources, so we’ll do that now.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitEC2",
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*"
    },
    {
      "Sid": "Permit S3",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "*"
    }
  ]
}
To make this a read-only audit role, we need to limit the policy to List/Describe/Get actions only:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitEC2",
      "Effect": "Allow",
      "Action": [ "ec2:YYY*", "ec2:Get*" ],
      "Resource": "*"
    },
    {
      "Sid": "Permit S3",
      "Effect": "Allow",
      "Action": [ "s3:Get*", "s3:XXX*" ],
      "Resource": "*"
    }
  ]
}
What is the redacted S3 Action required in place of XXX?
Finally, we’ll limit this policy to a subset of resources using wildcards and prefixes. We start with a new statement to allow all actions on instances in Singapore.
We also need to add two resources to the S3 statement. The first resource refers to all the objects in the bucket and the second to the bucket itself.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitEC2",
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*",
        "ec2:Get*"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Singapore",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": "arn:aws:ec2:XXXX:*:instance/*"
    },
    {
      "Sid": "Permit S3",
      "Effect": "Allow",
      "Action": "s3:Get*",
      "Resource": [
        "arn:aws:s3:::my_corporate_bucket/*",
        "arn:aws:s3:::my_corporate_bucket"
      ]
    }
  ]
}
There are two resources needed for the S3 statement. The first applies the s3:Get* actions to the objects in the bucket, while the second applies them to the bucket itself: object-level calls such as GetObject are authorised against the object ARN, whereas bucket-level calls such as GetBucketLocation are authorised against the bucket ARN, so omitting either one breaks part of the audit.
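To see how the wildcards in the final policy above actually decide a request, here is a small evaluator, written for this page as an added example (it is not TryHackMe's code and not the AWS policy engine). It only models Allow statements with Action/Resource glob matching; explicit Deny, NotAction, Condition and Principal are ignored. The region in the Singapore statement is replaced by the made-up placeholder `xx-region-1`, since the room leaves the real region code for you to fill in, and the account ID and instance IDs are constructed sample values.

```python
"""Tiny IAM Allow-statement evaluator: Action/Resource wildcard matching only.

Added example, not TryHackMe's or AWS's code. Models just enough of IAM
evaluation to show why each statement in the room's final policy exists.
"""
import re
from typing import List

# Constructed copy of the page's final policy; 'xx-region-1' is a placeholder
# region code standing in for the redacted Singapore region.
FINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PermitEC2", "Effect": "Allow",
         "Action": ["ec2:Describe*", "ec2:Get*"], "Resource": "*"},
        {"Sid": "Singapore", "Effect": "Allow",
         "Action": ["ec2:*"], "Resource": "arn:aws:ec2:xx-region-1:*:instance/*"},
        {"Sid": "Permit S3", "Effect": "Allow", "Action": "s3:Get*",
         "Resource": ["arn:aws:s3:::my_corporate_bucket/*",
                      "arn:aws:s3:::my_corporate_bucket"]},
    ],
}


def glob_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style wildcard match: '*' = any run of characters, '?' = one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile(regex, flags).fullmatch(value) is not None


def _as_list(value) -> list:
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def matching_sids(policy: dict, action: str, resource_arn: str) -> List[str]:
    """Return the Sids of every Allow statement whose Action AND Resource match.

    Action names are case-insensitive in IAM; resource ARNs are compared as-is.
    """
    hits = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(glob_match(p, action, ignore_case=True)
                        for p in _as_list(stmt["Action"]))
        resource_ok = any(glob_match(p, resource_arn)
                          for p in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def is_allowed(policy: dict, action: str, resource_arn: str) -> bool:
    """A request is allowed here if at least one Allow statement matches it."""
    return bool(matching_sids(policy, action, resource_arn))


if __name__ == "__main__":
    # Constructed sample requests: (action, resource ARN, what the page intends).
    samples = [
        ("ec2:DescribeInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0aud1t", "audit anywhere"),
        ("ec2:RunInstances", "arn:aws:ec2:xx-region-1:111122223333:instance/i-0new", "launch in target region"),
        ("ec2:RunInstances", "arn:aws:ec2:us-east-1:111122223333:instance/i-0new", "launch elsewhere"),
        ("s3:GetObject", "arn:aws:s3:::my_corporate_bucket/reports/q1.csv", "read corporate object"),
        ("s3:GetBucketLocation", "arn:aws:s3:::my_corporate_bucket", "read bucket metadata"),
        ("s3:GetObject", "arn:aws:s3:::other-bucket/secret.txt", "read another bucket"),
        ("s3:PutObject", "arn:aws:s3:::my_corporate_bucket/new.txt", "write to corporate bucket"),
    ]
    for action, arn, intent in samples:
        verdict = "ALLOW" if is_allowed(FINAL_POLICY, action, arn) else "deny "
        print(f"{verdict} {action:<22} {intent:<26} via {matching_sids(FINAL_POLICY, action, arn)}")
```

Two caveats when reading the output. First, an explicit Deny anywhere in the effective policy set would override every Allow shown here. Second, the real service authorises a single API call such as ec2:RunInstances against several resource ARNs (image, subnet, security group and so on), so the instance-only ARN in the Singapore statement is the room's simplification of that rule, not a complete launch permission.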