To check access to resources in Amazon Web Services (AWS) Cloud, customers can author AWS Identity and Access Management (IAM) policies. The IAM policy language is expressive, so you can create fine-grained policies that control who can perform what actions on what resources. This control can be used to sweat the principle of least privilege and only give the permits required to perform a task.
But how can you verify that your IAM police meet your security requirements? On AWS’s 2023 Re: Invent Conference we announced the launch of IAM Access Analyzer Custom Policy Checks, which will help you with benchmark against your security standard. Custom political controls abstract the task of converting political statements to mathematical formulas so that customers can enjoy the benefits of automated reasoning without expertise in formal logic.
IAM Access Analyzer API Checkknonewaccess Ensures that you do not inadvertently add permissions to a policy when you update it. With CheckAcessing API, you can specific critical permissions that developers should not give their IAM policies.
We built customized political controls on an internal AWS service called Zelkova, which uses automated reasoning to analyze IAM policies. Premisent we used Zelkova to build preventative and detective controlled controls, such as the Amazon S3 Block Public Access and IAM access to an analyzer audience and across accent finds. Now, with the release of custom political controls, you can set a security standard and prevent police that do not meet this standard from being implemented.
How does Zelkova work?
Zelkova models the semantics of the IAM policy language by translating policies into precise mathematical expressions. It is used automated engines called satisfaction modulotories (SMT) solvers to control the properties of the policies. Satisfaction (SAT) SOLVERS controls whether it is possible to assign true or false values to booolic variables to satisfy a set of restrictions; SMT is a generalization of set to include strict, interest, real nurse or functions. The advantage of using SMT to analyze policies is that it is understanding. In contrast to tools that simulate or evaluate a policy for a given request or small set of requests, Zelkova Canck Properties of A Policy for a all Possible requests.
Consider the following Amazon S3 Bucket Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
}
]
}
Zelkova translates this policy into the following formula:
(Action = “s3:PutObject”) ∧ (Resource = “arn:aws:s3:::DOC-EXAMPLE-BUCKET”)
In this formula is “∧” the mathematical symbol of “and”. Action and Resource Is variable that reproduces values from any possible request. The formula is only true when a request is allowed by the policy. This exact mathematical representation of a policy is useful because it allows us to answer questions about the policy exhaustively. For example, we can ask if the policy allows public access and we receive the answer it does.
For simple police policies like the previous policy, we could perform manual reviews to decide where they give public access: The The The “Head”: “*” In the Station of Politics, this means that anyone (the public) has access. But manual review may be prone to errors and is not scalable.
Alternatively we could write simple syntactic controls for patterns such as “Head”: “*”. However, these syntactic controls can miss the subtleties of policies and the interaction between different parts of a policy. Consider the following change of the previous policy that adds one Refuse Station with “Notpruncipal”: “123456789012”; The policy still has the pattern “Head”: “*”But it is no expenses give public access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:PutObject"],
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
},
{
"Effect": "Deny",
"NotPrincipal": "123456789012",
"Action": "*",
"Resource": "*"
}
]
}
With the mathematical representation of politics semantics in Zelkova, we can answer questions about access privileges exactly.
Answering questions with Zelkova
As an example, let’s consider a relative question. With IAM policies, you can give Cross-Care access to resources you want to share. For sensitive resources, you would like to verify that cross-count access is not possible.
Suppose we would check where the previous policies allow everyone outside my account, 123456789012, to access my S3 bucket. Just as we translated the policy into a mathematical formula we can translate the question we will ask (or property We will check) into a mathematical formula. To check where all allowed access is from my account, we can translate the owner into the following formula:
(Principal = 123456789012)
To show that the owner applies to the police, we can now try to prole who only request with (Main = 123456789012) Is allowed by the policy. A regular trick used in math is to turn the question around. Instead of trying to prove that the property is valid, we can from it do not Hold by finding requests that do not satisfy it – in other words requests that satisfy (Main ≠ 123456789012). To find such a fashion example we look for tasks for the variables Head, action, and Resource How the following is true:
(Action = “s3:PutObject”) ∧ (Resource = “arn:aws:s3:::DOC-EXAMPLE-BUCKET”) ∧ (Principal ≠ 123456789012)
Zelkova translates the policy and the property into the previous mathematical formula, and it effectively searches for fashion examples using SMT -Solvers. For the previous formula, SMT -SOLVER can produce a fashion example that shows that such access is actually allowed by the police (for example, with Principal = 11112223333).
For the previously modified police with Refuse Stays, SMT -SOLVER can also prove that no solution is possible for the resulting formula and that there is no access to the police outside my account, 123456789012:
(Action = “s3:PutObject”) ∧ (Resource = “arn:aws:s3:::DOC-EXAMPLE-BUCKET”) ∧ (Principal = 123456789012) ∧ (Principal ≠ 123456789012)
Tea Refuse Station in the policy with “Notpruncipal”: “123456789012” translated to the restriction (Main = 123456789012). By inspecting the previous formula we can see that it cannot be met: the restrictions on Main From the policy and from the property is contradictory. An SMT solver can then this and more complicated formulas by exhaustively excluding solutions.
Custom political controls
To democratize access to Zelkova, we had to abstract the construction of mathematical formlas behind a more accessible interface. For this purpose, we launched IAM Access Analyzer Custom Policy Checks with two predefined checks: Checkknonewaccess and CheckAcessing.
With CheckknonewaccessCan you confirm that you do not accidentally add permissions to a policy when you update it. Developers often start with more quiet policies and refine them over time trivile. With CheckknonewaccessCan you compare two versions of a police to confirm that the new version is no more allowed than the old version.
Suppose that a developer updates the first example policy in this post to reject cross-count access, but also action:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "123456789012",
"Action": [
"s3:PutObject",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET"
}
]
}
Checkknonewaccess Translates the two versions of the policy into formulas S.Old and S.newRespective. It can be solutions to the formula (Pnew ∧ ¬S.Old) Requests reproduced by the new policy but not allowed by the old policy (“¬” is the mathematical symbol of “not”). Becuse The new policy allows head lines in 123456789012 to perform an action that the old police did not do, the check fails, and a security engineer can review where this policy change is acceptable.
With CheckAcessingSecurity engineers may be prescription with specific critical permits to be checked against political updates. Let’s say we want to make sure developers do not give permissions to delete an important bucket. In our past example, Checkknonewaccess Detained this only because the permit was added with an update. With CheckAcessingThe security engineer can be specific S3: Deletive Bucket As a critical permit. We translate the critical permissions into a formula such as (Action = “S3: Deletebucket”) and search for requests with the action allowed by the police. Because the previous policy allows this action, the control fails and this presence is the permission from being implemented.
With the ability of specific critical permits as parameters to CheckAcessing API, you can now control policies against your standards – and not just for canned, widely applicable controls.
Debugging error
By democratizing political controls with the need for expensive and time -consuming manual reviews, customized political controls help developers to move faster. When policies pass the controls, developers can make updates with confidence. If policies fail the controls, IAM Access Analyzer provides additional information so that the development can troubleshoot and resolve them.
Suppose a developer writes the following identity -based policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstance*",
"ec2:StartInstances",
"ec2:StopInstances"
],
"Resource": "arn:aws:ec2:*:*:instance/*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject*",
"s3:PutObject",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
}
]
}
Let’s also assume that a security engineer has specific critical permissions that included S3: Deletive Bucket. As described above, CheckAcessing Fail on this policy.
For any given policy, it can sometimes be difficult to understand why a control failed. To give developers more clarity, IAM Access Analyzer Zelkova uses to solve additional problems that clarify the lack of a specific statement in police. For the previous policy, control of the description “New access in the statement with index: 1” failed. This description indicates that the second statement contains a critical permit.
The key to democratization of automated reasoning is to make it easy to use and easy to specific properties. With additional custom checks, we will continue to enable our customers on their day to less privilege.