Kata 4: Review which IAM principals can administer or change data resources

This kata shows how to review which AWS IAM principals can administer, change, or delete data resources, then verify they need it using the k9 Principal Access Summary.

Reviewing data resource administration and change capabilities is a critical AWS access improvement step. Data is a precious organizational asset. IAM principals with excess privileges to administer or change data resources create a latent risk of accident or abuse.

Let’s see who can administer storage resources or change data and verify they need that access.

Open the latest k9 resource access audit spreadsheet from the S3 bucket containing your reports.

Go to the Principal Access Summaries worksheet.

  1. Enable filtering for the columns in the worksheet
  2. Filter the Service Name to: RDS, the Relational Database Service
  3. Filter the ‘Access Capability’ to administer-resource and delete-data

You should now have a list of principals that looks like:

IAM Principals who can administer or delete data in RDS

These are the IAM users and roles who can:

  • create and administer RDS database clusters, instances, and other resources
  • delete data in RDS database clusters

When the Resource ARN column is blank, the IAM principal has the capability to use the service’s API generally. When the Resource ARN column is populated, the IAM principal has the capability to operate on that specific resource.

In the example above, the ci, training, and AccountAdminAccessRole-Sandbox principals have:

  1. the ability to administer RDS cluster resources and delete RDS data generally
  2. those same abilities to operate on the int-test-pg-01 RDS database cluster

k9 also reports whether principals can read or write data for each supported service (service support matrix). Start by verifying principals have only the expected and necessary access to core data services like RDS, DynamoDB, and S3, then expand to other services.

An IAM principal with AWS service administration or data change capabilities can be abused to execute many kinds of attacks in your AWS account. Reduce risk to data in your AWS account by reducing data administration and change capabilities to only what is necessary.

Review External Access

AWS allows you to use resource policies to allow external access to data resources or IAM roles. That means S3 buckets, encryption keys, and more can be accessible.

This report integrates all external access findings from all the regions where AWS Access Analyzer is deployed.

Navigate to the Resource Access Summary worksheet, then filter Principal ARN to exclude your own account number.

We are looking for things like:

  • Public S3 bucket access (includes “*”)
  • Cross-account access
  • Third-party service roles

Here is an excerpt from the Resource Access Summaries report showing that the k9-backend-prod IAM role in k9 Security’s production account has access to an IAM role and KMS encryption key in the k9 dev account:

Note: If there is public access to a bucket, it is almost always wrong. The one exception is when you are serving a website from the bucket. In that case, it is best to put CloudFront in front of it along with a proper bucket policy. k9’s CDK policy generators can be used to accomplish this.
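The two filters above (the RDS administer/delete-data filter on the Principal Access Summaries worksheet, and the external-access filter on the Resource Access Summary) can be applied outside the spreadsheet once the worksheets are exported to CSV. The script below is an added example, not k9 tooling; it assumes the CSV headers match the column names used in this kata, and every ARN, account id and principal in the sample rows is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed rows shaped like the Principal Access Summaries worksheet
# (header names assumed to match the worksheet; ARNs and account ids are made up).
PRINCIPAL_ACCESS_CSV = """Principal ARN,Service Name,Access Capability,Resource ARN
arn:aws:iam::111111111111:user/ci,RDS,administer-resource,
arn:aws:iam::111111111111:user/ci,RDS,delete-data,arn:aws:rds:us-east-1:111111111111:cluster:int-test-pg-01
arn:aws:iam::111111111111:role/AccountAdminAccessRole-Sandbox,RDS,delete-data,
arn:aws:iam::111111111111:user/analyst,RDS,read-data,
arn:aws:iam::111111111111:user/ci,S3,delete-data,
"""

# Constructed rows shaped like the Resource Access Summaries worksheet.
RESOURCE_ACCESS_CSV = """Resource ARN,Principal ARN
arn:aws:s3:::public-site-bucket,*
arn:aws:kms:us-east-1:111111111111:key/EXAMPLE-KEY-ID,arn:aws:iam::222222222222:role/k9-backend-prod
arn:aws:s3:::internal-bucket,arn:aws:iam::111111111111:role/app
"""

def read_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def data_change_capabilities(rows, service="RDS",
                             capabilities=("administer-resource", "delete-data")):
    """Kata steps 1-3: keep one service and the risky capabilities, grouped by principal.
    A blank Resource ARN means the capability applies to the service API generally;
    a populated one means it applies to that specific resource."""
    found = defaultdict(lambda: {"general": set(), "resources": defaultdict(set)})
    for row in rows:
        if row["Service Name"] != service or row["Access Capability"] not in capabilities:
            continue
        entry = found[row["Principal ARN"]]
        arn = row["Resource ARN"].strip()
        target = entry["resources"][arn] if arn else entry["general"]
        target.add(row["Access Capability"])
    return dict(found)

def external_access(rows, own_account_id):
    """External access review: keep grants whose principal is outside your account.
    Returns (resource ARN, principal ARN, is_public) with '*' flagged as public."""
    findings = []
    for row in rows:
        principal = row["Principal ARN"].strip()
        if f":{own_account_id}:" in principal:
            continue  # a principal in your own account is not external access
        findings.append((row["Resource ARN"], principal, principal == "*"))
    return findings
```

Each finding still needs the review questions below applied to it; the script only narrows the list to the rows worth a human decision.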

Review Questions

Ask these questions during your review:

Q. Should this principal have this service access capability? In this environment?

Automated delivery processes, operations teams, and security teams usually need an IAM principal with service administration capabilities. Sometimes application teams do too. The need to administer services, especially data services, usually varies by environment.

For example, you may allow application development teams to create and delete a database in a development environment. However, you probably don’t want anyone to be able to delete a production database. You could adjust identity policies to reduce unwanted privileges. You could also implement Service Control Policies that protect specific resources or deny, for example, delete operations in the account.

Q. When was the last time the principal used the capability?

You can also use AWS Access Analyzer to identify when services and API actions were last used. k9 will integrate that capability into the product soon. We’re happy to help you accomplish this with what you have right now.

Summary

Once you have completed this kata, you should be able to:

  • identify IAM users and roles that can administer data resources or read, write, or delete data in your AWS account
  • determine whether that IAM principal should have that level of access
  • kick off the process to remove excess privileges with strong evidence

Contact k9 Support ([email protected]) if you have questions, feedback, or would like assistance.