Using Guardrails on AWS for More Effective Security
One of the fundamentals of a good security strategy is broad organizational guardrails that provide baseline protections for sensitive data and infrastructure.
Phil Windley
Amazon Employee
Published Mar 27, 2024
AWS Identity and Access Management (IAM) provides authorization policies that allow you to apply fine-grained access control to all of your AWS resources. But anyone with more than a few policies knows that understanding what your policies allow--and what they don't--can be difficult.
AWS provides a few tools that can help with that. The first, Amazon S3 Block Public Access, automatically puts guardrails around your S3 buckets to protect them from unintended access. When you first read about it, you might think that it's a simple checker that makes sure none of your S3 policies have a `Principal` of `*` (allowing anyone to take action on the bucket). But it's not that simple-minded. In fact, S3 Block Public Access does a sophisticated analysis of your policies using automated reasoning. This analysis looks at all your policies and determines how all your allow statements and deny statements interact to infer what you trust (like specific accounts or organizations). Then it looks for any potential access outside that trusted group and blocks it. This is how "public" is defined for S3. You can dive deep on how this works in Andrew Gacek's article Understanding S3 Block Public Access. S3 Block Public Access is turned on by default for any S3 bucket created after April 27, 2023. If you've got older buckets you should consider enabling it on them to ensure your S3 buckets are not being shared with entities you don't trust.
The second tool I want to highlight is AWS Identity and Access Management (IAM) Access Analyzer. IAM Access Analyzer is another automated-reasoning-powered tool that helps you stay on top of your security game by guiding you toward least privilege with five important capabilities:
- IAM Access Analyzer external access analyzers help identify resources in your organization and accounts that are shared with an external entity.
- IAM Access Analyzer unused access analyzers help identify unused access in your organization and accounts.
- IAM Access Analyzer validates IAM policies against policy grammar and AWS best practices.
- IAM Access Analyzer custom policy checks help validate IAM policies against your specified security standards.
- IAM Access Analyzer generates IAM policies based on access activity in your AWS CloudTrail logs.
These capabilities are available as APIs and can be integrated with your CI/CD pipeline to "shift security left" and discover problems with your policies earlier in development. For example, in Introducing IAM Access Analyzer custom policy checks, Mitch Beaumont and Matt Luttrell show in detail how to use custom policy checks in a pipeline to prevent the introduction of policies that are more permissive than an organization reference policy. A reference policy allows the security team to put up guardrails that keep code deployments secure without slowing down the pace of development.
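The pipeline gate described above, as an added example (not code from this post or from AWS): it runs a candidate IAM policy through two of the Access Analyzer APIs the post lists, policy validation (`ValidatePolicy`) and a custom policy check against a reference policy (`CheckNoNewAccess`), and fails the build when either reports a problem. The reference policy, the candidate policy, the bucket name and the sample API responses are all constructed for illustration; the decision logic is kept in pure functions so it can be exercised without AWS credentials, and `run_live` is the thin wrapper that makes the real boto3 calls.

```python
"""CI gate: reject a candidate IAM policy that is more permissive than a reference policy.

Added example, not AWS's or the author's code. The API names, parameters and
response shapes (findingType, result, reasons) are those of the real
IAM Access Analyzer ValidatePolicy and CheckNoNewAccess operations; every
policy and sample response in this file is constructed.
"""
import json

# Constructed reference policy: the most access the security team will allow.
REFERENCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadOnlyBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# Constructed candidate from a pull request: it adds s3:PutObject, i.e. new access.
CANDIDATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ReadWriteBucket",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}

# ValidatePolicy finding types that should block a merge (SUGGESTION/WARNING are advisory).
BLOCKING_FINDING_TYPES = {"ERROR", "SECURITY_WARNING"}


def build_requests(candidate: dict, reference: dict) -> tuple[dict, dict]:
    """Return keyword arguments for validate_policy and check_no_new_access.

    Both APIs take policy documents as JSON strings, not dicts.
    """
    validate_args = {
        "policyDocument": json.dumps(candidate),
        "policyType": "IDENTITY_POLICY",
    }
    check_args = {
        "newPolicyDocument": json.dumps(candidate),
        "existingPolicyDocument": json.dumps(reference),
        "policyType": "IDENTITY_POLICY",
    }
    return validate_args, check_args


def blocking_validation_findings(validate_response: dict) -> list[dict]:
    """Findings from ValidatePolicy that are severe enough to fail the build."""
    return [f for f in validate_response.get("findings", [])
            if f.get("findingType") in BLOCKING_FINDING_TYPES]


def new_access_reasons(check_response: dict) -> list[str]:
    """Human-readable reasons from CheckNoNewAccess, or [] when the result is PASS."""
    if check_response.get("result") == "PASS":
        return []
    reasons = [r.get("description", "new access detected")
               for r in check_response.get("reasons", [])]
    return reasons or [check_response.get("message", "new access detected")]


def gate(validate_response: dict, check_response: dict) -> bool:
    """True when the candidate policy may be merged, False when it must be blocked."""
    return (not blocking_validation_findings(validate_response)
            and not new_access_reasons(check_response))


def run_live(candidate: dict, reference: dict, region: str = "us-east-1") -> bool:
    """Run the gate against the real service; needs boto3 and AWS credentials."""
    import boto3  # imported here so the pure functions above work offline
    client = boto3.client("accessanalyzer", region_name=region)
    validate_args, check_args = build_requests(candidate, reference)
    return gate(client.validate_policy(**validate_args),
                client.check_no_new_access(**check_args))


# Constructed sample responses, shaped like the real API output.
SAMPLE_VALIDATE_CLEAN = {"findings": []}
SAMPLE_VALIDATE_BAD = {"findings": [{"findingType": "SECURITY_WARNING",
                                     "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
                                     "findingDetails": "constructed sample finding"}]}
SAMPLE_CHECK_FAIL = {"result": "FAIL", "message": "The updated policy grants new access.",
                     "reasons": [{"description": "New access in the statement.",
                                  "statementIndex": 0, "statementId": "ReadWriteBucket"}]}
SAMPLE_CHECK_PASS = {"result": "PASS", "message": "The updated policy does not grant new access."}

if __name__ == "__main__":
    allowed = gate(SAMPLE_VALIDATE_CLEAN, SAMPLE_CHECK_FAIL)
    print("merge allowed:", allowed, "reasons:", new_access_reasons(SAMPLE_CHECK_FAIL))
    raise SystemExit(0 if allowed else 1)  # non-zero exit fails the pipeline step
```

In a pipeline step you would call `run_live(candidate, reference)` and exit non-zero on `False`; treating `SUGGESTION` and `WARNING` findings as advisory while `ERROR` and `SECURITY_WARNING` block is a policy choice, and the set in `BLOCKING_FINDING_TYPES` is where a security team would tune it.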
Good security requires guardrails that guide practitioners to better solutions without getting in the way. S3 Block Public Access and IAM Access Analyzer are two powerful mechanisms you can use now to make your AWS resources more secure.
Any opinions in this post are those of the individual author and may not reflect the opinions of AWS.