Crowdsourced list of sensitive IAM Actions
There exists no definitive list of Sensitive IAM Actions that can lead to credential or data access, privilege escalation, or making resources public. Several tools have tried to take an opinion on this issue, but there is no centralized list of these sensitive IAM Actions that tools and IAM policy writers can reference.
This repo contains a list of IAM Actions that fall into one of four risk categories:
- Credential Exposure
- Data Access
- Privilege Escalation
- Resource Exposure
That list is then parsed into these files:
- A list of actions annotated with Service Authorization Reference (SAR) information, in JSON and YAML.
- JSON Policy documents you can attach to your users and roles to Deny actions in specific risk categories.
The addition of an action to these lists can be subjective. Is a pull request in a CodeCommit repo sensitive? What about the comments in an AWS Support case? It depends on what the person puts in. Others can be more obvious, like the list of users in a Cognito user pool, data in a DynamoDB table, or access to the data in an ElasticSearch cluster.
The script `policy-generation.py` allows you to customize your policies to an extent. If there are specific actions you want to exclude from the explicit deny, you can specify them using `--exclude-actions`. If there are a handful of resource ARNs that you need to access, say a specific S3 Bucket, you can use the `--exclude-resources` flag, and they will be added to the policy using a `NotResource` field.
```text
usage: policy-generation.py [-h] [--debug] --risk {PrivEsc,ResourceExposure,CredentialExposure,DataAccess,ALL}
                            [--exclude-resources EXCLUDE_RESOURCES [EXCLUDE_RESOURCES ...]]
                            [--exclude-actions EXCLUDE_ACTIONS [EXCLUDE_ACTIONS ...]] [--action-file ACTION_FILE]
                            --policy-file POLICY_FILE

optional arguments:
  -h, --help            show this help message and exit
  --debug               print debugging info
  --risk {PrivEsc,ResourceExposure,CredentialExposure,DataAccess,ALL}
                        Risk Categories to generate a policy for
  --exclude-resources EXCLUDE_RESOURCES [EXCLUDE_RESOURCES ...]
                        Which Resources to exclude (via NotResource)
  --exclude-actions EXCLUDE_ACTIONS [EXCLUDE_ACTIONS ...]
                        Which Actions will not be included in the Deny statement
  --action-file ACTION_FILE
                        Action Database to use
  --policy-file POLICY_FILE
                        Filename for generated policy
```
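As an added illustration of the exclusion logic described above (this is not the repo's own `policy-generation.py`; `SAMPLE_ACTIONS` and `build_deny_policy` are assumed names and the action subset is constructed), the following stand-alone Python builds an explicit-Deny policy for one or more risk categories, drops excluded actions, and switches the statement to `NotResource` when resource ARNs are excluded:

```python
import json

# Constructed, hypothetical subset of the action database; the real
# actions.yaml carries many more entries and annotations.
SAMPLE_ACTIONS = {
    "PrivEsc": ["iam:CreateAccessKey", "iam:PutUserPolicy", "sts:AssumeRole"],
    "DataAccess": ["s3:GetObject", "dynamodb:GetItem", "lambda:GetFunction"],
}


def build_deny_policy(actions_by_risk, risks, exclude_actions=(), exclude_resources=()):
    """Build an explicit-Deny policy for the requested risk categories.

    Actions listed in exclude_actions are left out of the Deny statement.
    If exclude_resources is non-empty the statement uses NotResource, so the
    Deny applies to every resource except those ARNs; otherwise Resource "*".
    """
    chosen = actions_by_risk.keys() if "ALL" in risks else risks
    selected = [a for risk in chosen for a in actions_by_risk[risk]]
    # IAM action names are case-insensitive, so exclusions are compared lower-cased.
    excluded = {a.lower() for a in exclude_actions}
    actions = sorted({a for a in selected if a.lower() not in excluded}, key=str.lower)
    if not actions:
        # An empty Action list is not a valid IAM statement; fail loudly instead.
        raise ValueError("all selected actions were excluded; nothing to deny")
    statement = {"Sid": "DenySensitiveActions", "Effect": "Deny", "Action": actions}
    if exclude_resources:
        statement["NotResource"] = list(exclude_resources)
    else:
        statement["Resource"] = "*"
    return {"Version": "2012-10-17", "Statement": [statement]}


if __name__ == "__main__":
    policy = build_deny_policy(
        SAMPLE_ACTIONS,
        ["DataAccess"],
        exclude_actions=["lambda:GetFunction"],
        exclude_resources=["arn:aws:s3:::example-bucket/*"],  # constructed ARN
    )
    print(json.dumps(policy, indent=2))
```

Because an explicit Deny overrides any Allow, review the `NotResource` list carefully: every ARN not listed there stays denied for the selected actions.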
Adding a new sensitive action is as simple as updating the `actions.yaml` file with the new sensitive action. A GitHub Action will then run to regenerate the annotated files and the JSON policies.
While the data access actions are generally comprehensive, they may not work for all use cases. A FinOps user might not need to run cloudtrail:LookupEvents, or lambda:GetFunction to access source code, whereas a security auditor or incident responder would need those permissions. Breaking the data access category down into sub-categories such as source code, possible PII, etc., may need to be considered.
Several experts in the cloud security community have built tooling to wrangle the complexity of AWS IAM and to parse AWS's Service Authorization Reference. This repo is based on the work from:
- Parliament is an AWS IAM linting library from Scott Piper and Duo Labs.
- Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege from Kinnaird McQuade and Salesforce.
- Permissions.cloud, from Ian Mckay, uses a variety of information gathered within the IAM Dataset and exposes that information in a clean, easy-to-read format.
- IAM Dataset, also from Ian Mckay.
  - This repo leverages its iam_definitions.json file to annotate the actions.
  - The initial list of sensitive actions was sourced from add_managed_policies.py, which in turn was sourced from Cloudsplaining.
- Monitor AWS Managed IAM Policies from Victor GRENU.
- AWS Service Authorization scrape from Brian Crowell is a JSON-formatted version of the AWS Service Authorization Reference packaged for use in Node.js and for querying directly from raw GitHub.
- AWS API calls that return credentials - Kinnaird McQuade
- Resource Exposure Actions - Kinnaird McQuade
- Unwanted Permissions that may impact security when using the ReadOnlyAccess policy in AWS - Rodrigo Montoro
- IAM Dataset's list of PrivEsc, Resource Exposure, and Credential Exposure Actions - Ian Mckay
- Sensitive AWS API Calls That Return Credentials and Data - Kinnaird McQuade