AWS’s Access Analyzer Preview Access is Great — But Is It Enough?
Learn the ins and outs of the preview access capability in Access Analyzer.
In case you missed it, last week Amazon announced a preview access capability in Access Analyzer for predicting external access to resources before applying a resource based policy.
If you read our previous post on managing access to sensitive strings and KMS keys, you know that Access Analyzer is an AWS tool that detects external access granted to resources of supported types, such as S3 buckets, IAM Roles and KMS keys. Until now, Access Analyzer was effective only after applying a policy. The new preview access enhancement uses automated reasoning to let you see what external access a resource based policy allows -- such as a bucket policy on an S3 bucket -- prior to applying it.
As advocates of least privilege, we recommend that every organization do its best to minimize exposure of resources by granting the least access needed to perform any given business function. Minimum privilege is probably most relevant for entities outside your AWS account. We therefore believe that Access Analyzer is a tool that every security practitioner using AWS will want to be familiar with. We also believe that the new preview capability is an excellent enhancement that shows Amazon’s commitment to helping its clients secure access to their sensitive resources.
Yet, while a step forward, AWS’s update further reminds us of what native AWS security instruments are missing: granular and continuous insight into the access permissions -- current and recommended -- for all entities.
For example, AWS Access Analyzer can help you pick up on unintended access to a resource granted to an external entity by reporting all access instances and letting you archive any that are intended and respond to any that aren’t. But what if the intended access you provided in the past has gone unused for some time? The access may no longer be needed -- if so, it should be removed. Access Analyzer is not able to detect this. And if the permission you grant an external entity is over privileged -- that is, only partially used? Providing a permissions set in its entirety increases your organization’s cloud attack surface for no good reason. Access Analyzer gives some visibility into existing external access but does not offer any insight into if the permissions are excessive and how to remediate the risk if so.
Another AWS tool, Access Advisor, analyzes usage of access permissions to services by IAM objects such as users, groups, roles and policies. So, theoretically, Access Advisor can give insight or otherwise assist in the matter of over privileged permissions -- however, it does not support resource based policies. Also, as noted, Access Advisor reviews access at the service level. As a result, it is not able to detect excessive permissions at the action level (e.g, an entity that only uses s3:GetObject but also has permission for s3:DeleteObject) or resource specific level (e.g., an entity that uses only one bucket but has access to all of them).
Fortunately, this lack of granular visibility and insight in AWS, which poses potential risks to security, can be resolved using visualization and automated analysis by platforms such as Ermetic. By constantly reviewing permissions and activity logs, Ermetic determines and displays with visual granularity which entities -- internal and external -- have permissions that are excessive, and proposes remediation steps. Such analysis tools are invaluable in protecting your cloud infrastructure by minimizing the blast radius of a potential breach and/or addressing compliance requirements.
For example, the screenshot below illustrates how Ermetic helps you see excessive permissions granted to entities from external accounts (notice the “Cross Account” filter) on an S3 bucket. Ermetic does this at a granular, contextual level, showing which permissions are excessive because they are not used (red arrows) -- including specific actions that are allowed but have not been used and specific buckets that are accessible but have not been accessed.
If you’d like to find out more about how Ermetic can help you reduce the attack surface on your cloud resources, contact us for a demo.