It’s a new beginning! Ermetic is now Tenable Cloud Security.

New Open-Source Tool Tackles Pesky Access Denial Messages in AWS

In an interview with CSO, Ermetic Research Lead Noam Dahan explains the new open-source tool for AWS.

By Tenable Cloud Security

CSO writes about Ermetic's announcement of the new open-source tool for AWS.

"Administrators befuddled by AWS access-denied messages will welcome a new open-source tool announced Thursday by cloud infrastructure security company Ermetic. The Access Undenied tool analyzes AWS CloudTrail AccessDenied events by scanning an environment to identify and explain the reasons for the events and offer actionable, least-privilege remediation suggestions."

Ermetic Research Lead Noam Dahan explains the complexities of AWS access management, saying that it has a fair share of moving parts and policies. Those complications are intensified by error messages that are not clear, although some obscurity is necessary since AWS doesn't want to give unprivileged actors details on the exact content. A balance is needed between enabling troubleshooting for builders and obscuring information from attackers.

"Access Undenied makes troubleshooting easier for builders. It analyzes AWS “access denied” events and offers actionable remediation steps to facilitate access. A user can completely control its permissions and actions, and it does not send data to anyone. It can be used from the command line interface on a local machine on single or batches of events, or even run from a lambda function and have a lambda that receives an event and returns the reason that access was denied."

Dahan hopes that Ermetic's new open-source tool will encourage more use of least-privilege access. "We want people to become interested in least-privilege and facilitating usability in their environments without opening them up excessively," he says.
