AWS Security – Improving Access Management


July 5, 2019

AWS Access Management

One of the most common questions asked in discussions with customers is how to put effective security controls in place without too much overhead. In this blog post, we highlight three techniques announced by AWS in the recent past to strengthen access control: controlling access to AWS resources using tags, delegating role creation using permission boundaries, and using AWS Session Manager to access EC2 instances.

How To Improve Access Management On AWS?

Tag Based Access Control

This is a newer feature that simplifies permissions management. It controls access to AWS resources through conditions in IAM policies that match specific tags or tag values.

Note: Tag-based resource level IAM permissions are supported for specific services only.

The way this works is: you tag IAM principals (users and roles), and you also tag existing resources and new resources as they are created. You then write general permission rules based on these tags. This provides fine-grained resource access without having to update policies every time you create something new.

Consider the examples below:
  • When a user creates resources, enforce that specific tags (such as ‘cost-center’, ‘environment’, ‘app-id’) are set on the resources. For example, when attaching a volume to an EC2 instance, the policy enforces that the volume carries a mandatory compliance tag; if it does not, the user will not be able to attach the volume to the instance. [Effect: Allow; Action: attachVolume; Resource: ec2-instance; Condition: ResourceTag/env:dev]
  • Control which developers can tag which resources, e.g. allow tagging everything with appId=A but disallow any tagging when appId=B.
  • Control which resources users can manage based on tags. For example, allow starting/stopping EC2 instances only for the user whose name is the value of the Owner tag. [Effect: Allow; Action: ec2:StartInstances, ec2:StopInstances; Resource: ec2-instance; Condition: ResourceTag/Owner= ${aws:username}]

Delegation Of Roles Using Permission Boundary

Permission boundaries allow an administrator to delegate permissions to developers safely by defining the maximum permissions a developer can apply. This is quite useful in organizations where DevOps teams work with a centralized admin team and need to move fast without waiting for centralized admin approval for every single permission change. Here is how this works:

  • An administrator defines max permissions called permission boundary
  • The developer creates a role with permission boundary attached
  • Developer assigns specific permissions to the newly created role
  • Effective permissions are the intersection of permission boundary created by admin and permissions policy created by the developer

Here is a step-by-step example with simplified pseudo-code:
  • The administrator creates a policy (myPB) for the permissions boundary, which grants limited DynamoDB permissions in the us-east-1 region.

[Effect: Allow; Action: dynamodb:putItem, dynamodb:updateItem; Resource: *; Condition: region=us-east-1]

  • The administrator creates a policy that allows the employee to create IAM roles only with the permission boundary attached, and only if the role name starts with the prefix pbAppRole.

[Effect: Allow; Action: iam:createRole, iam:attachRolePolicy; Resource: <aws-account-number>:role/pbAppRole*; Condition: iam:PermissionBoundary=<aws-account-number>:policy/myPB]

  • The administrator creates a policy that allows employees to pass the role.

[Effect: Allow; Action: iam:passRole; Resource: <aws-account-number>:role/pbApp*]

  • The developer creates a role with the permission boundary attached and grants it permissions.

[Effect: Allow; Action: dynamodb:*; Resource: <aws-account-number>:table/pbTable]

In the above example, even though the developer's role is granted full DynamoDB access, its effective permissions are restricted to the developer's table in the us-east-1 region only.
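To make both patterns concrete, the following is an added example (not code from the original post): a small offline model of how IAM evaluates the tag-based Owner condition with the ${aws:username} variable, and how a permission boundary is intersected with the developer's role policy. The policy documents use real IAM JSON shapes; the account id, instance id and table ARNs are placeholders constructed for the example, and only the StringEquals condition operator is modeled.

```python
import fnmatch
ACCOUNT = "111122223333"  # placeholder account id, not a real account

def _as_list(x):
    return x if isinstance(x, list) else [x]

def statement_applies(stmt, action, resource, ctx):
    # Action and Resource use IAM-style wildcards; only StringEquals conditions are
    # modeled, and the ${aws:username} policy variable is expanded from the context.
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    for key, want in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if ctx.get(key) != want.replace("${aws:username}", ctx.get("aws:username", "")):
            return False
    return True

def evaluate(policy, action, resource, ctx):
    # One policy document: an explicit Deny wins, else Allow if any statement allows,
    # else None (implicit deny).
    decision = None
    for stmt in policy["Statement"]:
        if statement_applies(stmt, action, resource, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision

def is_allowed(identity_policy, action, resource, ctx, boundary=None):
    # Effective permission is the intersection: the identity policy must allow, and
    # so must the permission boundary when one is attached to the role.
    if evaluate(identity_policy, action, resource, ctx) != "Allow":
        return False
    return boundary is None or evaluate(boundary, action, resource, ctx) == "Allow"

# Tag-based pattern: start/stop only instances whose Owner tag equals the caller.
OWNER_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["ec2:StartInstances", "ec2:StopInstances"],
    "Resource": f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/*",
    "Condition": {"StringEquals": {"ec2:ResourceTag/Owner": "${aws:username}"}}}]}

# Boundary pattern: the admin's boundary myPB (two DynamoDB actions, us-east-1 only)
# and the developer's role policy that grants dynamodb:* on one table.
MY_PB = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
    "Resource": "*", "Condition": {"StringEquals": {"aws:RequestedRegion": "us-east-1"}}}]}
DEV_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "dynamodb:*",
    "Resource": f"arn:aws:dynamodb:*:{ACCOUNT}:table/pbTable"}]}
```

Calling is_allowed with and without boundary=MY_PB shows the difference the boundary makes: dynamodb:DeleteTable on pbTable is allowed by the role policy alone but denied once the boundary is attached.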

Accessing EC2 Instances Using Session Manager

While best practices recommend avoiding direct access to cloud resources and pushing for automation as much as possible, in the real world many customers still need SSH access to their instances while they are transitioning to new ways of doing things.

Below are two commonly used patterns to restrict SSH access to EC2:

  • Using white-listed IPs: IP white-listing becomes cumbersome to manage as the user base grows.
  • Using a bastion host, aka jump server. Some key points to note while configuring a bastion host:
    • Accessing EC2 instances over SSH requires private keys, but you should never store private keys on the bastion. Instead, use SSH agent forwarding to connect first to the bastion host and then to the other instances on a private subnet.
    • Configure the bastion host's security group to allow SSH access only from trusted hosts / the corporate network / white-listed IPs.
    • Configure the EC2 instance's security group to allow SSH access only from the bastion host.

While a bastion host does help isolate access and resources, it comes with additional overhead: it needs to be managed and patched, and it has a cost associated with it.

Another major issue with SSH is that SSH activity is not logged natively, i.e. there is no audit trail.

Last year AWS announced a new service, AWS Session Manager, to address these problems. Session Manager provides a browser-based interactive shell and a command-line interface to manage Windows and Linux instances.

AWS Session Manager Features

  • Session Manager communicates with instances via the SSM Agent (requires SSM Agent version 2.3.12 or above).
  • No SSH keys are required, since security controls are implemented through IAM roles and policies.
  • Audit trail through CloudTrail; logging of commands and responses through CloudWatch; SNS notifications can be configured when a new session is initiated.
  • Provides a platform for automation when combined with Lambda.

Although AWS provides many security capabilities and services, the techniques described above can help strengthen access management in AWS. They do, however, need to be configured based on the security requirements of the organization.
