Automated IAM Access Analyzer Role Policy Generator is a sample implementation of periodic monitoring of an AWS IAM Role in order to achieve continuous permission refinement of that role. The goal of the solution is to present an operational, continuous least-privilege approach for a particular role, so that its permissions are tightened in an ongoing manner.
The target architecture of the implementation is presented in the diagram below. Given an example IAM Role, Learning, that is to be periodically scanned, the solution creates a CodeCommit entry whose content is the output of IAM Access Analyzer's policy generation. The administrators of the account in which the solution runs can then create an updated IAM Role, Operations, that has the permissions defined in that output.
Automated IAM Access Analyzer Role Policy Generator relies on AWS CloudTrail, AWS IAM Access Analyzer for policy generation, and AWS Step Functions for orchestrating the overall process.
The solution includes two implementations of the same functionality:
- an implementation using AWS CDK that can be deployed as a CloudFormation stack
- an implementation using CDK for Terraform that can be deployed as Terraform IaC
Both stack implementations rely on the following worker lambdas:
- initialize-repository - a lambda for setting up a repository with preliminary allow.json and deny.json files (residing in the repo/ directory)
- provide-context - a helper lambda providing lookup window for the
- Use NodeJS 14 or above
- Install lerna globally (npm i -g lerna)
- In the root directory of the solution run
npm install && npm run bootstrap
- Test & build the Lambda code
npm run test:code
npm run build:code
npm run pack:code
- Build the constructs
npm run build:infra
To deploy the solution with either of the two paths, prepare the following:
- The ARN of the IAM Role to be monitored
- The ARN of the AWS CloudTrail trail that keeps track of the AWS API usage of the IAM Role
- A CRON schedule at which the solution is to perform the analysis
- A number of days to look back in the AWS CloudTrail trail when analysing the AWS API calls for the selected IAM Role.
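The four inputs above end up as a single IAM Access Analyzer StartPolicyGeneration request. The following is an added example (not code from the sample project) of how a worker step could validate those inputs and build that request; the parameter names mirror the deploy commands (roleArn, trailArn, trailLookBack), while accessRole (the role Access Analyzer assumes to read the trail's logs) and the 30-day default look-back are assumptions.

```javascript
// Added example, not part of the sample project. Builds the input object for the
// AWS SDK v3 StartPolicyGenerationCommand (@aws-sdk/client-accessanalyzer) without
// calling AWS, so it runs offline. Assumes the standard "aws" partition.

const ROLE_ARN = /^arn:aws:iam::\d{12}:role\/[\w+=,.@/-]+$/;
const TRAIL_ARN = /^arn:aws:cloudtrail:[a-z0-9-]+:\d{12}:trail\/[\w.-]+$/;
// Access Analyzer generates policies from at most the last 90 days of CloudTrail activity.
const MAX_LOOKBACK_DAYS = 90;
// Assumed default used when the optional trailLookBack parameter is omitted.
const DEFAULT_LOOKBACK_DAYS = 30;

function buildPolicyGenerationInput({ roleArn, trailArn, accessRole, trailLookBack, now = new Date() }) {
  if (!ROLE_ARN.test(roleArn)) throw new Error(`invalid IAM role ARN: ${roleArn}`);
  if (!TRAIL_ARN.test(trailArn)) throw new Error(`invalid CloudTrail trail ARN: ${trailArn}`);
  if (!ROLE_ARN.test(accessRole)) throw new Error(`invalid access role ARN: ${accessRole}`);

  // Reject windows the service cannot serve instead of silently getting an empty policy.
  const days = trailLookBack === undefined ? DEFAULT_LOOKBACK_DAYS : Number(trailLookBack);
  if (!Number.isInteger(days) || days < 1 || days > MAX_LOOKBACK_DAYS) {
    throw new Error(`trailLookBack must be an integer between 1 and ${MAX_LOOKBACK_DAYS}, got ${trailLookBack}`);
  }
  const endTime = new Date(now);
  const startTime = new Date(endTime.getTime() - days * 24 * 60 * 60 * 1000);

  return {
    policyGenerationDetails: { principalArn: roleArn },
    cloudTrailDetails: {
      accessRole,
      startTime,
      endTime,
      // allRegions: a policy generated from one region only would omit actions the role
      // used elsewhere, and applying it would break the role rather than refine it.
      trails: [{ cloudTrailArn: trailArn, allRegions: true }],
    },
  };
}

module.exports = { buildPolicyGenerationInput, MAX_LOOKBACK_DAYS, DEFAULT_LOOKBACK_DAYS };
```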
- The prerequisites from the previous section
- An active AWS account
- AWS CLI installed and configured for the AWS account
- AWS CDK installed
- optionally synthesize the CloudFormation template
lerna exec cdk synth --scope @aiaa/cfn
- go to the directory with the infrastructure defined with the AWS CDK
cd infra/cdk
- deploy the AWS CDK stack
cdk deploy --parameters roleArn=<selected_role_arn> \
--parameters trailArn=<trail_arn> \
--parameters schedule=<schedule_expression> \
[--parameters trailLookBack=<trail_look_back> ]
The square brackets denote optional parameters. Note that the deploy command accepts all other AWS CDK flags as well (e.g. to specify a non-default region for deployment).
- After a successful deployment go to the AWS Account in the region and verify that the CloudFormation stack has been deployed successfully.
- The prerequisites from the previous section
- An active AWS account
- AWS CLI installed and configured for the AWS account
- Terraform CLI installed
- CDKTF CLI installed
- optionally synthesize the Terraform template
lerna exec cdktf synth --scope @aiaa/tfm
- Make a note of the AWS Account ID (it will be used as a Terraform parameter later)
- Go to the directory with the infrastructure defined with the CDK for Terraform
cd infra/cdktf
- Deploy the CDK for Terraform definition
TF_VAR_accountId=<accountId> \
TF_VAR_region=<region> \
TF_VAR_roleArns=<selected_role_arn> \
TF_VAR_trailArn=<trail_arn> \
TF_VAR_schedule=<schedule_expression> \
[ TF_VAR_trailLookBack=<trail_look_back> ] \
cdktf deploy
- After a successful deployment go to the AWS Account in the region and verify that the resources defined in the CDK for Terraform template are present.