Broad Permissions
Closed this issue · 4 comments
Good day,
The permissions policy seems quite broad for this to function. For instance, s3:DeleteBucket for "Resource": "*" does not seem necessary. Have the permissions been scoped to least privilege for the integration to function?
This method for gathering AWS data for Splunk looks very promising but the scope of the permissions make me a bit uneasy.
Thanks
I will be working with the team to make these permissions more specific to the resources that Grand Central uses.
It's that "Resource": "*" that's the killer. I'm reasonably fine with things controlling their own assets as long as those are reasonably constrained, but when you give carte blanche for some of these, it gets thoroughly dangerous. There's quite a bit here that can be an issue for exfiltration of data or security configuration, but that's the nature of any reporting platform.
Off-hand, the particularly problematic ones on scope are:
- cloudwatch:PutMetricData
- config:DeliverConfigSnapshot
- events:PutEvents
- events:PutRule
- events:PutTargets
- firehose:DeleteDeliveryStream
- iam:AttachRolePolicy
- iam:CreateRole
- iam:CreateUser
- iam:DeleteRole
- iam:DeleteRolePolicy
- iam:DeleteUser
- iam:DetachRolePolicy
- iam:PassRole
- iam:PutRolePolicy
- kms:Decrypt
- lambda:DeleteFunction
- lambda:RemovePermission
- logs:DeleteSubscriptionFilter
- logs:PutSubscriptionFilter
- s3:DeleteBucket
- s3:GetObject
- s3:PutBucketVersioning
- sns:Publish
- sqs:DeleteMessage
- sqs:ReceiveMessage
- sqs:SendMessage
- sts:AssumeRole
s3:GetObject is a bit different here than the rest, but since it gives that user the ability to literally see anything that's been put in an S3 bucket in the account, I thought it was worth calling out in the list.
I just went in and fixed the permissions so that the resource "*" is now just limited to less impactful services. The new copy of the IAM policy is available in the Readme.md. The catch is that you will need to insert 'grandcentral' as a prefix for the Deployment Name in the UI.
This can be modified for your own use case, but for consistency I've added it to the policy. I tested it with a Cloudwatch log group, Config and Cloudtrail.
Closing the issue. If there are any additional issues with this policy, please open a new issue and we will look into it.
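The two points raised in this thread, the list of high-impact actions granted on "Resource": "*" and the fix of narrowing those resources to a 'grandcentral' deployment-name prefix, can be checked mechanically. The script below is an added example written for this page; it is not the project's policy or tooling. It takes an IAM policy document, reports every action from the list above that is allowed on "*" (expanding Action wildcards such as "lambda:*" the way IAM does), and then rewrites the wildcard resources to prefix-scoped ARNs. The sample policy, the account ID 123456789012 and the ARN templates in SCOPED_ARNS are constructed for the demo; the real ARN shapes the integration needs depend on which resources it actually creates, so treat them as an assumption to adapt, not as the project's policy.

```python
"""Flag high-impact IAM actions granted on Resource "*" and rewrite them to a prefix scope.

Added example for this thread; not the project's own policy or code.
"""
import fnmatch
import json

# Actions the thread calls out as dangerous when granted on Resource "*".
HIGH_IMPACT_ACTIONS = {
    "cloudwatch:PutMetricData", "config:DeliverConfigSnapshot",
    "events:PutEvents", "events:PutRule", "events:PutTargets",
    "firehose:DeleteDeliveryStream",
    "iam:AttachRolePolicy", "iam:CreateRole", "iam:CreateUser", "iam:DeleteRole",
    "iam:DeleteRolePolicy", "iam:DeleteUser", "iam:DetachRolePolicy",
    "iam:PassRole", "iam:PutRolePolicy",
    "kms:Decrypt", "lambda:DeleteFunction", "lambda:RemovePermission",
    "logs:DeleteSubscriptionFilter", "logs:PutSubscriptionFilter",
    "s3:DeleteBucket", "s3:GetObject", "s3:PutBucketVersioning",
    "sns:Publish", "sqs:DeleteMessage", "sqs:ReceiveMessage", "sqs:SendMessage",
    "sts:AssumeRole",
}

# Constructed sample policy for the demo. NOT the project's real policy.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:DeleteBucket", "s3:GetObject", "s3:ListBucket"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PassRole", "lambda:*"],
         "Resource": "*"},
        # Describe/List calls like these take no resource ARN and must stay on "*".
        {"Effect": "Allow",
         "Action": ["cloudtrail:DescribeTrails", "config:DescribeConfigurationRecorders"],
         "Resource": "*"},
    ],
}

# Illustrative ARN templates for a deployment-name prefix (assumption for the demo):
# the bucket and its objects, roles, and functions that carry the prefix.
SCOPED_ARNS = {
    "s3": ["arn:aws:s3:::{prefix}*", "arn:aws:s3:::{prefix}*/*"],
    "iam": ["arn:aws:iam::{account}:role/{prefix}*"],
    "lambda": ["arn:aws:lambda:*:{account}:function:{prefix}*"],
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return sorted (action, statement_index) pairs for high-impact actions allowed on "*".

    Action entries may themselves be wildcards ("lambda:*"), and IAM matches them
    case-insensitively, so each entry is expanded against the watch list with fnmatch.
    """
    hits = set()
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for pattern in _as_list(stmt["Action"]):
            for action in HIGH_IMPACT_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    hits.add((action, idx))
    return sorted(hits)


def scope_policy(policy, prefix="grandcentral", account="123456789012"):
    """Return a copy where Resource "*" is narrowed to prefix-scoped ARNs.

    A statement is only rewritten when every service it touches has a template in
    SCOPED_ARNS; statements with Describe/List-style calls that take no resource ARN
    are left alone so the scoped policy still works.
    """
    scoped = json.loads(json.dumps(policy))  # deep copy, leave the input untouched
    for stmt in _as_list(scoped["Statement"]):
        if stmt.get("Effect") != "Allow" or _as_list(stmt.get("Resource", [])) != ["*"]:
            continue
        services = {a.split(":", 1)[0].lower() for a in _as_list(stmt["Action"])}
        if not services <= set(SCOPED_ARNS):
            continue
        stmt["Resource"] = sorted({
            template.format(prefix=prefix, account=account)
            for service in services for template in SCOPED_ARNS[service]
        })
    return scoped


if __name__ == "__main__":
    for action, idx in find_wildcard_grants(SAMPLE_POLICY):
        print(f"statement {idx}: {action} allowed on Resource \"*\"")
    print(json.dumps(scope_policy(SAMPLE_POLICY), indent=2))
```

Running it against the sample reports the s3, iam and lambda grants (the "lambda:*" entry expands to lambda:DeleteFunction and lambda:RemovePermission), and the scoped copy reports nothing while the Describe-only statement keeps its "*". Scoping the resource is the second half of the fix; the first half, which the original report asks about, is still to decide whether an action such as s3:DeleteBucket is needed by the integration at all, and a scoped grant of a destructive action is still a destructive grant.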