awslabs/aws-automated-incident-response-and-forensics

AmazonS3ReadOnlyAccess should not be attached to compromised instances

benbridts opened this issue · 1 comments

The AmazonS3ReadOnlyAccess policy is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3-object-lambda:Get*",
                "s3-object-lambda:List*"
            ],
            "Resource": "*"
        }
    ]
}

so attaching this to an instance would allow an attacker to:

  • list all the buckets in an account, including their properties (and possibly find misconfigured buckets)
  • list all the objects in those buckets, including their metadata and older versions
  • download (or copy to an attacker-controlled bucket) all objects that are not encrypted with a customer-managed CMK.

I would expect a security tool to have exactly the right Actions and Resources to only execute the actions it needs.
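A check for the kind of over-broad grant described above, as an added example that is not part of the issue or the project's code: it expands the wildcard actions of the quoted policy against a short list of S3 actions that correspond to the capabilities listed (enumerate buckets, enumerate objects and versions, read objects and bucket properties), and compares the result with a hypothetical resource-scoped policy. The bucket name and the assumption that the tool only needs `s3:PutObject` into one forensics bucket are constructed for the example.

```python
import fnmatch

# Constructed copy of the AmazonS3ReadOnlyAccess document quoted in the issue.
S3_READ_ONLY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:Get*", "s3:List*",
                   "s3-object-lambda:Get*", "s3-object-lambda:List*"],
        "Resource": "*",
    }],
}

# Hypothetical least-privilege alternative (assumption for this example: the
# tool only needs to write evidence into a single forensics bucket).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": "arn:aws:s3:::EXAMPLE-forensics-bucket/*",
    }],
}

# Real S3 actions matching the capabilities the issue lists: list buckets and
# their properties, list objects (including versions), read objects (including
# older versions).
SENSITIVE_ACTIONS = [
    "s3:ListAllMyBuckets", "s3:GetBucketPolicy",
    "s3:ListBucket", "s3:ListBucketVersions",
    "s3:GetObject", "s3:GetObjectVersion",
]


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def reachable_sensitive_actions(policy):
    """Sensitive actions granted account-wide (Resource "*") by Allow statements."""
    hits = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # resource-scoped statements are not flagged by this check
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action wildcards are case-insensitive, so compare lowercased.
            for action in SENSITIVE_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    hits.add(action)
    return sorted(hits)
```

Running `reachable_sensitive_actions(S3_READ_ONLY)` reports every action in the list; the scoped policy reports none.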

Thanks Ben! This is an issue in the docs rather than the code; if you look at the 6-member-IR-automation.yaml you will see that we actually only attach the SSM Managed Instance policy and not the S3 role:

  IAMIRRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: 'IAMIRRole'
      AssumeRolePolicyDocument:
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "ec2.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Path: "/"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"

This was a remnant from an earlier iteration, but it seems I forgot to remove this from the documentation.