
Primary language: Python. License: Creative Commons Zero v1.0 Universal (CC0-1.0).

Sensitive IAM Actions

Crowdsourced list of sensitive IAM Actions

What is this?

There exists no definitive list of Sensitive IAM Actions that can lead to credential or data access, privilege escalation, or making resources public. Several tools have tried to take an opinion on this issue, but there is no centralized list of these sensitive IAM Actions that tools and IAM policy writers can reference.

This repo contains a list of IAM Actions that fall into one of four risk categories:

  • Credential Exposure
  • Data Access
  • Privilege Escalation
  • Resource Exposure

That list is then parsed into these files:

  • A list of actions annotated with SAR information in JSON and YAML.
  • JSON Policy documents you can attach to your users and roles to Deny actions in specific risk categories.

The addition of an action to these lists can be subjective. Is a pull request in a CodeCommit repo sensitive? What about the comments in an AWS Support case? It depends on what the person puts in. Others can be more obvious, like the list of users in a Cognito user pool, data in a DynamoDB table, or access to the data in an ElasticSearch cluster.

Generating your own policies

The script policy-generation.py allows you to customize your policies to an extent. If there are specific actions you want to exclude from the explicit deny, you can specify them using --exclude-actions. If there are a handful of resource ARNs that you need to access, say a specific S3 Bucket, you can use the --exclude-resources flag, and they will be added to the policy using a NotResource field.

First, install the script's dependencies. A Python venv is an easy way:

python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt

Then you can run the script:

usage: policy-generation.py [-h] [--debug] --risk {PrivEsc,ResourceExposure,CredentialExposure,DataAccess,ALL}
                            [--exclude-resources EXCLUDE_RESOURCES [EXCLUDE_RESOURCES ...]]
                            [--exclude-actions EXCLUDE_ACTIONS [EXCLUDE_ACTIONS ...]] [--action-file ACTION_FILE]
                            --policy-file POLICY_FILE

optional arguments:
  -h, --help            show this help message and exit
  --debug               print debugging info
  --risk {PrivEsc,ResourceExposure,CredentialExposure,DataAccess,ALL}
                        Risk Categories to generate a policy for
  --exclude-resources EXCLUDE_RESOURCES [EXCLUDE_RESOURCES ...]
                        Which Resources to exclude (via NotResource)
  --exclude-actions EXCLUDE_ACTIONS [EXCLUDE_ACTIONS ...]
                        Which Actions will not be included in the Deny statement
  --action-file ACTION_FILE
                        Action Database to use
  --policy-file POLICY_FILE
                        Filename for generated policy

How to Contribute

Adding a new sensitive action is as simple as updating the actions.yaml file with the new sensitive action. A GitHub action will run to update the annotated files and the JSON policies.

Future Work

While the data access actions are generally comprehensive, they may not fit every use case. A FinOps user might not need to run cloudtrail:LookupEvents or lambda:GetFunction (which exposes function source code), while a security auditor or incident responder would need those permissions. Breaking data access down into sub-categories such as source code or possible PII may need to be considered.

Prior Art

Several experts in the cloud security community have built tooling to wrangle the complexity of AWS IAM and to parse AWS's Service Authorization Reference. This repo is based on the work from:

Related Tools

Blog Posts & Articles