IAM me Privilegj Minimal

Mesatar 15 min Siguria në Cloud

Hyrje

Least privilege in cloud IAM means granting each identity exactly the permissions it needs to do its job — nothing more.

Teoria

In AWS, IAM policies are JSON documents that list allowed actions, resources, and conditions. A developer who only needs to read from one S3 bucket should have a policy that lists s3:GetObject on arn:aws:s3:::that-bucket/* and nothing else. Attaching AmazonS3FullAccess instead gives them read/write on every bucket in the account and turns a stolen API key into a tenant-wide incident. Azure RBAC and GCP IAM have similar concepts and the same principle applies. In practice, least privilege is hard because you rarely know in advance which permissions an application actually needs. The workflow is: start with a narrow policy, observe denials in CloudTrail or equivalent logs, and grant missing permissions one at a time. AWS IAM Access Analyzer, Policy Simulator and GCP Policy Troubleshooter help automate this. Service Control Policies (in AWS Organizations) apply account-wide guardrails that cannot be bypassed even by admins within a member account, letting security teams block whole categories of risky actions. The highest-impact improvement in most environments is removing long-lived access keys in favor of short-lived tokens via OIDC federation (GitHub Actions, CircleCI) or workload identity (GCP, Azure managed identities, AWS IRSA for EKS). A credential that does not exist cannot be stolen; one that expires every hour is a much smaller target.

Mjetet

Mjete:

  • AWS IAM Access Analyzer, IAM Policy Simulator.
  • Prowler, ScoutSuite, CloudSploit.
  • Cloudsplaining — scan IAM policies për risqe.

Praktika

Politikë IAM me privilegj minimal (lexo një S3 specifik):

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": [
      "arn:aws:s3:::app-assets",
      "arn:aws:s3:::app-assets/*"
    ],
    "Condition": {
      "IpAddress": { "aws:SourceIp": "10.0.0.0/24" }
    }
  }]
}

Skanim:

prowler aws -c check11 -c check33
cloudsplaining scan --input-file account-authorization-details.json

Ushtrime

  1. Shkruaj një policy për një user që vetëm lexon CloudWatch Logs për një log group specifik.
  2. Ekzekuto Prowler në një test account dhe rregullo 3 finding-e HIGH.

Burime

Vlerësimet dhe komentet

Kyçu për të lënë një vlerësim.

Ende pa komente. Bëhu i pari!

Diskutime

Ende pa diskutime. Hap një temë të re