AWS LPA Usage

IAM License

With InsightCloudSec version 22.10.5, the following features no longer require the IAM license:

To use these features, Self-hosted customers will need to add at least one AWS EC2 P3 worker to their InsightCloudSec environment (see Access Explorer - Setup for more information). Workers are automatically managed for SaaS customers, so these features will be available after you upgrade to version 22.10.5. In a future release (November 2022), this requirement will be removed and these features will rely on an existing worker pool.

After AWS LPA is successfully configured, you should be able to access the Principal Activity (LPA) functionality in two ways:

  1. From the Inventory > Resources page on your InsightCloudSec platform
    • Navigate to the Identity & Management tab. The principal activity view can only be accessed on the Cloud User and Cloud Role resources.
    • Once you've selected the desired resource, click the vertical three dots to open the context menu, then click Principal Activity. This opens a side pane listing all of the actions taken by the selected user or role.
  2. From the Access Explorer > Principals through the context menu Principal Activity option

Principal Activity Details

The Principal Activity pane contains permissions (or Policy Actions) that have been used within the selected time frame (7, 30, 60, or 90 days) as well as remediation support. This will provide useful information to support remediation of risk but should be used in conjunction with additional context of the Principal being assessed.

  • Permissions
    • Use the search field to narrow the scope of used permissions
    • Adjust the timeframe of the evaluation using the drop-down
    • Click the Download icon to download the Detailed Permission Usage (JSON) file
    • Click Policy Stack to open this resource in the Principal Explorer
  • Remediation
    • Click + to expand the available policies
      • Adjust the timeframe of the evaluation using the drop-down
      • Click Download to download the Access Remediation Policy file
        • The Access Remediation Policy cannot be downloaded or viewed for the service-linked-role Principal type (Cloud Role)
    • If you have the appropriate permissions, click Apply Remediation to apply the desired remediation policy.

Considerations Before Editing

Prior to making changes to a policy based on this information we recommend the following:

  • Have the information assessed by a qualified reviewer with knowledge of your specific infrastructure and implementation, to avoid unwanted impacts (e.g., loss of a required permission)
  • Ensure that you have an existing process to revert or remediate issues prior to making changes

Detailed Permission Usage (JSON)

The Detailed Permission Usage JSON file includes the following information for the given principal:

  • The action name (the API action as logged, e.g. ecr.BatchGetImage)
  • The count, i.e. the number of times the action was invoked (omitted when the action was never invoked in the time frame)
  • The last executed date for the action (likewise omitted when never invoked)
  • The name of the AWS permission (Policy Action) the action maps to
  • The category of the permission (e.g. read, list)
  • The status of the permission (Used, Unused, or Un-assessed)

The Used, Unused, and Un-assessed classification that InsightCloudSec provides for a given Principal is based on the information available from the relevant Cloud Service Provider (CSP), and it is accurate with respect to the usage data that provider exposes. You can use it to decide which permissions to keep in, or remove from, the Principal's policy stack. The three classifications, as used by this feature and by InsightCloudSec, are described below.

If you want to programmatically collect this information, review the List Principal Activity and List Principal Permissions endpoints.

Used Permissions

Used Permissions are based on API actions which we have visibility of through the configured data collection (see the AWS LPA Setup documentation).

We map API Actions (as logged through CloudTrail) to Permissions for User Activity. Because of how AWS has structured its services, there is not a 1-to-1 mapping of API Action to Permission (or Policy Action): several API Actions can exercise a single Permission. We maintain this mapping and return a list of Used Permissions. An example, for AWS Budgets:

API Action                   Permission (Policy Action)
Budgets.CreateBudget         budgets:ModifyBudget
Budgets.CreateNotification   budgets:ModifyBudget
Budgets.CreateSubscriber     budgets:ModifyBudget
Budgets.DeleteBudget         budgets:ModifyBudget
Budgets.DeleteNotification   budgets:ModifyBudget
Budgets.DeleteSubscriber     budgets:ModifyBudget

Unused Permissions

We calculate Unused Permissions starting from the Principal's permission set (derived from a subset of Effective Access; resource policies are not considered at present). From this set we subtract the Used and Un-assessed Permissions, and the remainder is the set of Permissions determined to have been unused in the given timeframe.

Because this depends on an Effective Access calculation, Unused Permissions require the IAM License to be enabled and are currently supported only for AWS. Without the license, we return only the Used and Un-assessed Permissions for a given Principal.

Un-assessed Permissions

When a Permission appears in a Principal's effective access but we are unable to assess it, we will highlight this as an Un-assessed Permission to ensure it’s not confused with an unused permission.

Even for services that do log User Activity (for example to CloudTrail in AWS), there can be other obstacles to determining usage, and these are taken into account. For S3 in AWS, for example, logging can be enabled or disabled per bucket, so a Principal may be exercising granted Permissions against a bucket that has logging disabled. In this situation, if we identify S3 user activity for a Permission we consider it Used, but if we identify none we classify it as Un-assessed rather than Unused. We are currently exploring options that would allow Unused Permissions to be determined in this case.

Service Limitation

There are certain AWS services whose usage InsightCloudSec cannot assess, typically because the service does not log via the relevant method (CloudTrail for AWS). This is a current limitation; we are exploring alternative approaches for supporting these services.
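The following is an added illustration of the classification described in the preceding sections (Used, Unused, Un-assessed, and the service limitation); it is not InsightCloudSec's own code. Everything in it is constructed for the example: the CloudTrail-style records, the many-to-one API-action-to-permission map, the principal's effective-access set, and the lists of services with no or only partial CloudTrail coverage (the "exampleservice" entry is hypothetical). It treats any permission of a partially logged service that shows no activity as Un-assessed, which is the S3 rule above.

```python
"""Derive Used / Unused / Un-assessed permissions for one principal.

Added illustration, not InsightCloudSec code. All inputs are constructed.
"""

# Constructed many-to-one map of CloudTrail (eventSource, eventName) to the
# IAM policy action it exercises, mirroring the Budgets example in the text.
API_ACTION_TO_PERMISSION = {
    ("budgets.amazonaws.com", "CreateBudget"): "budgets:ModifyBudget",
    ("budgets.amazonaws.com", "DeleteBudget"): "budgets:ModifyBudget",
    ("ecr.amazonaws.com", "BatchGetImage"): "ecr:BatchGetImage",
    ("ecr.amazonaws.com", "GetAuthorizationToken"): "ecr:GetAuthorizationToken",
    ("s3.amazonaws.com", "GetObject"): "s3:GetObject",
}

# Constructed: a hypothetical service with no CloudTrail visibility at all.
UNLOGGED_SERVICES = {"exampleservice"}
# Constructed: services where logging can be switched off per resource, so
# silence is not proof of non-use (bucket-level logging for S3 in the text).
PARTIALLY_LOGGED_SERVICES = {"s3"}

# Constructed CloudTrail-style records for the principal under review.
CLOUDTRAIL_EVENTS = [
    {"eventSource": "budgets.amazonaws.com", "eventName": "CreateBudget",
     "eventTime": "2022-08-30T10:00:00Z"},
    {"eventSource": "budgets.amazonaws.com", "eventName": "DeleteBudget",
     "eventTime": "2022-08-31T09:30:00Z"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
     "eventTime": "2022-08-29T03:25:52Z"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "BatchGetImage",
     "eventTime": "2022-08-31T03:25:52Z"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "GetAuthorizationToken",
     "eventTime": "2022-08-31T03:25:51Z"},
    {"eventSource": "ecr.amazonaws.com", "eventName": "UnmappedCall",
     "eventTime": "2022-08-31T03:25:51Z"},
]

# Constructed effective-access set from identity policies only; resource
# policies are deliberately not considered, as in the text.
EFFECTIVE_ACCESS = {
    "budgets:ModifyBudget", "ecr:BatchGetImage", "ecr:GetAuthorizationToken",
    "ecr:DescribeImages", "s3:GetObject", "s3:ListBucket",
    "exampleservice:DescribeThing",
}


def aggregate_used(events, mapping, since):
    """Collapse API actions into permissions within the evaluation window.

    Returns {permission: {"count", "last_executed_date", "actions"}}.
    Timestamps are ISO-8601 UTC strings of identical shape, so plain string
    comparison orders them correctly.
    """
    used = {}
    for ev in events:
        if ev["eventTime"] < since:
            continue  # outside the 7/30/60/90-day window being evaluated
        perm = mapping.get((ev["eventSource"], ev["eventName"]))
        if perm is None:
            continue  # no known mapping: cannot attribute to a permission
        entry = used.setdefault(
            perm, {"count": 0, "last_executed_date": "", "actions": set()})
        entry["count"] += 1
        entry["actions"].add(
            ev["eventSource"].split(".")[0] + "." + ev["eventName"])
        entry["last_executed_date"] = max(entry["last_executed_date"],
                                          ev["eventTime"])
    return used


def classify(effective, used):
    """Label every permission in effective access.

    Used: seen in the logs. Un-assessed: the service is not logged, or is
    only partially logged and nothing was seen, so absence proves nothing.
    Unused: everything else, i.e. effective minus Used minus Un-assessed.
    """
    rows = []
    for perm in sorted(effective):
        service = perm.split(":", 1)[0].lower()
        if perm in used:
            rows.append({"permission": perm, "status": "Used",
                         "count": used[perm]["count"],
                         "last_executed_date": used[perm]["last_executed_date"],
                         "actions": sorted(used[perm]["actions"])})
        elif service in UNLOGGED_SERVICES or service in PARTIALLY_LOGGED_SERVICES:
            rows.append({"permission": perm, "status": "Un-assessed"})
        else:
            rows.append({"permission": perm, "status": "Unused"})
    return rows


def status_by_permission(rows):
    """Convenience view: {permission: status}."""
    return {r["permission"]: r["status"] for r in rows}


if __name__ == "__main__":
    seen = aggregate_used(CLOUDTRAIL_EVENTS, API_ACTION_TO_PERMISSION,
                          since="2022-06-02")
    for row in classify(EFFECTIVE_ACCESS, seen):
        print(row)
```

Note that ecr:DescribeImages is the only permission that comes out Unused: both S3 permissions are Un-assessed because nothing was observed for a partially logged service, and the unmapped ECR call contributes nothing, exactly the situations the text warns about.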

Access Remediation Policy

The Access Remediation Policy download is a JSON file that will assist in remediating the unused and/or un-assessed permissions for a given principal. InsightCloudSec currently offers two policies:

  • Deny NotAction -- This policy denies ALL actions except those listed in the NotAction element. In that element InsightCloudSec lists every Used and Un-assessed Permission, so if applied, the Principal keeps the ability to execute the actions it used in the time period plus those marked un-assessed. Un-assessed permissions are included because we have no evidence either way and do not want to revoke access that may in fact be in use.
  • Deny All -- This policy denies all permissions regardless of usage. If applied, the Principal can no longer perform any action.

For example, you have identified that a given Principal has overly permissive access based on the analysis of its historical activity within InsightCloudSec. Based on this activity (along with the business context of the role and its associated permissions), you may want to remediate this potential risk by removing access to Unused Permissions. Because the download is a complete IAM policy document, it can be attached to that Principal through the AWS console or the CLI. Keep in mind that an explicit Deny takes precedence over every Allow in the Principal's policy stack: the Deny All policy removes access immediately, and the Deny NotAction policy narrows the Principal to the listed actions on all resources (its Resource element is "*", so it does not narrow the scope by resource).

Here is an example "Deny NotAction" policy for a user (the Version element must be 2012-10-17, the policy-language version IAM accepts for new policies):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LPADenyUnusedPermissions",
      "Effect": "Deny",
      "NotAction": [
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ecr:GetAuthorizationToken",
        "ecr:DescribeRepositories"
      ],
      "Resource": ["*"]
    }
  ]
}
```

The above policy is based on the following Detailed Permission Usage output for the same user. Note that the Unused entries carry no action, count, or last_executed_date, and that permission names are lower-cased; IAM action matching is case-insensitive, so this does not affect the generated policy:

```json
{
  "end": "2022-08-31",
  "page": 1,
  "permissions": [
    {
      "action": "ecr.BatchGetImage",
      "category": "read",
      "count": 861,
      "last_executed_date": "2022-08-31T03:25:52",
      "permission": "ecr:batchgetimage",
      "status": "Used"
    },
    {
      "action": "ecr.DescribeImages",
      "category": "read",
      "count": 791,
      "last_executed_date": "2022-08-31T03:25:51",
      "permission": "ecr:describeimages",
      "status": "Used"
    },
    {
      "action": "ecr.DescribeRepositories",
      "category": "read",
      "count": 65,
      "last_executed_date": "2022-08-31T03:05:38",
      "permission": "ecr:describerepositories",
      "status": "Used"
    },
    {
      "action": "ecr.GetAuthorizationToken",
      "category": "read",
      "count": 857,
      "last_executed_date": "2022-08-31T03:25:51",
      "permission": "ecr:getauthorizationtoken",
      "status": "Used"
    },
    {
      "category": "read",
      "permission": "ecr:batchchecklayeravailability",
      "status": "Unused"
    },
    {
      "category": "read",
      "permission": "ecr:describeregistry",
      "status": "Unused"
    },
    {
      "category": "read",
      "permission": "ecr:getdownloadurlforlayer",
      "status": "Unused"
    },
    {
      "category": "list",
      "permission": "ecr:listimages",
      "status": "Unused"
    }
  ],
  "principal": {
    "name": "sample-principal",
    "resource_id": "serviceuser:123456:AIDA12ABCDEF1ABCDEF1A:",
    "resource_type": "serviceuser"
  },
  "start": "2022-06-02",
  "total_pages": 1,
  "warnings": {}
}
```
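The following added example shows how the two Access Remediation Policies follow from a Detailed Permission Usage document, and what each one actually denies; it is not InsightCloudSec's own code or the page's own download. USAGE_DOC is a constructed, shortened version of the sample output above (with one Un-assessed S3 entry added to show how that status is handled) and assumes the same field names ("permissions", "permission", "status"). The evaluator implements only the Deny/Action/NotAction matching needed here, not the full IAM evaluation logic, and uses the policy-language Version IAM accepts, 2012-10-17.

```python
"""Build the Deny NotAction and Deny All remediation policies from a
Detailed Permission Usage document and check what each would deny.

Added example, not InsightCloudSec code. USAGE_DOC is constructed.
"""
import json
import re

# Constructed, abbreviated Detailed Permission Usage document.
USAGE_DOC = {
    "start": "2022-06-02",
    "end": "2022-08-31",
    "principal": {"name": "sample-principal", "resource_type": "serviceuser"},
    "permissions": [
        {"permission": "ecr:batchgetimage", "status": "Used", "count": 861},
        {"permission": "ecr:getauthorizationtoken", "status": "Used", "count": 857},
        {"permission": "ecr:describeregistry", "status": "Unused"},
        {"permission": "ecr:listimages", "status": "Unused"},
        {"permission": "s3:getobject", "status": "Un-assessed"},
    ],
}

# The policy-language version IAM accepts for new policies.
IAM_POLICY_VERSION = "2012-10-17"


def deny_not_action_policy(doc, keep_statuses=("Used", "Un-assessed")):
    """Deny everything except permissions whose status is in keep_statuses.

    Un-assessed permissions are kept by default: their usage is unknown, so
    revoking them could break something that is in fact in use.
    """
    keep = sorted({p["permission"] for p in doc["permissions"]
                   if p["status"] in keep_statuses})
    return {
        "Version": IAM_POLICY_VERSION,
        "Statement": [{
            "Sid": "LPADenyUnusedPermissions",
            "Effect": "Deny",
            "NotAction": keep,
            "Resource": ["*"],
        }],
    }


def deny_all_policy():
    """Deny every action regardless of usage."""
    return {
        "Version": IAM_POLICY_VERSION,
        "Statement": [{
            "Sid": "LPADenyAll",
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
        }],
    }


def _matches(pattern, action):
    """IAM-style action matching: case-insensitive, '*' and '?' wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def denied_by(policy, action):
    """True if any Deny statement in POLICY applies to ACTION.

    An explicit Deny wins over every Allow in the principal's policy stack,
    so True means the action is lost no matter what else is attached.
    Resource matching is skipped because both policies use "*".
    """
    for st in policy["Statement"]:
        if st.get("Effect") != "Deny":
            continue
        if "Action" in st:
            if any(_matches(p, action) for p in st["Action"]):
                return True
        elif "NotAction" in st:
            if not any(_matches(p, action) for p in st["NotAction"]):
                return True
    return False


def to_policy_document(policy):
    """Serialise for `aws iam put-user-policy --policy-document file://...`."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    policy = deny_not_action_policy(USAGE_DOC)
    print(to_policy_document(policy))
    for action in ("ecr:BatchGetImage", "ecr:ListImages", "s3:GetObject"):
        print(action, "denied" if denied_by(policy, action) else "kept")
```

Running it shows ecr:ListImages denied while ecr:BatchGetImage and the un-assessed s3:GetObject are kept; passing keep_statuses=("Used",) produces the stricter variant that also cuts the un-assessed permission, which is the trade-off the text describes. The serialised document can be attached with `aws iam put-user-policy --user-name <user> --policy-name LPADenyUnusedPermissions --policy-document file://policy.json` (or `put-role-policy` for a role), after the review steps listed under Considerations Before Editing.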