[HN Gopher] Normalizing AWS IAM Policies for use in automated an...
___________________________________________________________________
Normalizing AWS IAM Policies for use in automated analysis
Author : dboeke
Score : 21 points
Date : 2021-02-11 19:51 UTC (3 hours ago)
(HTM) web link (steampipe.io)
(TXT) w3m dump (steampipe.io)
| ocdnix wrote:
| Reminds me of Lyft's thing from a couple of months ago:
| https://news.ycombinator.com/item?id=25000950
|
| I would love to get answers to questions like "which users have
| access to resource X, including implicitly through one or more
| assume-role jumps, across these N accounts, including stuff like
| iam:PassRole, even including tag-based policies?". Add a time
| dimension too, like "who had access to X between Jun and Aug
| 2020?", and you'd have a winner. Would such queries be possible
| here?
| whoknew1122 wrote:
| I just glanced over the source, but I think the answer is no in
| both cases.
|
| > "which users have access to resource X, including implicitly
| through one or more assume-role jumps, across these N accounts,
| including stuff like iam:PassRole, even including tag-based
| policies?"
|
| This would be difficult to pull off because you'd need to make
| separate calls to each of your accounts to determine this sort
| of thing. And if you're looking at assuming roles through
| multiple accounts, you have to consider whether external Ids
| are defined.
|
| And if external Ids are defined, how do you handle that? Do you
| assume the caller has the external Id?
|
| > "who had access to X between Jun and Aug 2020?"
|
| This one would be easier, but would require integration with
| AWS Config.
| fatjohnny wrote:
| The joins are very powerful. For example - you can connect a
| lambda function to its IAM role and then right through to the
| attached policies. We have quite a few join examples scattered
| through the AWS table docs. For tags, Steampipe actually
| normalizes a tags column across AWS, Azure, GCP & DigitalOcean
| tables. It's always available as a JSONB {"foo":"bar"} format,
| even if the source was labels like DigitalOcean, so definitely
| possible to find resources with specific tags. We have multi-
| account on the near-term roadmap, but the idea of historical
| searches is a super interesting and challenging idea... we
| haven't started to contemplate yet. Perhaps using snapshots
| into a materialized view would work for comparisons over time?
| fatjohnny wrote:
| Hey ... author here. Happy to answer any questions, and would
| love your feedback or suggestions!
| whoknew1122 wrote:
| Hey there. This looks interesting. It looks like you're
| enumerating IAM managed policies. How do you handle inline
| policies? That seems like it'd be a blindspot if you're just
| enumerating the policies in the account.
| fatjohnny wrote:
| We also return the inline policies for users, groups, and
| roles. There's an open issue to convert them to standard form
| that I expect will be done in the next week, so this will
| also be possible.
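The "standard form" the thread keeps coming back to is the crux of the whole topic: IAM accepts a statement as an object or a list, an Action or Resource as a string or a list, and mixed case in action names, so the same grant can be spelled many ways and a naive string comparison or join misses it. The following Python is an added example, not Steampipe's code and not the `policy_std` column's exact rules; the canonical form it produces (list-wrapped, lower-cased, sorted and de-duplicated values, statements sorted by their JSON text) and the deliberately simplified `effective_decision` evaluator (explicit Deny wins, Conditions are flagged rather than evaluated, NotAction/NotResource statements are skipped) are my assumptions. The two sample policy documents are constructed for the demonstration.

```python
import json
import re

# Statement keys whose value IAM accepts either as one string or as a list of
# strings. The canonical form always uses a sorted, de-duplicated list.
LIST_KEYS = ("Action", "NotAction", "Resource", "NotResource")


def _as_sorted_list(value):
    """Wrap a scalar in a list, then sort and de-duplicate (key=str keeps
    mixed bool/str condition values sortable)."""
    if not isinstance(value, list):
        value = [value]
    return sorted(set(value), key=str)


def normalize_statement(stmt):
    """One statement in canonical form (assumed rules, not Steampipe's)."""
    out = {}
    if "Sid" in stmt:
        out["Sid"] = stmt["Sid"]
    out["Effect"] = stmt["Effect"]
    for key in LIST_KEYS:
        if key in stmt:
            # IAM matches action names case-insensitively, so lower-casing
            # makes "S3:GetObject" and "s3:getobject" compare equal.
            out[key] = sorted({v.lower() for v in _as_sorted_list(stmt[key])})
    for key in ("Principal", "NotPrincipal"):
        if key in stmt:
            principal = stmt[key]
            if isinstance(principal, str):      # the bare "*" form
                out[key] = principal
            else:
                out[key] = {k: _as_sorted_list(v) for k, v in principal.items()}
    if "Condition" in stmt:
        out["Condition"] = {
            operator: {ck: _as_sorted_list(cv) for ck, cv in keys.items()}
            for operator, keys in stmt["Condition"].items()
        }
    return out


def normalize_policy(document):
    """Parse a policy document (JSON string or dict) into canonical form.
    A lone statement object becomes a one-element list; statements are
    sorted by their JSON text so equivalent documents compare equal."""
    if isinstance(document, str):
        document = json.loads(document)
    statements = document.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    normalized = [normalize_statement(s) for s in statements]
    normalized.sort(key=lambda s: json.dumps(s, sort_keys=True))
    out = {"Statement": normalized}
    if "Version" in document:
        out["Version"] = document["Version"]
    return out


def policies_equivalent(a, b):
    """True when two documents normalize to the same canonical form."""
    return normalize_policy(a) == normalize_policy(b)


def _iam_pattern(pattern):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def effective_decision(policy, action, resource):
    """Evaluate one action/resource pair against a normalized policy.
    Returns (decision, conditional): explicit Deny beats Allow, no match is
    the implicit deny (None); a Condition is reported, not evaluated, so a
    reviewer can see which grants are conditional. Simplified on purpose:
    NotAction/NotResource statements are skipped."""
    decision, conditional = None, False
    for stmt in policy["Statement"]:
        if not any(_iam_pattern(a).match(action) for a in stmt.get("Action", [])):
            continue
        if not any(_iam_pattern(r).match(resource) for r in stmt.get("Resource", [])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny", "Condition" in stmt
        decision = "Allow"
        conditional = conditional or "Condition" in stmt
    return decision, conditional


# Constructed sample documents (not real account data). The inline one is
# written the way hand-typed policies often are: a bare statement object, a
# string Action in mixed case, and a duplicated Resource entry.
SAMPLE_INLINE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "S3:GetObject",
                  "Resource": ["arn:aws:s3:::example-bucket/*",
                               "arn:aws:s3:::example-bucket/*"]},
})

SAMPLE_MANAGED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadObjects", "Effect": "Allow",
         "Action": ["s3:getobject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket/*",
                      "arn:aws:s3:::example-bucket"]},
        {"Sid": "UploadWithMfa", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-bucket/uploads/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "DenyDelete", "Effect": "Deny",
         "Action": "s3:DeleteObject", "Resource": "*"},
    ],
})
```

Once every inline and managed policy in an account has been pushed through `normalize_policy`, the questions raised in the thread reduce to loops over uniform lists: `effective_decision(normalize_policy(doc), "s3:GetObject", some_arn)` answers "does this document grant X on Y" for one document, and grouping the `conditional` flag separately keeps tag- and MFA-conditioned grants visible instead of silently counting them as unconditional access.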
___________________________________________________________________
(page generated 2021-02-11 23:02 UTC)