[HN Gopher] Launch HN: Slauth.io (YC S22) - IAM Policy Auto-Gene...
       ___________________________________________________________________
        
       Launch HN: Slauth.io (YC S22) - IAM Policy Auto-Generation
        
       Hey HN, we are Daniel and Tal, Co-founders of Slauth.io
       (https://www.slauth.io). Slauth auto-generates IAM policies in
       order to save engineering time and make your policies more secure.
       If you're an engineer, you probably know how tedious and error-
       prone it can be to manually write IAM policies. We surveyed over 70
       engineers and found out that a majority are using or have used
       wildcards (*) in order to quickly write IAM policies.  By using
       client-side monitoring or via a proxy, Slauth.io observes all of
       the API activity and generates a policy based on functionality and
       least privileges.  Once deployed in a remote environment, or run
       locally, you will need to run an end-to-end test using a wildcard
       policy. Slauth will observe the activity, apply its logic based on
       large amounts of behavioral patterns of the service you deploy, and
       create a high quality IAM policy.  The IAM policy will be presented
       through the Slauth Dashboard where it can be copy/pasted or as a
       pull-request into your Git repository ready to be reviewed.
       Integrations with IaC services such as Terraform are also
       available.  Our objective is to automate manual error-prone IAM
       policy writing in order to increase engineering velocity, reduce
       friction and harden security.  Would love your feedback on the
       value proposition and if you would use the AWS SDK or Slauth proxy
       for onboarding.  Feel free to also sign up for Beta usage!
       https://www.slauth.io
        
       Author : DanielSlauth
       Score  : 57 points
       Date   : 2022-12-18 15:39 UTC (7 hours ago)
        
       | asdfzalsd wrote:
        | The fact that there is an entire service because AWS is so
        | confusing is hilarious.
        
         | DanielSlauth wrote:
         | We eventually want to make this agnostic and have it work for
         | all cloud vendors. Pretty complex to write policies if you are
         | running multi-cloud!
        
       | pfoof wrote:
       | Also a tool that will detect when more permissions are needed
       | will be appreciated. For now it's running `tf apply`, getting
       | 403, searching and reading CloudTrail, changing one permission,
       | goto 1
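The launch post's approach (observe the API calls a service actually makes, then emit a least-privilege policy) and the 403-then-CloudTrail loop described in the comment above, as an added Python example that is not Slauth's or iamlive's code. The CloudTrail-style records are constructed sample data; the scope levels ("exact", "bucket", "service") are an assumed illustration of resource narrowing.

```python
import json
from collections import defaultdict

# Constructed CloudTrail-style records (sample data): three successful calls and one AccessDenied.
SAMPLE_EVENTS = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q4.csv"}]},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "resources": [{"ARN": "arn:aws:s3:::example-bucket/reports/q4.csv"}]},
    {"eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
     "resources": [{"ARN": "arn:aws:sqs:us-east-1:123456789012:jobs"}]},
    {"eventSource": "dynamodb.amazonaws.com", "eventName": "PutItem",
     "resources": [{"ARN": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"}],
     "errorCode": "AccessDenied"},
]

def iam_action(event):
    """Map eventSource + eventName to an IAM action string such as s3:GetObject."""
    service = event["eventSource"].split(".")[0]
    return f"{service}:{event['eventName']}"

def resource_scope(arn, level):
    """'exact' keeps the ARN, 'bucket' widens S3 object keys to bucket/*, 'service' gives '*'."""
    if level == "service":
        return "*"
    if level == "bucket" and arn.startswith("arn:aws:s3:::"):
        bucket = arn[len("arn:aws:s3:::"):].split("/", 1)[0]
        return f"arn:aws:s3:::{bucket}/*"
    return arn

def build_policy(events, level="exact"):
    """Fold successful calls into Allow statements; denied calls go to the gap report instead."""
    grants = defaultdict(set)  # frozenset of resource ARNs -> set of actions
    for ev in events:
        if ev.get("errorCode"):
            continue
        arns = frozenset(resource_scope(r["ARN"], level) for r in ev.get("resources", []))
        grants[arns or frozenset({"*"})].add(iam_action(ev))
    statements = [{"Effect": "Allow", "Action": sorted(acts), "Resource": sorted(arns)}
                  for arns, acts in grants.items()]
    return {"Version": "2012-10-17", "Statement": statements}

def denied_actions(events):
    """List actions that failed with AccessDenied, i.e. what the current policy still lacks."""
    return sorted({iam_action(ev) for ev in events if ev.get("errorCode") == "AccessDenied"})

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS), indent=2))
    print("still denied:", denied_actions(SAMPLE_EVENTS))
```

Running with a wildcard policy during the end-to-end test should leave the denied list empty; anything that appears there is the permission the next iteration of the loop would have had to add by hand.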
        
         | tal-slauth wrote:
         | That's definitely something we are addressing! Would you like
         | to sign up for the beta? Will love getting your feedback and
         | helping you remediate this pain
        
       | leonardinius wrote:
       | I have used https://github.com/iann0036/iamlive with great
       | success in the past. On high level, the approach you are
       | describing is iamlive on steroids and UX improved.
       | 
       | Kudos on launch, will check your beta
        
       | cube2222 wrote:
       | Could you expand on how this compares to IAM's built-in Access
       | Analyzer[0]?
       | 
       | [0]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access-
       | anal...
        
         | DanielSlauth wrote:
         | We have found several "problems" that we think can be done
         | better 1) CloudTrail requires to run for a duration of time
         | before suggesting a policy which means long time until getting
         | value. What do you do until the suggestion? Run a less secure
          | policy? 2) CloudTrail actually doesn't log all events so we are
         | using either AWS SDK metrics or a proxy to make sure we get all
         | activity 3) Integrations with Terraform, Git repository in
         | order to make it easy to use in day to day 4) Hopefully in the
         | future we can extend to other cloud vendors :)
        
         | tal-slauth wrote:
         | To add some more pros, Access Analyzer has limits on the amount
         | of policies you can generate at a certain time and doesn't
         | support all AWS services
        
       | ramimac wrote:
       | How would you compare your offering to
       | https://github.com/iann0036/iamlive (an opensource implementation
       | of IAM generation from client-side monitoring or proxy, released
       | in Feb 2021)?
        
         | tal-slauth wrote:
         | We definitely love iamlive! Iamlive is easy to operate manually
         | on a single instance, and outputs the results to the terminal,
         | making it great for local exploration. We focus on observing
         | IAM at scale, collecting data from multiple sources - local /
         | staging / per-developer environments etc. We know to find the
         | relevant IaC code piece and generate policies in the form of
         | Git Pull Requests.
        
       | berkle4455 wrote:
       | The time to the first content paint on that website is incredibly
       | slow.
        
       | igammarays wrote:
       | When you need a whole YC-funded startup just to configure
       | permissions of your cloud host, you know something is rotten
       | about this entire industry.
        
       | leongold wrote:
       | Great idea! I can definitely see this getting serious traction
        
       | alon7 wrote:
       | Looks great. Any thoughts about expanding to GCP in the future?
        
         | DanielSlauth wrote:
         | Yes def! We wanted to quickly validate the need so started with
         | AWS but if we get good traction we will expand to GCP next :)
         | Feel free to share with AWS users so that we can get going :D
        
       | Alifatisk wrote:
       | I like the website but I wish I could control the slider between
       | insecure policy and secure policy, it's a bit too fast.
        
       | erikerikson wrote:
       | See also: https://github.com/puresec/serverless-puresec-cli
        
         | DanielSlauth wrote:
         | Thanks! Will have a look. Have you used it? If so, would love
         | to learn what you liked and didn't like
        
       | bastawhiz wrote:
       | > 3 IAM policies per month
       | 
       | This is... Not a useful number of policies. I've got a terraform
       | setup for my one person business and I probably have two orders
       | of magnitude more policies than this.
       | 
       | Who is this targeted at? Which policies am I supposed to use
       | these three on? What kind of service only has three policies? How
       | am I supposed to evaluate your service with this small number of
       | policies? The problem is that they might be the "perfect" global
       | maximum goodness policies, but they exist in a web of policies
       | that all need to be correct together. So three does nothing to
       | show me how good your service is, and it's not useful (afaict)
       | for ongoing work.
       | 
       | Here's how I can see you fixing this:
       | 
       | - Just charge me. Give me a trial. Let me pay up front and have a
       | money back policy. Let me generate what I need and see whether
       | it's useful.
       | 
       | - Give me unlimited free policies, but charge for things like
       | tightening down resource access (e.g., narrowing access to
       | specific S3 buckets instead of just narrowing access to S3).
        
         | DanielSlauth wrote:
          | Thank you for the feedback!! We needed something to start off
          | with but your arguments are very fair so we will have to change
          | it. Would you like to sign up for the Beta and give it a try?
          | Would absolutely love your opinionated feedback :D Also, how
          | much would you pay? Could you give us some insights there?
        
           | bastawhiz wrote:
           | If you dumped out terraform code for policies, I'd probably
           | pay up to $150/mo for some very reasonable number of policies
           | (200?).
        
       | cpach wrote:
       | Website down...?
        
         | DanielSlauth wrote:
         | Getting slower haha... HN is generating traffic but will have
         | to ask Webflow what's going on lol
        
       | based2 wrote:
       | https://airiam.io/
       | 
       | https://github.com/JamesWoolfenden/pike
        
         | tal-slauth wrote:
         | Thanks!
         | 
         | Didn't know about Pike :) Looks interesting, though it is based
         | on a static analysis approach which has its downsides since it
         | might not look the same as the actual activity.
         | 
         | AirIAM was an inspiration for us - it is generally good to
         | group users together and for finding unused policies. We focus
         | on generating an exact policy per identity.
        
       | jedberg wrote:
       | Are you familiar with ConsoleMe from Netflix?
       | https://netflixtechblog.com/consoleme-a-central-control-plan...
       | 
       | It sounds like your product is very similar, so you might be able
       | to borrow some ideas.
        
         | DanielSlauth wrote:
         | Thanks!! Looks really good. I hope we can contribute from a
         | different angle by focussing on the creation of the policy and
         | ideally expand beyond AWS :) Thanks for the heads up
        
         | tal-slauth wrote:
         | Thanks! We were partially inspired by it. Our approach is
         | slightly different - we believe we shouldn't be the focal point
         | of IAM but rather integrate with the existing tools
         | organizations use such as Git, Terraform etc
        
       ___________________________________________________________________
       (page generated 2022-12-18 23:01 UTC)