SSRF Defense Step 2: Manage IAM Role Location Restrictions
The second guardrail in our SSRF Defense series is all about managing IAM role location restrictions. For anyone new to this series, these solutions are based around Rich Mogull’s post on breaking the kill chain in AWS using IAM roles.
The Problem: Protecting Against SSRF
As Rich explained, there are ways within AWS to get AWS credentials which allow API access and remote call execution. Some of those functions, like the metadata service, are core to how AWS works so they aren’t going away. The protection challenge is how to configure things, knowing we can’t just rely on the credentials for authorization.
Breaking the Kill Chain – Manage IAM Role Location Restrictions
This time we will focus on breaking the kill chain by ensuring policies restrict IAM role usage to specified locations. The key to making this logic work in a complex cloud deployment is to allow flexibility in how you restrict location. Our implementation enables you to restrict by network (IP), VPC, or AWS tags.
Our first opportunity is to restrict use of an IAM role (AssumeRole) to a set of known network IPs.
- D:Ops Guardrail: Correct any IAM role policies that allow access beyond a range of known CIDR blocks.
If IP isn’t an easy way to specify access source locations, you can use VPCs. Here there are 3 ways to think about it: specific ARNs, all account VPCs, or all organizational VPCs. Obviously the more restrictive the better, but any of them can be highly effective.
- D:Ops Guardrail: Correct any IAM role policies that allow for access beyond either specific VPC ARNs, the VPCs of the account, or the VPCs of the organization. Whichever method is preferred will be the one used to correct any incorrect policy definitions.
Finally, if IP and VPCs aren’t easy ways to specify permitted source locations, you can use AWS tags. This can be very powerful if your tag management process is reliable.
- D:Ops Guardrail: Correct any IAM role policies that allow access beyond resources with specific tags.
Check back soon to see what other SSRF Defense functionality we are releasing. Or try our platform out free and analyze your own cloud. It takes less than 20 minutes and no resources to start using our product.