SSRF Defense Step 3: Eliminate Excessive IAM Data Access Permissions
The final guardrail in our SSRF Defense series is all about eliminating IAM policies with excessive data access permissions. For anyone new to this series, these solutions are based on Rich Mogull’s post on breaking the kill chain in AWS using IAM roles.
As Rich explained, AWS offers several ways for code to obtain credentials that enable API access and remote calls. Some of those mechanisms, such as the instance metadata service that hands temporary IAM role credentials to any process running on the instance, are core to how AWS works, so they aren’t going away. The protection challenge is how to configure things securely, understanding that an attacker who reaches the metadata service through SSRF receives the same credentials the workload does, so we can’t rely on possession of credentials alone for secure authorization.
Breaking the Kill Chain
This time we break the kill chain by finding and eliminating policies that grant excessive data access permissions. The key to making this work in a complex cloud deployment is flexibility in how you define “excessive”. Our implementation lets you set the maximum number of buckets or tables a policy may reach and filter by the permissions you care about, so it can identify every IAM policy (managed and inline) that allows operations on DynamoDB tables, S3 buckets, and S3 objects.
Our first opportunity is to identify users, groups, or roles with excessive S3 bucket permissions.
- D:Ops Guardrail: Either restrict S3 IAM policy data access or remove exposed data actions from IAM statement.
Similarly, if we identify any users, groups, or roles with excessive DynamoDB table permissions, we can correct them.
- D:Ops Guardrail: Either remove exposed data actions from IAM statements or restrict DynamoDB IAM user data access.
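The following is an added example, written for this article rather than taken from the platform described here, of how such a check can be expressed over IAM policy documents. It scans each Allow statement for S3 and DynamoDB data-plane actions, resolves the bucket or table names from the Resource ARNs, and flags the statement when it uses a wildcard resource or names more buckets/tables than a configurable maximum; an optional action filter narrows the check to, say, write actions only. The action lists, limits and sample policies are assumptions for illustration, and in practice the documents would come from the IAM API (for example the GetPolicyVersion and GetRolePolicy calls) rather than being embedded inline.

```python
"""Flag IAM policy statements that grant S3 or DynamoDB data actions on more
buckets/tables than a configured maximum, or on a wildcard resource.
Added example for this article; not the platform's own code."""
import fnmatch
import json
import re

# Data-plane actions of interest (an assumption for this example). Metadata
# actions such as s3:GetBucketLocation or dynamodb:DescribeTable do not
# expose data and are deliberately left out.
S3_DATA_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"}
DDB_DATA_ACTIONS = {"dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Query",
                    "dynamodb:Scan", "dynamodb:PutItem", "dynamodb:UpdateItem",
                    "dynamodb:DeleteItem", "dynamodb:BatchWriteItem"}

_S3_ARN = re.compile(r"^arn:aws:s3:::([^/]+)")
_DDB_ARN = re.compile(r"^arn:aws:dynamodb:[^:]*:[^:]*:table/([^/]+)")


def _as_list(value):
    """IAM allows a string or a list in Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _granted(statement, candidates):
    """Which candidate actions does this statement's Action element cover?
    IAM action matching is case-insensitive and supports '*' and '?'."""
    patterns = [p.lower() for p in _as_list(statement.get("Action"))]
    return {a for a in candidates
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}


def _resource_names(resources, service):
    """Bucket or table names referenced by the Resource ARNs.
    A wildcard anywhere in the name collapses to '*' (unbounded reach)."""
    pattern = _S3_ARN if service == "s3" else _DDB_ARN
    names = set()
    for arn in resources:
        if arn == "*":
            names.add("*")
            continue
        match = pattern.match(arn)
        if match:
            name = match.group(1)
            names.add("*" if "*" in name else name)
    return names


def analyze_policy(policy_doc, max_s3_buckets=1, max_ddb_tables=1, only_actions=None):
    """Return one finding per Allow statement that grants data actions on a
    wildcard resource or on more than the allowed number of buckets/tables.
    only_actions optionally narrows the check to specific actions (e.g. writes)."""
    findings = []
    for index, statement in enumerate(_as_list(policy_doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue
        if "NotAction" in statement or "NotResource" in statement:
            # Negated grants cannot be bounded from the document alone.
            findings.append({"statement": index, "service": "any",
                             "reason": "NotAction/NotResource grant; review manually"})
            continue
        resources = _as_list(statement.get("Resource"))
        for service, candidates, limit in (("s3", S3_DATA_ACTIONS, max_s3_buckets),
                                           ("dynamodb", DDB_DATA_ACTIONS, max_ddb_tables)):
            granted = _granted(statement, candidates)
            if only_actions is not None:
                granted &= set(only_actions)
            if not granted:
                continue
            names = _resource_names(resources, service)
            if "*" in names:
                reason = "wildcard resource"
            elif len(names) > limit:
                reason = f"{len(names)} resources exceeds limit of {limit}"
            else:
                continue
            findings.append({"statement": index, "service": service,
                             "actions": sorted(granted), "reason": reason})
    return findings


def excessive_policies(policies, **limits):
    """policies: {policy name: document} for every managed and inline policy
    attached to one user, group or role. Returns the names that need fixing."""
    return sorted(name for name, doc in policies.items() if analyze_policy(doc, **limits))


# Constructed sample documents for the example (not from any real account).
WIDE_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}

SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::app-assets", "arn:aws:s3:::app-assets/*"]},
    {"Effect": "Allow", "Action": "dynamodb:Get*",
     "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}

if __name__ == "__main__":
    for name, doc in {"wide-open-inline": WIDE_OPEN, "scoped-managed": SCOPED}.items():
        print(name, json.dumps(analyze_policy(doc), indent=2))
```

The wide-open policy produces two findings (S3 and DynamoDB, both on a wildcard resource) while the scoped policy, which reaches one bucket and one table, produces none at the default limits. Raising the limits or passing only_actions lets the same logic express a looser or a write-only definition of “excessive” without changing the code.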
The three guardrails in this series now form an automated set of restrictions that breaks the SSRF kill chain: even if an attacker uses SSRF to pull role credentials from the metadata service, those credentials expose limited data, work only from the expected locations, and carry no excess data permissions.
- Manage EC2 and ECS Data Exposure to DynamoDB and S3
- Manage IAM Role Location Restrictions
- Eliminate Excessive IAM Data Access Permissions
Don’t hesitate to reach out with questions, or try out our platform free and run the new analysis on your own cloud. It takes less than 20 minutes and no resources to start using our product.