Level 200

A common task for security engineers is to grant the correct permissions set around the AWS environments applying the least privilege, keeping a central review access, continuous refinement, continuous policy validation. AWS IAM access analyzer provides these capabilities and allows you automate the process.
In this series you can learn how to apply the best practices and automate the process using IAM Access Analyzer and Amazon Boto3 SDK to automate the validation process with AWS Developer tools.

Use case

Imagine that you are a security engineer and must validate the IAM policies documents for IAM identity policies and Inline policies for permissions set. At the beginning a lot of these policies are defined in json format in source code and you must include the validation steps into the CD pipeline to manage the authorization as code.

Solution Overview

Requirements

• validate-aws-policies
• Python >= 3.10.4

AWS Services

• AWS IAM Access Analyzer: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.

• AWS SDK for Python (Boto3): Boto3 makes it easy to integrate your Python application, library, or script with AWS services including Amazon S3, Amazon EC2, Amazon DynamoDB, and more.

Hands On

First, explore the command line tool validate-aws-policies, this allows you to validate a set of policies defined into a folder in simple json format. This tool also allows to create the html report or pdf and also publish the results into a bucket in zip format.

validate-aws-policies -h
usage: validate-aws-policies [-h] [-c] [-u UPLOAD_REPORT] [-b] [-d DIRECTORY_POLICIES_PATH] [-p PROFILE] [-z] [-cp] [-v]

options:
  -h, --help            show this help message and exit
  -c, --ci              Run into pipeline if it's present
  -u UPLOAD_REPORT, --upload_report UPLOAD_REPORT
                        Upload reports to s3 bucket
  -b, --bucket_name     Use this flag for setting the bucket tool if --upload_report is present.
  -d DIRECTORY_POLICIES_PATH, --directory_policies_path DIRECTORY_POLICIES_PATH
                        Path where Policies are defined in json format
  -p PROFILE, --profile PROFILE
                        AWS cli profile for Access Analyzer Api
  -z, --zip_reports     Set in True if you want to create a zip file for reports
  -cp, --create_pdf_reports
                        Set it if you want to create a pdf report, this need wkhtmltopdf file for reports
  -v, --version         Print the package version

For example:

You must have a session with an AWS Profile, for this example the profile name is labvel-devsecops.

Finally, you can watch the html report in your browser or in the terminal output.

The report is created in the same path where you run the command with the date and in html report by default for example: AccessAnalyzerReport_2024-08-04 13:12:07.285648.html.

You can find the source code here:

$ pip install --upgrade validate-aws-policies

$ aws codeartifact login --tool pip --repository <repository_name> --domain <domain> --domain-owner <123456789012>  --profile <profile_name> --region <repository_region>
$ pip install --upgrade validate-aws-policies

Thanks for reading and sharing!! 🤓🤓