
Show HN: Policy_sentry, an AWS IAM Least Privilege Policy Generator - kmcquade
https://github.com/salesforce/policy_sentry
======
bashinator
Related, I've been wondering if there's a tool that will generate a least-
privilege policy out of an existing set of AWS CloudTrail records. It would be
wonderful if I could run terraform from an admin user, pull down the API
calls, and build a policy from them.

~~~
thefrozenone
I believe trailscraper
([https://github.com/flosell/trailscraper](https://github.com/flosell/trailscraper))
does this. See `trailscraper generate`.

~~~
kmcquade
It does, but some disclaimers: 1\. The generated policies have Resources set
to all, not to a specific resource ARN 2\. It downloads all of the CloudTrail
logs. This takes a while. Cloudtracker ([https://github.com/duo-
labs/cloudtracker](https://github.com/duo-labs/cloudtracker)) uses Amazon
Athena, which is more efficient. In the future, I'd like to see a combined
approach between all three of these tools to generate IAM policies based on
Cloudtrail logs. 3\. It is accurate to the point where there is a 1-to-1
mapping with the IAM actions vs CloudTrail logs. As I mentioned in other
comments, since not every IAM Action is logged in CloudTrail and not every
CloudTrail action matches IAM Actions, the results are not always accurate.

With that being said, it is a wicked tool and you should try it out.

~~~
bashinator
Thank you! I'm glad to see there's progress on this. I've been holding off
putting the infrastructure automation into CI/CD, due to the incredible amount
of work it would take to create a least-access policy. Tooling like this will
help a lot.

------
pawurb
Sorry for a shameless self-promotion but I've recently written a piece about
how it's a common practice to grant web apps a full access to S3 resources
using a simple IAM policy and what risks it causes
[https://pawelurbanek.com/s3-iam-config](https://pawelurbanek.com/s3-iam-
config)

------
jedberg
> and there's no automated tool that will automagically sense the AWS API
> calls that you perform and then write them for you in a least-privilege
> manner.

Netflix released one two years ago: [https://medium.com/netflix-
techblog/introducing-aardvark-and...](https://medium.com/netflix-
techblog/introducing-aardvark-and-repokid-53b081bf3a7e)

~~~
kmcquade
Aardvark and Repokid revoke privileges based on AWS Access Advisor, which
tells you when certain services have not been used within X amount of
days/months. But it only does this for services, not for actions. So the
resulting API calls are not very granular.

------
kevinsundar
I have a question, I recently had the opportunity to use AWS CDK
([https://docs.aws.amazon.com/cdk/latest/guide/home.html](https://docs.aws.amazon.com/cdk/latest/guide/home.html))
for a project. It seemed to me that CDK automatically does this to a certain
degree and if CDK is the future for AWS infrastructure provisioning, this
issue should organically go away. Anyone have any input?

~~~
k__
I don't know if it's really the future, but at least it's an alternative.

Some people claim it's the wrong way, because it's another abstraction between
a CFN-template and the CFN-engine (more moving parts, etc) and using a markup
language that restricts you a bit, makes things more manageable.

------
bloblaw
Neat project.

How does it differ from `aws-iam-generator` released by AWS themselves?

[https://github.com/awslabs/aws-iam-generator](https://github.com/awslabs/aws-
iam-generator)

~~~
kmcquade
Thanks!

aws-iam-generator still requires you to write the actual policy templates from
scratch, and then they allow you to re-use those policy templates.

Consider the JSON under this area of their README:
[https://github.com/awslabs/aws-iam-generator#managed-
policie...](https://github.com/awslabs/aws-iam-generator#managed-policies-
derived-from-a-jinja2-template)

It's essentially a method for managing their policies as code - but it doesn't
make those policies restricted to certain resources, unless you configure it
that way. Using `policy_sentry --write-policy --crud`, you have to supply a
file with resource ARNs, and it will write the policy for you, rather than
supplying a policy file, and hoping the ARNs fit that use case.

Does that make sense?

------
dmlittle
At first glance (by the name) I thought this was something that analyzed your
AWS usage based on API logs and created an "ideal" policy for to use (or
recommend permissions to remove/add).

~~~
kmcquade
Regarding your point on the API logs - there are some blunders on AWS's part
that make "policy suggestion" difficult. Behind the scenes right now, is still
AWS figuring out what IAM privileges actually correlate to what actions. A
simple example of this is the privilege s3:listallmybuckets correlates to the
action and subsequent CloudTrail event s3:listbuckets. It is insane to think
about, but AWS never kept track of those differences.

You also have the problem that not all actions are recorded by CloudTrail (ex.
cloudwatch:putmetricdata).

Now, I think that it's possible this tool could be extended to support that.
For example... you could use Amazon Athena to query CloudTrail logs from an S3
bucket, and then query the logs to determine which principals touch which
ARNs. For each IAM principal, create a list of ARNs. For each ARN, plug that
ARN into a policy_sentry yml file, and determine the CRUD level based on a
lazy comparison of the action listed in the cloudtrail log vs the reosurce
ARN. And then run the policy_sentry yml file to generate an IAM policy that
would have worked. But that's just my idea... actual implementation of that
would be a bigger effort than what I could take on myself.

If you are interested in that kind of feature, please comment and I'll point
this out to some other engineers who will be contributing to this tool as
well.

~~~
Twirrim
> It is insane to think about, but AWS never kept track of those differences.

Integration with cloudtrail sort of lands on teams, they suddenly get told
it's a priority for that quarter, they scramble around like mad, shove a
fresh-out-of-college hire on it with little oversight, and you get what you
get...

------
vageli
Is there any way to block the creation of policies containing specific
permissions or resources? I know this can be trivially circumvented but if
this tool is used in ci/cd it can be a good gate.

~~~
kmcquade
In the Terraform use case, that is probably possible if you hack together an
analysis of the JSON policy files generated by the Terraform module and then
allow/warn/deny based on the results. Alternatively, you could run the IAM
analysis portion of this tool after Terraform apply.

I should also mention that the IAM authoring aspect of this tool is more
mature than the policy analysis feature.

In CI/CD, if you are using Terraform, I suggest using Open Policy Agent for
blocking access to certain resources by evaluating a Terraform plan. I suppose
it's also possible to use OPA to evaluate the JSON output of a policy_sentry
YML file.

Hope this helps.

~~~
philsnow
[https://www.openpolicyagent.org/docs/latest/terraform/](https://www.openpolicyagent.org/docs/latest/terraform/)
very neat, I hadn't seen opa used in this way before.

~~~
kmcquade
Oh yeah it's super powerful. And it's not vendor-dependent like Sentinel & TF
Enterprise (although I really love TF Cloud).

Here's an example of using OPA + Conftest with Terraform that you might be
interested in: [https://github.com/kmcquade/conftest-terraform-
multifolder-p...](https://github.com/kmcquade/conftest-terraform-multifolder-
policies)

------
batoure
In a funny not serious but also totally serious way I want to be friends with
everyone who cares about the fact that this repo exists regardless of if they
think its worth using.

~~~
Terretta
In a funny not serious but also totally serious way: I want to hire everyone
who cares about the fact that this repo exists with the know-how to apply it.

// Email in profile.

~~~
batoure
sent via linkedin

------
OJFord
I completely understand (and have had) the problem, but I don't understand the
solution that this offers?

Or rather, I didn't without going Readme > Wiki > User Guide > something else
- a YAML example should really be in the readme, this looks great!

~~~
kmcquade
Good feedback - I will put that stuff in the README. Was thinking about doing
that earlier today. Thanks!

~~~
kmcquade
Updated.

