Cross-service confused deputy prevention - AWS IoT Analytics

Cross-service confused deputy prevention

The confused deputy problem is a security issue where an entity that doesn't have permission to perform an action can coerce a more-privileged entity to perform the action. In AWS, cross-service impersonation can result in the confused deputy problem. Cross-service impersonation can occur when one service (the calling service) calls another service (the called service). The calling service can be manipulated to use its permissions to act on another customer's resources in a way it shouldn't otherwise have permission to access. To prevent this, AWS provides tools that help you protect your data for all services, with service principals that have been given access to resources in your account.

We recommend using the aws:SourceArn and aws:SourceAccount global condition context keys in resource policies. This limits the permissions that AWS IoT Analytics gives another service to the resource. If you use both global condition context keys, the aws:SourceAccount value and the account in the aws:SourceArn value must use the same account ID when used in the same policy statement.

The most effective way to protect against the confused deputy problem is to use the aws:SourceArn global condition context key with the full Amazon Resource Name (ARN) of the resource. If you don't know the full ARN of the resource or if you're specifying multiple resources, use the aws:SourceArn global condition context key with wildcards (*) for the unknown portions of the ARN. For example, arn:aws:iotanalytics::123456789012:*.

Prevention for Amazon S3 buckets

If you use customer managed Amazon S3 storage for your AWS IoT Analytics data store, the Amazon S3 bucket that stores your data may be exposed to confused deputy issues.

For example, Nikki Wolf uses a customer owned Amazon S3 bucket called DOC-EXAMPLE-BUCKET. The bucket stores information for an AWS IoT Analytics data store that was created in the Region us-east-1. She specifies a policy that enables the AWS IoT Analytics service principal to query DOC-EXAMPLE-BUCKET on her behalf. Nikki's coworker, Li Juan, queries DOC-EXAMPLE-BUCKET from her own account and creates a dataset with the results. As a result, the AWS IoT Analytics service principal queried Nikki’s Amazon S3 bucket on Li's behalf even though Li ran the query from her account.

To prevent this, Nikki can specify the aws:SourceAccount condition or the aws:SourceArn condition in the policy for DOC-EXAMPLE-BUCKET.

Specify the aws:SourceAccount condition - The following example of a bucket policy specifies that only the AWS IoT Analytics resources from Nikki's account (123456789012) can access DOC-EXAMPLE-BUCKET.

{
    "Version": "2012-10-17",
    "Id": "MyPolicyID",
    "Statement": [
        {
            "Sid": "ConfusedDeputyPreventionExamplePolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                }
            }
        }
    ]
}

Specify the aws:SourceArn condition - Alternatively, Nikki can use the aws:SourceArn condition.

{
    "Version": "2012-10-17",
    "Id": "MyPolicyID",
    "Statement": [
        {
            "Sid": "ConfusedDeputyPreventionExamplePolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": [
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:ListMultipartUploadParts",
                "s3:AbortMultipartUpload",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET",
                "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"
            ],
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:iotanalytics:us-east-1:123456789012:dataset/DOC-EXAMPLE-DATASET",
                        "arn:aws:iotanalytics:us-east-1:123456789012:datastore/DOC-EXAMPLE-DATASTORE"
                    ]
                }
            }
        }
    ]
}
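To see why the two conditions stop Li's request while still allowing Nikki's, here is an added example (not AWS code or part of this page) that evaluates a trimmed copy of the bucket policy above against constructed request contexts. It models only the Allow, StringEquals and ArnLike semantics used on this page, including IAM's rule that a missing condition key fails the statement; account 999999999999 and the LI-DATASET name are made up. The same evaluation applies to the role trust policies later on this page.

```python
import fnmatch
# Constructed copy of the page's aws:SourceArn bucket policy, trimmed to the fields the evaluator reads.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "iotanalytics.amazonaws.com"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET", "arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"],
    "Condition": {
        "StringEquals": {"aws:SourceAccount": "123456789012"},
        "ArnLike": {"aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:dataset/*"},
    },
}]}
# Constructed request contexts: the service acting for Nikki's dataset, and the same service
# acting for Li's dataset in her own account (999999999999 is a made-up account ID).
SERVICE = "iotanalytics.amazonaws.com"
NIKKI = {"principal": SERVICE, "aws:SourceAccount": "123456789012",
         "aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:dataset/DOC-EXAMPLE-DATASET"}
LI = {"principal": SERVICE, "aws:SourceAccount": "999999999999",
      "aws:SourceArn": "arn:aws:iotanalytics:us-east-1:999999999999:dataset/LI-DATASET"}
def _as_list(v):
    return v if isinstance(v, list) else [v]

def arn_like(actual, pattern):
    # ArnLike matches the six colon-delimited ARN components separately; * and ? are
    # wildcards within a component (the resource component may itself contain ':' and '/').
    a, p = actual.split(":", 5), pattern.split(":", 5)
    return len(a) == len(p) == 6 and all(fnmatch.fnmatchcase(x, y) for x, y in zip(a, p))

def condition_matches(condition, ctx):
    # Every key under every operator must match; a key the request does not carry fails the
    # statement, so a caller that is not acting for one of your resources is refused.
    for operator, keys in condition.items():
        for key, wanted in keys.items():
            actual, wanted = ctx.get(key), _as_list(wanted)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in wanted:
                return False
            if operator == "ArnLike" and not any(arn_like(actual, w) for w in wanted):
                return False
    return True

def is_allowed(policy, ctx, action, resource):
    # Allow-only evaluation: principal, action, resource and every condition key must match.
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or ctx["principal"] not in _as_list(stmt["Principal"].get("Service", [])):
            continue
        if action not in _as_list(stmt["Action"]) or not any(arn_like(resource, r) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False
```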

Prevention with Amazon CloudWatch Logs

You can prevent the confused deputy problem while monitoring with Amazon CloudWatch Logs. The following resource policy shows how to prevent the confused deputy problem with:

  • The global condition context key, aws:SourceArn

  • The aws:SourceAccount with your AWS account ID

  • The customer resource that is associated with the sts:AssumeRole request in AWS IoT Analytics

Replace 123456789012 with your AWS account ID, and us-east-1 with the Region of your AWS IoT Analytics account in the following example.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": "logs:PutLogEvents",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:iotanalytics:us-east-1:123456789012:*/*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                }
            }
        }
    ]
}

For more information about enabling and configuring Amazon CloudWatch Logs, see Logging and monitoring in AWS IoT Analytics.

Confused deputy prevention for customer managed AWS IoT Analytics resources

If you grant AWS IoT Analytics permission to perform actions on your AWS IoT Analytics resources, the resources may be exposed to confused deputy issues. To prevent the confused deputy problem, you can limit the permissions given to AWS IoT Analytics with the following example resource policies.

Prevention for AWS IoT Analytics channels and data stores

You use IAM roles to control the AWS resources that AWS IoT Analytics can access on your behalf. To prevent exposing your role to the confused deputy problem, you can specify the AWS account in the aws:SourceAccount element and the ARN of the AWS IoT Analytics resource in the aws:SourceArn element of the trust policy that you attach to a role.

In the following example, replace 123456789012 with your AWS account ID and arn:aws:iotanalytics:aws-region:123456789012:channel/DOC-EXAMPLE-CHANNEL with the ARN of an AWS IoT Analytics channel or data store.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfusedDeputyPreventionExamplePolicy",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:iotanalytics:aws-region:123456789012:channel/DOC-EXAMPLE-CHANNEL"
                }
            }
        }
    ]
}

To learn more about customer managed S3 storage options for channels and data stores, see CustomerManagedChannelS3Storage and CustomerManagedDatastoreS3Storage in the AWS IoT Analytics API Reference.

Cross-service confused deputy prevention for AWS IoT Analytics dataset content delivery rules

The IAM role that AWS IoT Analytics assumes to deliver dataset query results to Amazon S3 or to AWS IoT Events can be exposed to confused deputy issues. To prevent the confused deputy problem, specify the AWS account in the aws:SourceAccount element and the ARN of the AWS IoT Analytics resource in the aws:SourceArn element of the trust policy that you attach to your role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ConfusedDeputyPreventionExampleTrustPolicyDocument",
            "Effect": "Allow",
            "Principal": {
                "Service": "iotanalytics.amazonaws.com"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "aws:SourceAccount": "123456789012"
                },
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:iotanalytics:aws-region:123456789012:dataset/DOC-EXAMPLE-DATASET"
                }
            }
        }
    ]
}

For more details about configuring dataset content delivery rules, see contentDeliveryRules in the AWS IoT Analytics API Reference.