Dynamically generate an IAM policy with IAM Access Analyzer by using Step Functions - AWS Prescriptive Guidance

Created by Thomas Scott (AWS), Adil El Kanabi (AWS), Koen van Blijderveen (AWS), and Rafal Pawlaszek (AWS)

Code repository: Automated IAM Access Analyzer Role Policy Generator

Environment: PoC or pilot

Technologies: Security, identity, compliance; Serverless

AWS services: AWS IAM Access Analyzer; AWS Lambda; AWS Step Functions; AWS Identity and Access Management

Summary

Least-privilege is the security best practice of granting the minimum permissions required to perform a task. Implementing least-privilege access in an already active Amazon Web Services (AWS) account can be challenging because you don’t want to unintentionally block users from performing their job duties by changing their permissions. Before you can implement AWS Identity and Access Management (IAM) policy changes, you need to understand the actions and resources the account users are performing.

This pattern is designed to help you apply the principle of least-privilege access, without blocking or slowing down team productivity. It describes how to use IAM Access Analyzer and AWS Step Functions to dynamically generate an up-to-date IAM policy for your role, based on the actions that are currently being performed in the account. The new policy is designed to permit the current activity but remove any unnecessary, elevated privileges. You can customize the generated policy by defining allow and deny rules, and the solution integrates your custom rules.

This pattern includes options for implementing the solution with AWS Cloud Development Kit (AWS CDK) or HashiCorp CDK for Terraform (CDKTF). You can then associate the new policy to the role by using a continuous integration and continuous delivery (CI/CD) pipeline. If you have a multi-account architecture, you can deploy this solution in any account where you want to generate updated IAM policies for the roles, increasing the security of your entire AWS Cloud environment.

Prerequisites and limitations

Prerequisites

Limitations

  • This pattern does not apply the new IAM policy to the role. At the end of this solution, the new IAM policy is stored in a CodeCommit repository. You can use a CI/CD pipeline to apply policies to the roles in your account.

Architecture

Target architecture

The Step Functions workflow generating a new policy and storing it in CodeCommit.
  1. A regularly scheduled Amazon EventBridge event rule starts a Step Functions workflow. You define this regeneration schedule as part of setting up this solution.

  2. In the Step Functions workflow, a Lambda function generates the date ranges to use when analyzing account activity in the CloudTrail logs.

  3. The next workflow step calls the IAM Access Analyzer API to start generating the policy.

  4. Using the Amazon Resource Name (ARN) of the role you specify during setup, IAM Access Analyzer analyzes the CloudTrail logs for activity within the specified date range. Based on that activity, IAM Access Analyzer generates an IAM policy that permits only the actions and services the role used during the date range. This step returns a job ID for the policy generation.

  5. The next workflow step checks for the job ID every 30 seconds. When the job ID is detected, this step uses it to call the IAM Access Analyzer API and retrieve the new IAM policy, which IAM Access Analyzer returns as a JSON file.

  6. The next workflow step puts the <IAM role name>/policy.json file in an Amazon Simple Storage Service (Amazon S3) bucket. You define this S3 bucket as part of setting up this solution.

  7. An Amazon S3 event notification starts a Lambda function.

  8. The Lambda function retrieves the policy from the S3 bucket, integrates the custom rules you define in the allow.json and deny.json files, and then pushes the updated policy to CodeCommit. You define the CodeCommit repository, branch, and folder path as part of setting up this solution.
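The following Python module is an added example, not code from the pattern's repository: it shows steps 2 through 5 of the workflow as a client would drive them, deriving the look-back window from a `trailLookBack` value, building the `start_policy_generation` request, and polling `get_generated_policy` until the job leaves `IN_PROGRESS`. The request and response field names follow the boto3 `accessanalyzer` API; the 90-day ceiling is IAM Access Analyzer's own limit on the CloudTrail window and is not stated on this page. The `FakeAccessAnalyzer` class and all ARNs are constructed so the module runs offline.

```python
"""Added example: date-range generation and Access Analyzer job polling
(steps 2 to 5 of the workflow). Not the pattern's own code."""
import json
import time
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumption (not on the page): IAM Access Analyzer analyses at most 90 days of CloudTrail.
MAX_LOOKBACK_DAYS = 90

# Constructed sample values for the offline demo.
ROLE_ARN = "arn:aws:iam::111122223333:role/example-app-role"
TRAIL_ARN = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example-trail"
ACCESS_ROLE_ARN = "arn:aws:iam::111122223333:role/example-access-analyzer-role"
FIXED_NOW = datetime(2024, 1, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def compute_date_range(lookback_days: int, now: Optional[datetime] = None) -> Tuple[datetime, datetime]:
    """Step 2: derive the (startTime, endTime) analysis window from the look-back period."""
    if not 1 <= lookback_days <= MAX_LOOKBACK_DAYS:
        raise ValueError(f"trailLookBack must be 1..{MAX_LOOKBACK_DAYS} days, got {lookback_days}")
    end = now or datetime.now(timezone.utc)
    return end - timedelta(days=lookback_days), end


def build_start_request(role_arn: str, trail_arn: str, access_role_arn: str,
                        lookback_days: int, now: Optional[datetime] = None) -> dict:
    """Step 3: keyword arguments for accessanalyzer.start_policy_generation()."""
    start, end = compute_date_range(lookback_days, now)
    return {
        "policyGenerationDetails": {"principalArn": role_arn},
        "cloudTrailDetails": {
            "trails": [{"cloudTrailArn": trail_arn, "allRegions": True}],
            # Role that Access Analyzer assumes to read the trail's S3 objects.
            "accessRole": access_role_arn,
            "startTime": start,
            "endTime": end,
        },
    }


def poll_generated_policy(client, job_id: str, interval_seconds: int = 30,
                          max_attempts: int = 20, sleep=time.sleep) -> dict:
    """Steps 4-5: poll get_generated_policy every interval_seconds until the job
    finishes, then return the first generated policy document as a dict."""
    for _ in range(max_attempts):
        resp = client.get_generated_policy(jobId=job_id)
        details = resp["jobDetails"]
        if details["status"] == "SUCCEEDED":
            policies = resp["generatedPolicyResult"]["generatedPolicies"]
            if not policies:
                raise RuntimeError("job succeeded but no activity was found for the role")
            return json.loads(policies[0]["policy"])  # the policy is a JSON string
        if details["status"] in ("FAILED", "CANCELED"):
            raise RuntimeError(f"policy generation {details['status']}: {details.get('jobError')}")
        sleep(interval_seconds)
    raise TimeoutError(f"job {job_id} still IN_PROGRESS after {max_attempts} polls")


class FakeAccessAnalyzer:
    """Constructed stand-in for the boto3 accessanalyzer client (offline demo only)."""

    def __init__(self, in_progress_polls: int = 2):
        self.remaining = in_progress_polls
        self.calls = 0

    def get_generated_policy(self, jobId: str, **_) -> dict:
        self.calls += 1
        if self.remaining > 0:
            self.remaining -= 1
            return {"jobDetails": {"jobId": jobId, "status": "IN_PROGRESS"}}
        return {
            "jobDetails": {"jobId": jobId, "status": "SUCCEEDED"},
            "generatedPolicyResult": {
                "generatedPolicies": [{"policy": json.dumps(SAMPLE_GENERATED_POLICY)}]},
        }


if __name__ == "__main__":
    req = build_start_request(ROLE_ARN, TRAIL_ARN, ACCESS_ROLE_ARN, 30, FIXED_NOW)
    print(json.dumps(req, default=str, indent=2))
    policy = poll_generated_policy(FakeAccessAnalyzer(), "job-0001", sleep=lambda s: None)
    print(json.dumps(policy, indent=2))
```

With a real client, replace `FakeAccessAnalyzer()` by `boto3.client("accessanalyzer")` and pass the result of `build_start_request` as `client.start_policy_generation(**req)["jobId"]`; the validation in `compute_date_range` rejects a `trailLookBack` that the service would refuse before any API call is made.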

Tools

AWS services

  • AWS Cloud Development Kit (AWS CDK) is a software development framework that helps you define and provision AWS Cloud infrastructure in code.

  • AWS CDK Toolkit is a command line cloud development kit that helps you interact with your AWS Cloud Development Kit (AWS CDK) app.

  • AWS CloudTrail helps you audit the governance, compliance, and operational risk of your AWS account.

  • AWS CodeCommit is a version control service that helps you privately store and manage Git repositories, without needing to manage your own source control system.

  • AWS Command Line Interface (AWS CLI) is an open-source tool that helps you interact with AWS services through commands in your command-line shell.

  • AWS Identity and Access Management (IAM) helps you securely manage access to your AWS resources by controlling who is authenticated and authorized to use them. This pattern uses IAM Access Analyzer, a feature of IAM, to analyze your CloudTrail logs to identify actions and services that have been used by an IAM entity (user or role) and then generate an IAM policy that is based on that activity.

  • AWS Lambda is a compute service that helps you run code without needing to provision or manage servers. It runs your code only when needed and scales automatically, so you pay only for the compute time that you use.

  • Amazon Simple Storage Service (Amazon S3) is a cloud-based object storage service that helps you store, protect, and retrieve any amount of data.

  • AWS Step Functions is a serverless orchestration service that helps you combine AWS Lambda functions and other AWS services to build business-critical applications. In this pattern, you use AWS SDK service integrations in Step Functions to call service API actions from your workflow.

Other tools

  • CDK for Terraform (CDKTF) helps you define infrastructure as code (IaC) by using common programming languages, such as Python and TypeScript.

  • Lerna is a build system for managing and publishing multiple JavaScript or TypeScript packages from the same repository.

  • Node.js is an event-driven JavaScript runtime environment designed for building scalable network applications.

  • npm is a software registry that runs in a Node.js environment and is used to share or borrow packages and manage deployment of private packages.

Code repository

The code for this pattern is available in the GitHub Automated IAM Access Analyzer Role Policy Generator repository.

Epics

Task | Description | Skills required

Clone the repo.

The following command clones the Automated IAM Access Analyzer Role Policy Generator (GitHub) repository.

git clone https://github.com/aws-samples/automated-iam-access-analyzer.git
App developer

Install Lerna.

The following command installs Lerna.

npm i -g lerna
App developer

Set up the dependencies.

The following command installs the dependencies for the repository.

cd automated-iam-access-analyzer/
npm install && npm run bootstrap
App developer

Build the code.

The following command tests, builds, and prepares the zip packages of the Lambda functions.

npm run test:code
npm run build:code
npm run pack:code
App developer

Build the constructs.

The following command builds the infrastructure synthesizing applications, for both AWS CDK and CDKTF.

npm run build:infra

Configure any custom permissions.

In the repo folder of the cloned repository, edit the allow.json and deny.json files to define any custom permissions for the role. If the allow.json and deny.json files contain the same permission, the deny permission is applied.

AWS administrator, App developer
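The following Python module is an added example, not the repository's Lambda code: it merges custom allow and deny rules into a generated policy (step 8 of the workflow) and then evaluates the merged document the way IAM does, so you can confirm that a permission listed in both allow.json and deny.json ends up denied. The assumption, not stated on the page, is that allow.json and deny.json each hold a list of IAM statement objects; the sample generated policy and rule files are constructed inline. Statements that use `Condition`, `NotAction`, `NotResource` or `Principal` are rejected rather than mis-evaluated.

```python
"""Added example: merge allow.json / deny.json rules into a generated policy and
check the effective permission of an action. Not the pattern's own code."""
import fnmatch
from copy import deepcopy

# Constructed sample inputs (what Access Analyzer might emit plus the two rule files).
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
ALLOW_RULES = [  # assumed shape of allow.json: a list of statements
    {"Action": ["sqs:SendMessage", "s3:PutObject"],
     "Resource": ["arn:aws:sqs:us-east-1:111122223333:example-queue",
                  "arn:aws:s3:::example-bucket/*"]},
]
DENY_RULES = [  # assumed shape of deny.json: a list of statements
    {"Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Action": "iam:*", "Resource": "*"},
]
UNSUPPORTED_KEYS = ("Condition", "NotAction", "NotResource", "Principal")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive and supports '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def resource_matches(pattern: str, resource: str) -> bool:
    """Resource ARN matching with '*' and '?' wildcards (case-sensitive)."""
    return fnmatch.fnmatchcase(resource, pattern)


def merge_policy(generated: dict, allow_rules: list, deny_rules: list) -> dict:
    """Append the custom rules as Allow and Deny statements; the generated
    statements are left untouched so the result is auditable against the input."""
    merged = deepcopy(generated)
    statements = merged.setdefault("Statement", [])
    for rule in allow_rules:
        statements.append({**deepcopy(rule), "Effect": "Allow"})
    for rule in deny_rules:
        statements.append({**deepcopy(rule), "Effect": "Deny"})
    return merged


def effective_effect(policy: dict, action: str, resource: str) -> str:
    """Return 'Deny' if any matching statement denies, 'Allow' if one allows and
    none denies, otherwise 'ImplicitDeny'. Mirrors IAM's explicit-deny-wins rule."""
    result = "ImplicitDeny"
    for stmt in policy["Statement"]:
        unsupported = [k for k in UNSUPPORTED_KEYS if k in stmt]
        if unsupported:
            raise NotImplementedError(f"statement uses {unsupported}; not evaluated here")
        if not any(action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(resource_matches(p, resource) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        result = "Allow"
    return result


if __name__ == "__main__":
    merged = merge_policy(GENERATED_POLICY, ALLOW_RULES, DENY_RULES)
    obj = "arn:aws:s3:::example-bucket/report.csv"
    for act, res in (("s3:GetObject", obj), ("s3:PutObject", obj),
                     ("iam:CreateUser", "*"), ("ec2:RunInstances", "*")):
        print(f"{act:20s} -> {effective_effect(merged, act, res)}")
```

Run it on the real `<IAM role name>/policy.json` plus your own allow.json and deny.json before committing: any action you expected the role to keep that comes back `Deny` or `ImplicitDeny` is a rule conflict worth resolving while the policy is still only in CodeCommit.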
Task | Description | Skills required

Deploy the AWS CDK stack.

The following command deploys the infrastructure through AWS CloudFormation. Define the following parameters:

  • <NAME_OF_ROLE> – The ARN of the IAM role for which you are creating a new policy.

  • <TRAIL_ARN> – The ARN of the CloudTrail trail in which the role activity is stored.

  • <CRON_EXPRESSION_TO_RUN_SOLUTION> – The Cron expression that defines the regeneration schedule for the policy. The Step Functions workflow runs on this schedule.

  • <TRAIL_LOOKBACK> – The period, in days, to look back in the trail when evaluating the role permissions.

cd infra/cdk
cdk deploy --parameters roleArn=<NAME_OF_ROLE> \
  --parameters trailArn=<TRAIL_ARN> \
  --parameters schedule=<CRON_EXPRESSION_TO_RUN_SOLUTION> \
  [ --parameters trailLookBack=<TRAIL_LOOKBACK> ]

Note – The square brackets denote optional parameters.

App developer

(Optional) Wait for the new policy.

If the trail does not contain a reasonable amount of historical activity for the role, wait until you are confident that there is enough logged activity for IAM Access Analyzer to generate an accurate policy. If the role has been active in the account for a sufficient period of time, this waiting period might not be necessary.

AWS administrator

Manually review the generated policy.

In your CodeCommit repository, review the generated <ROLE_ARN>.json file to confirm that the allow and deny permissions are appropriate for the role.

AWS administrator
Task | Description | Skills required

Synthesize the Terraform template.

The following command synthesizes the Terraform template.

lerna exec cdktf synth --scope @aiaa/tfm
App developer

Deploy the Terraform template.

The following command navigates to the directory that contains the CDKTF-defined infrastructure.

cd infra/cdktf

The following command deploys the infrastructure in the target AWS account. Define the following parameters:

  • <account_ID> – The ID of the target account.

  • <region> – The target AWS Region.

  • <selected_role_ARN> – The ARN of the IAM role for which you are creating a new policy.

  • <trail_ARN> – The ARN of the CloudTrail trail in which the role activity is stored.

  • <schedule_expression> – The Cron expression that defines the regeneration schedule for the policy. The Step Functions workflow runs on this schedule.

  • <trail_look_back> – The period, in days, to look back in the trail when evaluating the role permissions.

TF_VAR_accountId=<account_ID> \
TF_VAR_region=<region> \
TF_VAR_roleArns=<selected_role_ARN> \
TF_VAR_trailArn=<trail_ARN> \
TF_VAR_schedule=<schedule_expression> \
[ TF_VAR_trailLookBack=<trail_look_back> ] \
cdktf deploy

Note – The square brackets denote optional parameters.

App developer

(Optional) Wait for the new policy.

If the trail does not contain a reasonable amount of historical activity for the role, wait until you are confident that there is enough logged activity for IAM Access Analyzer to generate an accurate policy. If the role has been active in the account for a sufficient period of time, this waiting period might not be necessary.

AWS administrator

Manually review the generated policy.

In your CodeCommit repository, review the generated <ROLE_ARN>.json file to confirm that the allow and deny permissions are appropriate for the role.

AWS administrator

Related resources

AWS resources

Other resources