This content originally appeared on DEV Community and was authored by Alejandro Velez
Level 200
A common task for security engineers is to grant the right set of permissions across AWS environments while applying least privilege, keeping access review centralized, and refining and validating policies continuously. AWS IAM Access Analyzer provides these capabilities and lets you automate the process.
In this series you will learn how to apply these best practices and automate the validation process using IAM Access Analyzer, the AWS SDK for Python (Boto3) and AWS developer tools.
Use case
Imagine that you are a security engineer who must validate the IAM policy documents used as IAM identity policies and as inline policies for permission sets. At the beginning, many of these policies are defined in JSON format in source code, and you must add the validation steps to the CD pipeline to manage authorization as code.
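As an added example (not the validate-aws-policies tool's code and not from the original post), the following Python script shows the core of that pipeline step: it reads the JSON policy files from a folder, sends each one to the Access Analyzer ValidatePolicy API through boto3, follows the nextToken pagination, and fails the step when any finding reaches a chosen severity. The FakeAccessAnalyzer class, its checks and issue codes, and the three sample policies are constructed so the script runs offline; pass an AWS CLI profile name as the first argument to call the real API instead.

```python
"""Validate IAM policy JSON files with the IAM Access Analyzer ValidatePolicy API
and fail a CD pipeline step when findings reach a severity threshold.
Added example, not the validate-aws-policies tool; assumptions are marked."""
import json
import sys
import tempfile
from pathlib import Path

# Access Analyzer finding types, ordered from least to most severe.
SEVERITY_ORDER = ["SUGGESTION", "WARNING", "SECURITY_WARNING", "ERROR"]

def access_analyzer_client(profile=None):
    """Real boto3 client; imported lazily so the offline demo needs no boto3."""
    import boto3
    return boto3.Session(profile_name=profile).client("accessanalyzer")

def validate_policy_document(client, policy_document, policy_type="IDENTITY_POLICY"):
    """Call ValidatePolicy and follow nextToken until every finding is collected."""
    findings, kwargs = [], {"policyDocument": policy_document, "policyType": policy_type}
    while True:
        response = client.validate_policy(**kwargs)
        findings.extend(response.get("findings", []))
        if not response.get("nextToken"):
            return findings
        kwargs["nextToken"] = response["nextToken"]

def should_fail(findings, fail_on="SECURITY_WARNING"):
    """CI gate: True when any finding is at least as severe as fail_on."""
    threshold = SEVERITY_ORDER.index(fail_on)
    return any(SEVERITY_ORDER.index(f["findingType"]) >= threshold for f in findings)

def validate_directory(client, directory, fail_on="SECURITY_WARNING"):
    """Validate every *.json policy in directory; return a per-file report."""
    report = {}
    for path in sorted(Path(directory).glob("*.json")):
        findings = validate_policy_document(client, path.read_text())
        counts = {level: 0 for level in SEVERITY_ORDER}
        for finding in findings:
            counts[finding["findingType"]] += 1
        report[path.name] = {"findings": findings, "counts": counts,
                             "failed": should_fail(findings, fail_on)}
    return report

class FakeAccessAnalyzer:
    """Constructed stand-in for the boto3 accessanalyzer client so the demo runs
    offline. Responses are shaped like ValidatePolicy, one finding per page so the
    nextToken loop is exercised. The checks and issue codes are made up for this
    example and are not what the real service evaluates."""

    def validate_policy(self, policyDocument, policyType, nextToken=None, **_):
        findings = self._inspect(policyDocument)
        start = int(nextToken) if nextToken else 0
        response = {"findings": findings[start:start + 1]}
        if start + 1 < len(findings):
            response["nextToken"] = str(start + 1)
        return response

    @staticmethod
    def _inspect(document):
        statements = json.loads(document).get("Statement", [])
        statements = [statements] if isinstance(statements, dict) else statements
        findings = []
        for idx, stmt in enumerate(statements):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if "Resource" not in stmt:
                findings.append({"findingType": "ERROR", "issueCode": "CONSTRUCTED_MISSING_RESOURCE",
                                 "findingDetails": f"Statement {idx} has no Resource element"})
            elif stmt.get("Effect") == "Allow" and "*" in actions and stmt["Resource"] == "*":
                findings.append({"findingType": "SECURITY_WARNING", "issueCode": "CONSTRUCTED_FULL_ACCESS",
                                 "findingDetails": f"Statement {idx} allows every action on every resource"})
        return findings

# Constructed sample policies, as they might sit in a repository's policies folder.
SAMPLE_POLICIES = {
    "readonly-s3.json": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                          "Resource": "arn:aws:s3:::example-bucket/*"}],
    "admin-wildcard.json": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    "mixed-problems.json": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances"]},
                            {"Effect": "Allow", "Action": ["*"], "Resource": "*"}],
}

def run_demo(client=None, fail_on="SECURITY_WARNING"):
    """Write the sample policies to a temp folder and validate them."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, statements in SAMPLE_POLICIES.items():
            Path(tmp, name).write_text(json.dumps({"Version": "2012-10-17", "Statement": statements}))
        return validate_directory(client or FakeAccessAnalyzer(), tmp, fail_on)

if __name__ == "__main__":
    # Pass an AWS CLI profile name as the first argument to call the real API instead.
    result = run_demo(access_analyzer_client(sys.argv[1]) if len(sys.argv) > 1 else None)
    for name, entry in result.items():
        print(f"{name}: {'FAIL' if entry['failed'] else 'PASS'} {entry['counts']}")
    sys.exit(1 if any(e["failed"] for e in result.values()) else 0)
```

The severity threshold is the knob a pipeline owner tunes: failing on SECURITY_WARNING and above blocks over-broad grants and malformed documents while letting SUGGESTION and WARNING findings surface in the report without stopping the deployment. Switch the policyType argument to SERVICE_CONTROL_POLICY or RESOURCE_POLICY for those document types.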
Solution Overview
Requirements
- validate-aws-policies
- Python >= 3.10.4
AWS Services
AWS IAM Access Analyzer: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. With IAM, you can manage permissions that control which AWS resources users can access. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM provides the infrastructure necessary to control authentication and authorization for your AWS accounts.
AWS SDK for Python (Boto3): Boto3 makes it easy to integrate your Python application, library, or script with AWS services including Amazon S3, Amazon EC2, Amazon DynamoDB, and more.
Hands On
First, explore the validate-aws-policies command line tool. It validates a set of policies defined as plain JSON files in a folder, generates an HTML or PDF report, and can also publish the results to an S3 bucket as a zip file.
validate-aws-policies -h
usage: validate-aws-policies [-h] [-c] [-u UPLOAD_REPORT] [-b] [-d DIRECTORY_POLICIES_PATH] [-p PROFILE] [-z] [-cp] [-v]
options:
-h, --help show this help message and exit
-c, --ci Run into pipeline if it's present
-u UPLOAD_REPORT, --upload_report UPLOAD_REPORT
Upload reports to s3 bucket
-b, --bucket_name Use this flag for setting the bucket tool if --upload_report is present.
-d DIRECTORY_POLICIES_PATH, --directory_policies_path DIRECTORY_POLICIES_PATH
Path where Policies are defined in json format
-p PROFILE, --profile PROFILE
AWS cli profile for Access Analyzer Api
-z, --zip_reports Set in True if you want to create a zip file for reports
-cp, --create_pdf_reports
Set it if you want to create a pdf report, this need wkhtmltopdf file for reports
-v, --version Print the package version
For example:
You must have an active session with an AWS profile; in this example the profile name is labvel-devsecops.
Finally, you can view the HTML report in your browser or read the results in the terminal output.
By default the report is created as an HTML file in the directory where you run the command, with the date and time in its name, for example:
AccessAnalyzerReport_2024-08-04 13:12:07.285648.html
You can find the source code here:
velez94 / validate-aws-policies
Python CLI to validate aws policies using boto3 and Access Analyzer API
Validate AWS policies
This package scans AWS SCP policies and creates reports in HTML and PDF format.
Pre-Requirements
Set up an AWS CLI profile for interacting with the IAM Access Analyzer API using IAM or SSO credentials.
Requirements
- python >= 3.8
Install
$ pip install --upgrade validate-aws-policies
From AWS CodeArtifacts repository
You must have a user in an AWS account of the Sophos Organization; it could be for projects, products, or internal IT organizations. First, create an AWS CLI profile using AWS IAM Identity Center (SSO) or IAM.
- Configure your pip CLI to download the package from the private CodeArtifact repository
$ aws codeartifact login --tool pip --repository <repository_name> --domain <domain> --domain-owner <123456789012> --profile <profile_name> --region <repository_region>
$ pip install --upgrade validate-aws-policies
From Azure Artifacts repository
Project setup
Ensure you have installed the latest version of the Azure Artifacts keyring from the "Get the tools" menu.
If you don't already have one, create a virtualenv using these instructions from…
Thanks for reading and sharing!! 🤓🤓
Alejandro Velez | Sciencx (2024-08-04T21:14:55+00:00) Continuous Delivery applied to Authorization with IAM Identity Center and AWS IAM Access Analyzer – Part 1. Retrieved from https://www.scien.cx/2024/08/04/continuous-delivery-applied-to-authorization-with-iam-identity-center-and-aws-iam-access-analyzer-part-1/