AWS IAM Access Analyzer should help keep S3 buckets and objects from being public

Due to the complexity around AWS permissions, it’s easy to accidentally misconfigure buckets and leave them open to the public.

AWS re:Invent, one of the last shows for the year, was held this week. While much of the news from the show is a little outside of our focus, there was one interesting announcement we looked into: Amazon announced the AWS Identity & Access Management Access Analyzer. It was developed to help organizations stay on top of their AWS resources and prevent leaks that we’ve heard about throughout the year. 

(Editor’s note from Jack: Speaking of AWS, we’re working on getting a briefing on the new WorkSpaces Streaming Protocol, which we learned about last week, shortly before re:Invent.)

Leaky buckets

Before digging into what IAM Access Analyzer provides customers, let’s look at why AWS released it. Leaky AWS buckets have caused the exposure of millions of customers’ personal data this year alone.

One example is the Attunity leak, which affected companies like Netflix, TD Bank, and Ford. Three AWS S3 buckets were publicly accessible, one of them over five years old and the others created the same week researchers discovered them. Capital One also experienced a breach, at the hands of a former AWS employee no less, who exploited a misconfiguration to gain access.

Part of the issue is that AWS adheres to a shared responsibility model, which places customers in charge of the resources they run on AWS; Amazon handles just the underlying public cloud. While AWS buckets are private and have limited access by default, one accidental misconfiguration undoes that. In large deployments, the many layers of permissions and roles can get very complex, so this is something that can easily happen inadvertently.

This is where the new IAM Access Analyzer comes into play, providing additional protection services that experts (as covered by our TechTarget colleagues at SearchAWS) wanted to see out of re:Invent.

What is IAM Access Analyzer?

The Identity & Access Management Access Analyzer tool examines all of an organization’s AWS resource policies for S3 buckets, AWS KMS keys, SQS queues, IAM roles, and Lambda functions. It determines all the different access paths the various policies allow, so admins can verify that only the intended resources have public or cross-account access.

IAM Access Analyzer can create a report of all your AWS resources that are publicly accessible and also includes “service last accessed” data, highlighting what resources users accessed and when. With that information, admins can reduce permissions to only what each user actually needs.

While IAM Access Analyzer reviews the resource policies currently in place, it also provides continuous monitoring, ensuring any new or updated policies don’t accidentally leave a bucket publicly accessible.

IAM Access Analyzer, which includes Access Analyzer for Amazon S3 (which got a separate press release), is now generally available at no additional cost through the IAM console and APIs in all commercial AWS regions and AWS GovCloud (U.S.).

Amazon calls IAM Access Analyzer part of its provable security efforts, which involve using automated reasoning technology and mathematical logic.

How did organizations monitor AWS before?

IAM Access Analyzer isn’t the first tool available to help admins and security teams monitor AWS, nor AWS’s first solution, either. There are a multitude of first-party and third-party monitoring tools.

Amazon offers AWS Config, AWS CloudTrail, bucket and access control lists, and Amazon Macie. The AWS Config service records and evaluates your AWS resource configurations, allowing admins to assess and audit them as needed. AWS CloudTrail supports governance, compliance, operational auditing, and risk auditing: it gives you visibility into user and resource activity, so admins can review who performed AWS Management Console actions and API calls. When combined with CloudWatch Events, admins can design a workflow that adds a policy to a bucket should an API call accidentally make that bucket publicly accessible. A paid, first-party option is Amazon Macie, which examines settings for potential security issues such as public access.

Additionally, admins can use AWS IAM user policies, bucket policies, and access control lists to restrict access to buckets (there's so much available, it's not hard to see why misconfigurations keep happening). If that fails, there’s even a feature called Amazon S3 Block Public Access, which overrides other policies and permissions so that the most restrictive setting wins.
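To make the two ideas above concrete, here is an added example (not AWS’s code, and not how Access Analyzer itself works internally; it is a deliberately simplified check, whereas the real service uses automated reasoning): a small offline evaluator that walks a bucket’s resource policy, flags each Allow statement that grants access to the public or to an account outside a trusted set, and then applies the kind of automatic remediation a CloudWatch Events workflow might perform. The sample policy, the account IDs, and the organization ID are constructed for illustration. It goes slightly beyond the article by treating a wildcard principal that is pinned down by an `aws:PrincipalAccount`, `aws:SourceAccount`, or `aws:PrincipalOrgID` condition as not public, which is how such statements are generally interpreted.

```python
# Added example (not AWS code): a simplified, offline version of the
# public / cross-account check that IAM Access Analyzer performs on resource
# policies, plus an auto-remediation step of the kind a CloudWatch Events
# workflow could run when an API call makes a bucket public.
import json

# Condition keys that tie a wildcard principal to a specific account or org.
# A statement scoped this way is not public even though Principal is "*".
# (Simplification: scoping to an untrusted account is not flagged here.)
_SCOPING_KEYS = {"aws:principalaccount", "aws:sourceaccount", "aws:principalorgid"}


def _as_list(value):
    """IAM allows a single value or a list almost everywhere; normalize to a list."""
    return value if isinstance(value, list) else [value]


def _account_of(principal_entry):
    """Map an AWS principal string to its 12-digit account id, or '*' for wildcards."""
    if principal_entry == "*":
        return "*"
    if principal_entry.startswith("arn:"):
        # arn:partition:service:region:account:resource -> account is field 4
        return principal_entry.split(":")[4]
    return principal_entry  # bare account id


def _is_scoped(statement):
    """True if a Condition restricts the principal to an account or organization."""
    for operator_block in statement.get("Condition", {}).values():
        for key in operator_block:
            if key.lower() in _SCOPING_KEYS:
                return True
    return False


def analyze_policy(policy, trusted_accounts):
    """Return one finding per Allow statement that grants access to the public
    or to an account outside `trusted_accounts`."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Only the "AWS" principal type is checked; "Service" principals
        # (e.g. lambda.amazonaws.com) are AWS-internal and skipped here.
        entries = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        accounts = {_account_of(e) for e in entries}
        if "*" in accounts and not _is_scoped(stmt):
            findings.append({"statement": idx, "sid": stmt.get("Sid"), "access": "public"})
            continue
        external = accounts - set(trusted_accounts) - {"*"}
        if external:
            findings.append({"statement": idx, "sid": stmt.get("Sid"),
                             "access": "cross-account", "accounts": sorted(external)})
    return findings


def remediate_policy(policy, trusted_accounts):
    """Return a copy of the policy with every flagged Allow statement removed.
    Dropping the statement is the most restrictive fix, in the spirit of
    S3 Block Public Access; a gentler workflow might narrow the Principal instead."""
    flagged = {f["statement"] for f in analyze_policy(policy, trusted_accounts)}
    kept = [s for i, s in enumerate(_as_list(policy.get("Statement", []))) if i not in flagged]
    return {**policy, "Statement": kept}


# Constructed sample bucket policy (not from any real deployment): a public
# read, a grant to an unknown account, an in-account grant, and an org-scoped
# wildcard that should not be reported.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "PartnerAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "OwnerAccess", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:role/app", "111111111111"]},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "OrgScoped", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-exampleorgid"}}},
    ],
}
TRUSTED = {"111111111111"}  # constructed: the bucket owner's account

if __name__ == "__main__":
    for finding in analyze_policy(SAMPLE_POLICY, TRUSTED):
        print(json.dumps(finding))
    print(json.dumps(remediate_policy(SAMPLE_POLICY, TRUSTED), indent=2))
```

Run as a script, it reports the PublicRead statement as public and PartnerAccess as cross-account to 999999999999, leaves OwnerAccess and OrgScoped alone, and prints a remediated policy containing only those two statements. The interesting design choice is the remediation: removing the offending statement mirrors the "most restrictive wins" behaviour of S3 Block Public Access, at the cost of possibly breaking an intended cross-account integration, which is why a review step (the Access Analyzer findings list) belongs before any automated fix.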

If you’d prefer to use third-party tools alongside what AWS offers, there’s plenty out there. Some options include S3 Inspector, an open-source command-line tool that looks at AWS permissions. Another monitoring solution is AWS Cloud Monitoring with Splunk Insights.

Wrap up

Again, cloud-based storage services aren’t our usual beat, but this caught my eye as a prime example of how important identity and access management is to security, how analytics can help with IAM problems, and how it addresses an issue that keeps popping up again and again for AWS customers. Additionally, re:Invent is a big show, so this is one announcement that particularly interested me and seemed worth covering.
