Is AWS IAM Working? Here’s How to Check

Knowing who is accessing a system (authentication) and what they can do (authorization) is critical to building well in the AWS Cloud.

You’ve set up authentication using a tool like Amazon Cognito and you’re making smart choices granting permissions—using the principle of least privilege—with AWS Identity and Access Management (IAM).

But how do you know it’s all working properly?

Who Did What?

Almost every action taken in an AWS account is recorded by a service called AWS CloudTrail. This service “is enabled on all AWS accounts and records your account activity upon account creation”. It will automatically track 90 days’ worth of events, more if you change the configuration.

This acts as an audit trail.

For every event, CloudTrail records the user identity data associated with the call. This is a validated method of checking who did what in your account. Here’s what that looks like:

Highlighted in yellow are both the common username and the full ARN, or Amazon Resource Name, of that user. If a resource made this TerminateInstances call, the information would be slightly different, but the ARN would still be present, allowing you to identify who made this API call.

AWS CloudTrail provides a simple search interface in the management console (a/k/a the website), the AWS CLI, and the AWS CloudTrail API. Making things all that much easier, the service also stores all of the logs in JSON files compressed in an S3 bucket in your account.

This data is critical to figuring out who did what, and when, in your account.
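As an added example (not from the original post), the following Python script reads a CloudTrail log file in the gzip-compressed JSON layout described above and lists who made a given API call, covering both an IAM user and an assumed-role session. The records, account ID and names are constructed, and the function names `who_did` and `sample_log` are hypothetical.

```python
import gzip
import json

# Constructed sample in the CloudTrail log-file layout (top-level "Records"),
# trimmed to the fields used here. Account ID, names and IPs are made up.
SAMPLE = {"Records": [
    {"eventTime": "2021-03-01T14:02:11Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
    {"eventTime": "2021-03-01T14:05:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "TerminateInstances", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/cleanup-role/i-0abc",
                      "sessionContext": {"sessionIssuer": {
                          "type": "Role", "userName": "cleanup-role",
                          "arn": "arn:aws:iam::111122223333:role/cleanup-role"}}}},
    {"eventTime": "2021-03-01T14:06:02Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "alice",
                      "arn": "arn:aws:iam::111122223333:user/alice"}},
]}


def who_did(log_bytes, event_name):
    """Return (time, identity type, display name, ARN) for each matching event."""
    records = json.loads(gzip.decompress(log_bytes))["Records"]
    hits = []
    for rec in records:
        if rec.get("eventName") != event_name:
            continue
        ident = rec.get("userIdentity", {})
        # IAM users carry userName directly; role sessions carry the role
        # name under sessionContext.sessionIssuer instead.
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
        name = ident.get("userName") or issuer.get("userName") or "unknown"
        hits.append((rec["eventTime"], ident.get("type"), name, ident.get("arn")))
    hits.sort(key=lambda h: h[0])  # chronological; timestamps are ISO 8601
    return hits


def sample_log():
    """Gzip the constructed sample, as a delivered log file would be."""
    return gzip.compress(json.dumps(SAMPLE).encode())


if __name__ == "__main__":
    for hit in who_did(sample_log(), "TerminateInstances"):
        print(*hit, sep="  ")
```

The same function works on a real log object downloaded from the trail’s S3 bucket: pass the file’s raw bytes as `log_bytes`.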

Who Could Do What?

A slightly different and more proactive question to ask is what you have allowed someone (or something) to do in the account.

While the AWS IAM system of granting permissions is very straightforward, it’s still possible to make a simple mistake or overlook one policy and grant too many permissions.

This talk by Becky Weiss, Senior Principal Engineer at AWS, “Getting started with AWS identity services” from AWS re:Invent 2020, is an excellent introduction or refresher on how AWS IAM works:

If you’ve ever tried to map out permissions from multiple policy assignments, you may already be shaking your head. This is not an easy problem to solve.

Thankfully, you don’t have to.

AWS provides a fantastic tool to solve this exact problem, the AWS IAM Access Analyzer. This tool reduces this complicated process down to three steps:

  1. Create an analyzer
  2. Look at the results
  3. Fix things!

Behind the scenes, IAM Access Analyzer uses a very cool mathematical and logic modelling approach called “automated reasoning”. This formal verification method ensures that you’re getting access results. If you want to learn more about that side of the tool, check out AWS’ information on its provable security initiative.

The great news? You get these results and can take action without knowing anything about what’s going on behind the scenes.

IAM Access Analyzer presents a series of findings for you. These findings are very straightforward, showing different access levels that might be of concern, essentially saying, “Hey X can access Y, that might be weird”.

The tool then prompts you to answer whether or not that access was intended.

It’s a really simple approach to a tricky problem.

Next Steps

Authentication and authorization are easy concepts to understand but their implementation can quickly grow complicated. AWS CloudTrail and AWS IAM Access Analyzer are simple tools available to every AWS user to help ensure that they’ve set things up as intended.

AWS CloudTrail will automatically keep that audit trail telling you who did what, when, while AWS IAM Access Analyzer can help you determine who could access what, so you can fix mistakes and oversights before bad things happen.

What’s your experience been with these tools? Are you finding it easy to review authentication and authorization in your solutions? Let’s talk about it in the community!
