Knowing who is accessing a system (authentication) and what they can do (authorization) is critical to building well in the AWS Cloud.
But how do you know it’s all working properly?
Who Did What?
Almost every action taken in an AWS account is recorded by a service called AWS CloudTrail. The service “is enabled on all AWS accounts and records your account activity upon account creation”. Out of the box it keeps the last 90 days of management events in its event history; if you need more than that, create a trail and the events are delivered to an S3 bucket you own and kept for as long as you like.
For every event, CloudTrail records the user identity data associated with the call, which makes the log a reliable record of who did what in your account. Here’s what that looks like:
Highlighted in yellow are both the plain username and the full ARN (Amazon Resource Name) of that user. If a role (say, one attached to an EC2 instance) had made this TerminateInstances call instead, the identity information would look slightly different, but an ARN would still be present, so you could still identify who made the API call.
AWS CloudTrail provides a simple search interface in the management console (the website), the AWS CLI, and the AWS CloudTrail API. Making things all that much easier, a trail also stores every event as gzip-compressed JSON files in an S3 bucket in your account, where you can query or archive them.
This data is critical to figure out who did what, and when, in your account.
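The following is an added example, not code from the original post. It builds, in memory, a constructed CloudTrail log file of the shape a trail delivers to S3 (gzip-compressed JSON with a top-level `Records` list) and pulls the caller out of every `TerminateInstances` record, handling both the plain IAM user case and the assumed-role case described above. The account ID, user and role names, instance IDs and IP addresses are placeholders.

```python
"""Pull "who did what" out of a CloudTrail log file (added example)."""
import gzip
import json

# Constructed sample records modelled on the CloudTrail record format.
# Account IDs, names, instance IDs and addresses are placeholders.
SAMPLE_LOG = {
    "Records": [
        {   # an IAM user calling the API directly
            "eventTime": "2021-03-02T14:21:07Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "TerminateInstances",
            "sourceIPAddress": "203.0.113.10",
            "userIdentity": {
                "type": "IAMUser",
                "principalId": "AIDAEXAMPLEPRINCIPAL",
                "arn": "arn:aws:iam::123456789012:user/mark",
                "accountId": "123456789012",
                "userName": "mark",
            },
            "requestParameters": {
                "instancesSet": {"items": [{"instanceId": "i-0abc123def456789a"}]}
            },
        },
        {   # an EC2 instance acting through an assumed role
            "eventTime": "2021-03-02T14:25:40Z",
            "eventSource": "ec2.amazonaws.com",
            "eventName": "TerminateInstances",
            "sourceIPAddress": "10.0.2.15",
            "userIdentity": {
                "type": "AssumedRole",
                "principalId": "AROAEXAMPLEPRINCIPAL:i-0fedcba9876543210",
                "arn": "arn:aws:sts::123456789012:assumed-role/cleanup-role/i-0fedcba9876543210",
                "accountId": "123456789012",
                "sessionContext": {
                    "sessionIssuer": {
                        "type": "Role",
                        "arn": "arn:aws:iam::123456789012:role/cleanup-role",
                        "userName": "cleanup-role",
                    }
                },
            },
            "requestParameters": {
                "instancesSet": {"items": [{"instanceId": "i-0111122223333aaaa"},
                                           {"instanceId": "i-0444455556666bbbb"}]}
            },
        },
        {   # unrelated event, ignored by the eventName filter
            "eventTime": "2021-03-02T14:30:00Z", "eventSource": "s3.amazonaws.com",
            "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10",
            "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/mark",
                             "accountId": "123456789012", "userName": "mark"},
            "requestParameters": None,
        },
    ]
}


def build_log_file(log: dict) -> bytes:
    """Serialise a log object the way a trail stores it in S3: gzip(JSON)."""
    return gzip.compress(json.dumps(log).encode("utf-8"))


def describe_caller(identity: dict) -> dict:
    """Normalise a userIdentity block.

    For an IAMUser the ARN is the user. For an AssumedRole the ARN is the
    temporary session; the role that was assumed is reported under
    sessionContext.sessionIssuer, so return both.
    """
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return {
        "identity_type": identity.get("type"),
        "caller": identity.get("arn"),
        "role_arn": issuer.get("arn"),
        "name": identity.get("userName") or issuer.get("userName"),
    }


def who_did(log_file: bytes, event_name: str) -> list:
    """Return one entry per record matching event_name, oldest first."""
    records = json.loads(gzip.decompress(log_file).decode("utf-8"))["Records"]
    hits = []
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        if rec.get("eventName") != event_name:
            continue
        params = rec.get("requestParameters") or {}
        items = params.get("instancesSet", {}).get("items", [])
        entry = describe_caller(rec["userIdentity"])
        entry.update({
            "time": rec["eventTime"],
            "source_ip": rec.get("sourceIPAddress"),
            "instance_ids": [i["instanceId"] for i in items],
        })
        hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in who_did(build_log_file(SAMPLE_LOG), "TerminateInstances"):
        print(hit["time"], hit["identity_type"], hit["name"], hit["instance_ids"])
```

Point `who_did` at a real file downloaded from your trail’s bucket and the same code applies; the point to notice is that for an assumed role the `arn` field is the session, and the role you actually need to review lives one level down in `sessionContext.sessionIssuer`.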
Who Could Do What?
A slightly different and more proactive question to ask is: what have you allowed someone (or something) to do in the account?
While the AWS IAM system of granting permissions is very straightforward, it’s still possible to make a simple mistake or overlook one policy and grant too many permissions.
This talk by Becky Weiss, Senior Principal Engineer at AWS, “Getting started with AWS identity services” from AWS re:Invent 2020, is an excellent introduction or refresher on how AWS IAM works:
If you’ve ever tried to map out the effective permissions from multiple policy assignments, you may already be shaking your head. This is not an easy problem to solve.
Thankfully, you don’t have to. AWS IAM Access Analyzer does the hard part, and the workflow is short:
- Create an analyzer
- Look at the results
- Fix things!
Behind the scenes, IAM Access Analyzer uses a very cool mathematical and logic modelling approach called “automated reasoning”. Rather than sampling requests and guessing, this formal verification method evaluates the policy logic itself, so the findings about what access is possible are provable rather than probable. If you want to learn more about that side of the tool, check out AWS’ information on its provable security initiative.
The great news? You get these results and can take action without knowing anything about what’s going on behind the scenes.
IAM Access Analyzer presents a series of findings for you. These findings are very straightforward, each showing a resource that can be reached by a principal outside your account (or by anyone at all) in a way that might be of concern. Essentially it is saying, “Hey, X can access Y, that might be weird”.
The tool then prompts you to answer whether or not that access was intended.
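As an added example of the review step (not code from the original post or from AWS), the block below takes findings shaped like the items the Access Analyzer `ListFindings` API returns (`id`, `resource`, `resourceType`, `principal`, `action`, `isPublic`, `status`) and sorts them into the order you would want to answer the “was this intended?” question: public access first, then sharing with accounts you do not recognise, then sharing with accounts on an allow-list. The findings, account IDs, resource names and the `TRUSTED_ACCOUNTS` set are constructed placeholders for your own.

```python
"""Triage IAM Access Analyzer findings against trusted accounts (added example)."""

# Assumption: the accounts you deliberately share resources with.
TRUSTED_ACCOUNTS = {"111111111111"}

# Constructed sample findings, shaped like ListFindings output. Placeholders only.
SAMPLE_FINDINGS = [
    {"id": "f-public-bucket", "status": "ACTIVE", "isPublic": True,
     "resourceType": "AWS::S3::Bucket", "resource": "arn:aws:s3:::team-backups",
     "principal": {"AWS": "*"}, "action": ["s3:GetObject", "s3:ListBucket"]},
    {"id": "f-partner-role", "status": "ACTIVE", "isPublic": False,
     "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::123456789012:role/partner-access",
     "principal": {"AWS": "111111111111"}, "action": ["sts:AssumeRole"]},
    {"id": "f-unknown-key", "status": "ACTIVE", "isPublic": False,
     "resourceType": "AWS::KMS::Key",
     "resource": "arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab",
     "principal": {"AWS": "arn:aws:iam::222222222222:root"}, "action": ["kms:Decrypt"]},
    {"id": "f-old-queue", "status": "ARCHIVED", "isPublic": True,
     "resourceType": "AWS::SQS::Queue",
     "resource": "arn:aws:sqs:us-east-1:123456789012:inbound",
     "principal": {"AWS": "*"}, "action": ["sqs:SendMessage"]},
]

SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def principal_account(principal: dict):
    """Return the 12-digit account behind an AWS principal, or None for '*'/unknown."""
    aws = principal.get("AWS")
    if not aws or aws == "*":
        return None
    if aws.startswith("arn:aws:iam::"):
        return aws.split(":")[4]   # arn:aws:iam::ACCOUNT:root -> ACCOUNT
    return aws                      # already a bare account ID


def triage(findings, trusted_accounts):
    """Classify each ACTIVE finding as (id, severity, reason), worst first.

    ARCHIVED and RESOLVED findings have already been reviewed or fixed, so
    they are skipped rather than decided twice.
    """
    results = []
    for f in findings:
        if f["status"] != "ACTIVE":
            continue
        actions = ", ".join(f["action"])
        if f["isPublic"]:
            results.append((f["id"], "HIGH",
                            f"{f['resource']} is reachable by anyone ({actions})"))
            continue
        account = principal_account(f["principal"])
        if account in trusted_accounts:
            results.append((f["id"], "LOW",
                            f"{f['resource']} shared with trusted account {account} ({actions})"))
        else:
            results.append((f["id"], "MEDIUM",
                            f"{f['resource']} shared with unexpected principal {f['principal']} ({actions})"))
    results.sort(key=lambda r: SEVERITY_ORDER[r[1]])   # stable: keeps API order within a level
    return results


if __name__ == "__main__":
    for finding_id, severity, reason in triage(SAMPLE_FINDINGS, TRUSTED_ACCOUNTS):
        print(f"[{severity}] {finding_id}: {reason}")
```

Whatever the severity, the decision is still yours: a LOW finding is only low because you put that account on the list, and the list itself should be reviewed as carefully as any policy.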
It’s a really simple approach to a tricky problem.
Authentication and authorization are easy concepts to understand, but their implementation can quickly grow complicated. AWS CloudTrail and AWS IAM Access Analyzer are simple tools available to every AWS user to help ensure that they’ve set things up as intended.
AWS CloudTrail will automatically keep that audit trail telling you who did what, and when, while AWS IAM Access Analyzer can help you determine who could access what, so you can fix mistakes and oversights before bad things happen.
What’s your experience been with these tools? Are you finding it easy to review authentication and authorization in your solutions? Let’s talk about it in the community!