DEV Community

Kerisnarendra
Kerisnarendra

Posted on • Edited on

Securing Our AWS Environment: Preventing Privilege Escalation with Permission Boundaries

Introduction

In the world of AWS, security is incredibly important. To keep things secure, it's important to make sure that users and roles only have the access they need to do their jobs. But sometimes, users or roles end up with more access than they should have, which can be dangerous. That's where privilege escalation comes in.

Privilege escalation is when someone gains access to more resources or permissions than they're supposed to have. This can happen if there's a security vulnerability that lets someone exploit the system. If someone manages to escalate their privileges, they can access things they shouldn't be able to, and that can be really bad for a company.

In this blog post, I am going to remind myself how to prevent privilege escalation using a permission boundary in AWS IAM.

Prerequisites

Before we begin, make sure we have the following:

  • An AWS account with IAM access
  • Basic knowledge of AWS IAM and policies
  • The permission boundary JSON file below
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "DenyPermBoundaryIAMPolicyAlteration",
            "Effect": "Deny",
            "Action": [
                "iam:DeletePolicy",
                "iam:DeletePolicyVersion",
                "iam:CreatePolicyVersion",
                "iam:SetDefaultPolicyVersion"
            ],
            "Resource": [
                "arn:aws:iam::Account_ID:policy/PermissionPolicy"
            ]
        },
        {
            "Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole",
            "Effect": "Deny",
            "Action": [
                "iam:DeleteUserPermissionsBoundary",
                "iam:DeleteRolePermissionsBoundary"
            ],
            "Resource": [
                "arn:aws:iam::Account_ID:user/*",
                "arn:aws:iam::Account_ID:role/*"
            ],
            "Condition": {
                "StringEquals": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::Account_ID:poliy/PermissionBoundary"
                    ]
                }
            }
        },
        {
            "Sid": "DenyUserAndRoleCreationWithoutPermBoundary",
            "Effect": "Deny",
            "Action": [
                "iam:CreateUser",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::Account_ID:role/*",
                "arn:aws:iam::Account_ID:user/*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::Account_ID:policy/PermissionBoundary"
                    ]
                }
            }
        }
    ]
}
Enter fullscreen mode Exit fullscreen mode

Step-by-Step Guide

  1. Create an IAM policy that allows users and roles to perform their intended actions, but also includes a permission boundary to limit their privileges. This policy should be applied to the users and roles in our AWS account.
    Note: We have already been provided with a sample permission boundary JSON file. We can use this as a starting point for our own permission boundary policy.

  2. Create an IAM policy that denies the creation of new users and roles without a permission boundary. This policy should be applied to all users and roles in our AWS account.

  3. Create an IAM policy that denies the removal of permission boundaries from any user or role. This policy should be applied to all users and roles in our AWS account.

  4. Create an IAM policy that denies the alteration of the permission boundary policy. This policy should be applied to the permission boundary policy in our AWS account.

  5. Once the policies have been created, apply them to the appropriate users and roles in our AWS account.

  6. Test the policies by attempting to create a user or role without a permission boundary. The policy should deny the creation and provide an error message.

  7. Test the policies by attempting to remove the permission boundary from a user or role. The policy should deny the removal and provide an error message.

  8. Test the policies by attempting to alter the permission boundary policy. The policy should deny the alteration and provide an error message.

FAQ

Q: What is a permission boundary in AWS IAM?
A: A permission boundary is an advanced feature in AWS IAM that allows us to set the maximum permissions for a user or role. It limits what actions a user or role can perform on AWS resources.

Q: Why is a permission boundary important?
A: A permission boundary is important because it can help prevent privilege escalation. By setting a maximum level of permissions, we can ensure that users and roles only have the access they need to perform their intended actions.

Q: How do I know if I am vulnerable to privilege escalation?
A: We can assess our AWS environment for privilege escalation vulnerabilities using tools like AWS IAM Access Analyzer.

Conclusion

Privilege escalation can be a serious security issue in an AWS environment. By using a permission boundary, we can help prevent this issue from occurring. In this blog post, we went through the steps needed to handle privilege escalation using a permission boundary in AWS IAM. It is important to regularly review and update our IAM policies to ensure that they are up-to-date and providing the appropriate level of access to users and roles in our AWS account.

Top comments (0)