AWS LPA Usage

Using the AWS LPA feature for InsightCloudSec

After AWS LPA is successfully configured, you should be able to access the Principal Activity (LPA) functionality in two ways:

From the “Resource → Resources” page on your InsightCloudSec platform.

Navigate to the "Identity & Management" tab. The principal activity view can only be accessed on the Cloud User and Cloud Role resources.

Once you've selected the desired resource, click the vertical three dots to open the context menu, then click "Principal Activity". This opens a side pane listing all of the actions taken by the selected user or role.

Figure: Principal Activity

From the "Access Explorer → Principals" page, through the context menu "Principal Activity" option.

Figure: Accessing Principal Activity from the Access Explorer Context Menu

Principal Activity Details

The Principal Activity pane contains permissions (or Policy Actions) that have been used within the selected time frame (7, 30, 60, or 90 days). This will provide useful information to support remediation of risk but should be used in conjunction with additional context of the Principal being assessed.


Considerations Before Editing

Prior to making changes to a policy based on this information we recommend the following:

  • Have the information assessed by a qualified reviewer with knowledge of your specific infrastructure and implementation to avoid unwanted impacts (e.g. loss of required permission)
  • Ensure that you have an existing process to revert or remediate issues prior to making changes

Detailed Permission Usage (JSON)

The Detailed Permission Usage JSON file includes the following information for the given principal:

  • The action name
  • The count or number of times an action was invoked (if at all)
  • The last executed date for the action
  • The name of the AWS permission the action maps to
  • The status of the permission (used, unused, or un-assessed)

The used, unused, and un-assessed permission information that InsightCloudSec provides for a given Principal is based on the usage data available from the relevant Cloud Service Provider (CSP), and it is only as accurate as that usage data. A customer can use it to decide which permissions to keep in, or remove from, their policy stack. Used, unused, and un-assessed permissions in the context of this feature and InsightCloudSec are described below.

Note: If you want to programmatically collect this information, review the List Principal Activity and List Principal Permissions endpoints.

Used Permissions
Used Permissions are based on API actions which we have visibility of through the configured data collection (see the AWS LPA Setup documentation).

We map API Actions (as logged through CloudTrail) for User Activity. Due to how AWS has developed this, there isn’t a 1-to-1 mapping of API Action to a Permission (or Policy Action). We provide a mapping of this and return a list of Used Permissions. An example of this is:

API Action                   Permission (Policy Action)
---------------------------  --------------------------
Budgets.CreateBudget         budgets:ModifyBudget
Budgets.CreateNotification   budgets:ModifyBudget
Budgets.CreateSubscriber     budgets:ModifyBudget
Budgets.DeleteBudget         budgets:ModifyBudget
Budgets.DeleteNotification   budgets:ModifyBudget
Budgets.DeleteSubscriber     budgets:ModifyBudget

Unused Permissions

We base our calculation of Unused Permissions on a Principal's permission set (using a portion of Effective Access, but without consideration of resource policies at present). From this set we subtract the Used and Un-assessed Permissions; the remainder is the set of Permissions determined to have been unused in the given timeframe. Note: InsightCloudSec does not currently support policy analysis for service-linked roles, so only used permissions will appear in the permission analysis response for them.

Because this requires a calculation of Effective Access, Unused Permissions require the IAM License to be enabled and are currently supported only for AWS. Without the license, we return only the list of Used and Un-assessed Permissions for a given Principal.

Un-assessed Permissions
When a Permission appears in a Principal's effective access but we are unable to assess it, we will highlight this as an Un-assessed Permission to ensure it’s not confused with an unused permission.

Even for services that do log User Activity (for example to CloudTrail in AWS), there may be other obstacles to determining usage, and we take these into account. For example, for S3 in AWS, logging can be enabled or disabled at the bucket level, so a Principal may be exercising the granted Permissions against an S3 bucket that has logging disabled. In this situation, if we identify user activity for S3 we consider it a Used Permission, but if we do not identify user activity we consider it an Un-assessed Permission. We are currently exploring options to allow these to be assessed as Unused Permissions.


Service Limitation

There are certain AWS services that InsightCloudSec cannot assess usage for. This may be due to the service not logging via the relevant method (e.g., CloudTrail for AWS), and this is a limitation. We are currently exploring options on how to support these services with alternative approaches.
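The classification rules described in the Used, Unused, and Un-assessed sections above, written out as an added example. This is not InsightCloudSec code: the API-action-to-permission mapping reuses the Budgets rows from the table above, while the ECR and S3 rows, the partially logged and unlogged service sets (including the placeholder service name "unloggedsvc"), and the sample effective-access set and events are all constructed for illustration.

```python
"""Classify a principal's effective permissions as Used, Unused or Un-assessed.

Added example of the approach the page describes; not InsightCloudSec code.
The mapping and the service sets below are constructed for illustration.
"""
from collections import defaultdict

# CloudTrail API action -> IAM policy action. The Budgets rows are the page's own
# table (several API actions collapse onto one permission); the ECR and S3 rows
# are assumed. Keys are lower-cased so lookups are case-insensitive.
API_ACTION_TO_PERMISSION = {
    "budgets.createbudget": "budgets:ModifyBudget",
    "budgets.createnotification": "budgets:ModifyBudget",
    "budgets.createsubscriber": "budgets:ModifyBudget",
    "budgets.deletebudget": "budgets:ModifyBudget",
    "budgets.deletenotification": "budgets:ModifyBudget",
    "budgets.deletesubscriber": "budgets:ModifyBudget",
    "ecr.batchgetimage": "ecr:BatchGetImage",
    "ecr.listimages": "ecr:ListImages",
    "s3.getobject": "s3:GetObject",
}

# Services whose CloudTrail coverage is conditional (S3 data events are switched
# on per bucket): no observed activity does not prove a permission is unused.
PARTIALLY_LOGGED_SERVICES = frozenset({"s3"})
# Placeholder name for a service that does not log through CloudTrail at all.
UNLOGGED_SERVICES = frozenset({"unloggedsvc"})


def classify_permissions(effective_permissions, api_events):
    """Return records in the shape of the page's Detailed Permission Usage output.

    effective_permissions: policy actions from the principal's effective access.
    api_events: (api_action, iso_timestamp) pairs observed in the time window,
                e.g. ("ecr.BatchGetImage", "2022-08-31T03:25:52").
    """
    effective = {p.lower(): p for p in effective_permissions}
    counts = defaultdict(int)
    last_seen = {}  # permission -> (timestamp, api_action) of the latest call
    for api_action, when in api_events:
        perm = API_ACTION_TO_PERMISSION.get(api_action.lower())
        if perm is None:
            continue  # unmapped activity cannot be attributed to a permission
        key = perm.lower()
        counts[key] += 1
        if key not in last_seen or when > last_seen[key][0]:
            last_seen[key] = (when, api_action)

    records = []
    for key, perm in sorted(effective.items()):
        if key in counts:
            when, api_action = last_seen[key]
            records.append({"action": api_action, "count": counts[key],
                            "last_executed_date": when, "permission": perm,
                            "status": "Used"})
            continue
        # Not observed: only call it Unused if the service is fully observable.
        service = key.split(":", 1)[0]
        unassessable = (service in PARTIALLY_LOGGED_SERVICES
                        or service in UNLOGGED_SERVICES)
        records.append({"permission": perm,
                        "status": "Un-assessed" if unassessable else "Unused"})
    return records


# Constructed sample input: a small effective-access set and a few events.
SAMPLE_EFFECTIVE = ["budgets:ModifyBudget", "ecr:BatchGetImage", "ecr:ListImages",
                    "s3:GetObject", "unloggedsvc:DoSomething"]
SAMPLE_EVENTS = [
    ("Budgets.CreateBudget", "2022-08-30T10:00:00"),
    ("Budgets.DeleteSubscriber", "2022-08-31T11:00:00"),
    ("ecr.BatchGetImage", "2022-08-31T03:25:52"),
    ("ecr.BatchGetImage", "2022-08-31T03:25:51"),
]

if __name__ == "__main__":
    for rec in classify_permissions(SAMPLE_EFFECTIVE, SAMPLE_EVENTS):
        print(rec)
```

With the sample input, budgets:ModifyBudget comes out as Used with a count of 2 even though two different API actions were observed, ecr:ListImages is Unused, and both the S3 and the placeholder unlogged-service permissions are Un-assessed rather than Unused, which is the distinction the S3 bucket-logging caveat above is about.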

Access Remediation Policy

The Access Remediation Policy download is an AWS "Deny NotAction" policy JSON file that will assist in remediating the unused and/or un-assessed permissions for a given principal.

This policy will deny ALL permissions, except for those outlined in the NotAction element. Within this element, InsightCloudSec lists all Used and Un-assessed Permissions. If applied, the Principal would continue to have permissions to execute actions for those which they have used in that time period and also those which we have marked as un-assessed. Note: We include the un-assessed permissions, as we have no assessment if they are used or not and do not want to revoke access to potentially used permissions.

For example, you have identified that a given Principal has overly-permissive access based on the analysis of their historical activity within InsightCloudSec. Based on this activity (along with your business context for the role and its associated permissions), you may want to take action to remediate this potential risk and remove access to Unused Permissions. Because the download is a fully qualified policy document, it can be attached to that Principal through the AWS console or the CLI.

Here is an example "Deny NotAction" policy for a user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "LPADenyUnusedPermissions",
            "Effect": "Deny",
            "NotAction": [
               "ecr:BatchGetImage",
               "ecr:DescribeImages",
               "ecr:GetAuthorizationToken",
               "ecr:DescribeRepositories"
            ],
            "Resource": ["*"]
        }
    ]
}

The above policy is based on the following Detailed Permission Usage output for the same user:

{
  "end": "2022-08-31",
  "page": 1,
  "permissions": [
    {
      "action": "ecr.BatchGetImage",
      "count": 861,
      "last_executed_date": "2022-08-31T03:25:52",
      "permission": "ecr:batchgetimage",
      "status": "Used"
    },
    {
      "action": "ecr.DescribeImages",
      "count": 791,
      "last_executed_date": "2022-08-31T03:25:51",
      "permission": "ecr:describeimages",
      "status": "Used"
    },
    {
      "action": "ecr.DescribeRepositories",
      "count": 65,
      "last_executed_date": "2022-08-31T03:05:38",
      "permission": "ecr:describerepositories",
      "status": "Used"
    },
    {
      "action": "ecr.GetAuthorizationToken",
      "count": 857,
      "last_executed_date": "2022-08-31T03:25:51",
      "permission": "ecr:getauthorizationtoken",
      "status": "Used"
    },
    {
      "permission": "ecr:batchchecklayeravailability",
      "status": "Unused"
    },
    {
      "permission": "ecr:describeregistry",
      "status": "Unused"
    },
    {
      "permission": "ecr:getdownloadurlforlayer",
      "status": "Unused"
    },
    {
      "permission": "ecr:listimages",
      "status": "Unused"
    }
  ],
  "principal": {
    "name": "sample-principal",
    "resource_id": "serviceuser:123456:AIDA12ABCDEF1ABCDEF1A:",
    "resource_type": "serviceuser"
  },
  "start": "2022-06-02",
  "total_pages": 1,
  "warnings": {}
}
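How the Detailed Permission Usage output above becomes the "Deny NotAction" policy, as an added example; this is not the InsightCloudSec download routine. The usage data is an abridged copy of the page's own sample output plus one constructed "Un-assessed" S3 entry (the status spelling for that case is assumed), and CANONICAL_CASE is a constructed lookup because the output lower-cases permission names while the policy uses their canonical form. A small checker shows what the resulting statement does and does not deny.

```python
"""Turn Detailed Permission Usage output into an AWS "Deny NotAction" policy.

Added example mirroring the page's description; not InsightCloudSec code.
"""
import json

DETAILED_USAGE = {
    "permissions": [
        {"action": "ecr.BatchGetImage", "count": 861,
         "last_executed_date": "2022-08-31T03:25:52",
         "permission": "ecr:batchgetimage", "status": "Used"},
        {"action": "ecr.DescribeImages", "count": 791,
         "last_executed_date": "2022-08-31T03:25:51",
         "permission": "ecr:describeimages", "status": "Used"},
        {"action": "ecr.DescribeRepositories", "count": 65,
         "last_executed_date": "2022-08-31T03:05:38",
         "permission": "ecr:describerepositories", "status": "Used"},
        {"action": "ecr.GetAuthorizationToken", "count": 857,
         "last_executed_date": "2022-08-31T03:25:51",
         "permission": "ecr:getauthorizationtoken", "status": "Used"},
        {"permission": "ecr:batchchecklayeravailability", "status": "Unused"},
        {"permission": "ecr:describeregistry", "status": "Unused"},
        {"permission": "ecr:getdownloadurlforlayer", "status": "Unused"},
        {"permission": "ecr:listimages", "status": "Unused"},
        # Constructed entry: S3 logging is per bucket, so this was not assessable.
        {"permission": "s3:getobject", "status": "Un-assessed"},
    ],
    "principal": {"name": "sample-principal", "resource_type": "serviceuser"},
}

# Constructed lookup from the output's lower-cased names to canonical casing.
CANONICAL_CASE = {
    "ecr:batchgetimage": "ecr:BatchGetImage",
    "ecr:describeimages": "ecr:DescribeImages",
    "ecr:describerepositories": "ecr:DescribeRepositories",
    "ecr:getauthorizationtoken": "ecr:GetAuthorizationToken",
    "s3:getobject": "s3:GetObject",
}

KEEP_STATUSES = {"Used", "Un-assessed"}  # never deny what may be in use


def build_deny_notaction_policy(usage, sid="LPADenyUnusedPermissions"):
    """Deny everything except the permissions the principal used or that could
    not be assessed. Refuses to emit a policy whose NotAction list would be
    empty, because such a statement would deny every action."""
    keep = {
        CANONICAL_CASE.get(p["permission"].lower(), p["permission"])
        for p in usage["permissions"] if p["status"] in KEEP_STATUSES
    }
    if not keep:
        raise ValueError("no Used or Un-assessed permissions; refusing deny-all")
    return {
        "Version": "2012-10-17",  # current IAM policy language version
        "Statement": [{
            "Sid": sid,
            "Effect": "Deny",
            "NotAction": sorted(keep, key=str.lower),
            "Resource": ["*"],
        }],
    }


def statement_denies(policy, action):
    """True if a Deny/NotAction statement in `policy` explicitly denies `action`.
    IAM matches action names case-insensitively; wildcards are not handled."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or "NotAction" not in stmt:
            continue
        kept = {a.lower() for a in stmt["NotAction"]}
        if action.lower() not in kept:
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_notaction_policy(DETAILED_USAGE)
    print(json.dumps(policy, indent=2))
    for act in ("ecr:DescribeImages", "ecr:ListImages", "s3:GetObject"):
        print(act, "denied" if statement_denies(policy, act) else "not denied")
```

The explicit Deny only fires for actions outside the NotAction list, so ecr:ListImages (Unused) is denied while ecr:DescribeImages (Used) and s3:GetObject (Un-assessed) are left untouched; the policy still grants nothing on its own, it only narrows whatever the principal's existing Allow statements provide.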
