Skip to main content

AWS Access Undenied by Ermetic - parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable fixes.

Reason this release was yanked:

Renaming project

Project description

Access Undenied

Access Undenied parses AWS AccessDenied CloudTrail events, explains the reasons for them, and offers actionable fixes.

Twitter

Gif demonstrating an example of using AccessUndenied

Overview

Access Undenied analyzes AWS CloudTrail AccessDenied events, scans the environment to identify and explain the reasons for them, and offers actionable least-privilege remediation suggestions.

Common use cases

Sometimes, the new and more detailed AccessDenied messages provided by AWS will be sufficient. However, that is not always the case.

  1. Some AccessDenied messages do not provide details. Among the services with (many or exclusively) undetailed messages are: S3, SSO, EFS, EKS, GuardDuty, Batch, SQS, and many more.
  2. When the reason for AccessDenied is an explicit deny, it can be difficult to track down and evaluate every relevant policy.
  3. Specifically when the reason is an explicit deny in a service control policy (SCP), one has to find and every single policy in the organization that applies to the account.
  4. When the problem is a missing Allow statement, AccessUndenied automatically offers a least-privilege policy based on the CloudTrail event.

Simple Startup

Install AccessUndenied

pip install aws-access-undenied

Analyze a CloudTrail event file.

aws-access-undenied --file event_history.json

Installation

Installation from pip

python -m pip install aws-access-undenied 

Installation from source code (development)

To install from source code, you can set up a venv (optionally), and within that venv

python -m pip install --editable .

Usage

Getting events

Access Undenied works by analyzing a CloudTrail event where access was denied and the error code is either AccessDenied or Client.UnauthorizedOperation, it works on an input of one or more CloudTrail events. You can get them from wherever you get events, they can be found in the event history in the console, or by the LookupEvents API, or through whatever system you use in order to filter and detect events: Athena, Splunk, others. You can either download the records file (the default format for multiple events) or just copy and paste a single event. For an example of how to do this: Getting Cloudtrail events from the AWS Console's event history

Permissions

Access Undenied runs with the default permissions of the environment running the cli command, and accepts the --profile flag for using a different profile from .aws/credentials. The role running aws-access-undenied should have at be granted these permissions:

  1. Attach the SecurityAudit managed policy
  2. Attach this inline policy: AccessUndeniedAssumeRole
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessUndenied-AssumeRole",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": [
        "arn:aws:iam::<management_account_id>:role/AccessUndeniedRole",
        "arn:aws:iam::<account_1_id>:role/AccessUndeniedRole",
        "arn:aws:iam::<account_2_id>:role/AccessUndeniedRole",
        "..."
      ]
    }
  ]
}

If you do not wish to attach SecurityAudit, you may instead attach the updating least-privilege AccessUndenied policy

Same account assets only, no SCPs

When both the resource and the principal are in the same account as the credentials used to run AccessUndenied and Service Control Policies (SCPs) do not need to be considered, it is sufficient to just run AccessUndenied with default credentials or a profile, and you do not need to set up any additional profiles.

Cross-account assets and SCPs

To consider assets in multiple accounts and/or SCPs in the management account, we need to set up AWS cross-account roles with the same policy and the same name as each other (the default is AccessUndeniedRole)

when setting up these roles, remember to set up the appropriate trust policy (trusting the credentials in the source account, the one you're running AccessUndenied in):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<source_account>:role/AccessUndeniedRole"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Create an identity policy (inline or managed) with the following permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "kms:GetKeyPolicy",
        "organizations:DescribeOrganization",
        "s3:GetBucketPolicy",
        "secretsmanager:GetResourcePolicy",
        "sts:DecodeAuthorizationMessage"
      ],
      "Resource": "*"
    }
  ]
}

CLI Commands

Simplest command

aws-access-undenied analyze --events-file cloudtrail_events.json

All options:

Options:
  -v, --verbosity LVL  Either CRITICAL, ERROR, WARNING, INFO or DEBUG
  --profile TEXT       the AWS profile to use (default is default profile)
  --help               Show this message and exit.

Commands:
  analyze   Analyzes AWS CloudTrail events and explains the reasons for...
  get-scps  Writes the organization's SCPs and organizational tree to a file

Analyze

This command is used to analyze AccessDenied events. It can be used either with the management-account-role-arn parameter to retrieve SCPs, or with the scp-file parameter to use a policy data file created by the get_scps command.

Options:
  --events-file FILENAME          input file of CloudTrail events  [required]
  --scp-file TEXT                 Service control policy data file generated
                                  by the get_scps command.
  --management-account-role-arn TEXT
                                  a cross-account role in the management
                                  account of the organization, which must be
                                  assumable by your credentials.
  --cross-account-role-name TEXT  The name of the cross-account role for
                                  AccessUndenied to assume. default:
                                  AccessUndeniedRole
  --output-file TEXT              output file for results (default: no output
                                  to file)
  --suppress-output / --no-suppress-output
                                  should output to stdout be suppressed
                                  (default: not suppressed)
  --help                          Show this message and exit.

Example:

aws-access-undenied analyze --events-file events_file.json

Get SCPs

This command is used to writes the organization's SCPs and organizational tree to an organizational policy data file. This command should be run from the management account.

Options:
  --output-file TEXT  output file for scp data (default: scp_data.json)
  --help              Show this message and exit.

Example:

aws-access-undenied get-scps

Then when running analyzing (from the same account or a different account)

aws-access-undenied analyze --events-file events_file.json --scp-file scp_data.json

Output Format

{
  "EventId": "55555555-12ad-4f70-9140-d44428038119",
  "AssessmentResult": "Missing allow in an identity-based policy",
  "ResultDetails": {
    "PoliciesToAdd": [
      {
        "AttachmentTargetArn": "arn:aws:iam::123456789012:role/MyRole",
        "Policy": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": "rds:DescribeDBInstances",
              "Resource": "arn:aws:rds:ap-northeast-3:120252999260:db:*"
            }
          ]
        }
      }
    ]
  }
}

This output for example, tells us that access was denied because of there is no Allow statement in an identity-based policy. To remediate, we should attach to the IAM role arn:aws:iam::123456789012:role/MyRole the policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "rds:DescribeDBInstances",
      "Resource": "arn:aws:rds:ap-northeast-3:120252999260:db:*"
    }
  ]
}

Output Fields

AccessDeniedReason:

The reason why access was denied. Possible Values

Missing allow in:

  • Identity policy
  • Resource policy (in cross-account access)
  • Both (in cases of cross-account access)
  • Permissions boundary
  • Service control policy (with allow-list SCP strategy)

Explicit deny from:

  • Identity policy
  • Resource policy
  • Permissions boundary
  • Service control policy

Invalid action:

  • a principal or action that cannot be simulated by access undenied.

"Allowed" An "Allowed" result means that access undenied couldn't find the reason for AccessDenied, this could be for a variety of reasons:

  • Policies, resources and/or identities have changed since the CloudTrail event and access now actually allowed
  • Unsupported resource policy type
  • Unsupported policy type (VPC endpoint policy, session policy, etc.)
  • Unsupported condition key

ResultDetails

These are the details of the result, explaining the remediation steps, this section may contain either PoliciesToAdd or ExplicitDenyPolicies.

PoliciesToAdd

These are the policies which need to be added to enable least-privilege access. Each policy contains:

  • AttachmentTargetArn: the entity to which the new policy should be attached
  • Policy: The content of the policy to be added
ExplicitDenyPolicies

These are the policies cause explicit deny, which need to be removed or modified to facilitate access. AccessUndenied also gives the specific statement causing the Deny outcome.

  • AttachmentTargetArn: the entity to which the policy causing explicit deny is currently attached
  • PolicyArn: The arn (if applicable) of the policy causing explicit deny. For the sake of convenience, resource policies are represented by generic placeholder arns such as: arn:aws:s3:::my-bucket/S3BucketPolicy
  • PolicyName: The policy name, if applicable. Resource policies are represented by generic placeholder names such as S3BucketPolicy
  • PolicyStatement: The specific statement in the aforementioned policy causing explicit deny

Acknowledgements

This project makes use of Ian Mckay's iam-dataset Ben Kehoe's aws-error-utils.

Appendices

Setting up a venv

python -m venv .venv
Platform Shell Command to activate virtual environment
POSIX bash/zsh $ source .venv/bin/activate
fish $ source .venv/bin/activate.fish
csh/tcsh $ source .venv/bin/activate.csh
PowerShell Core $ .venv/bin/Activate.ps1
Windows cmd.exe C:> .venv\Scripts\activate.bat
PowerShell PS C:> .venv\Scripts\Activate.ps1

Getting Cloudtrail events from the AWS Console's event history

  1. Open the AWS console
  2. Go to "CloudTrail"
  3. In the sidebar on the left, click Event History
  4. Find the event you're interested in checking. Unfortunately, the console doesn't let you filter by ErrorCode, so you'll have to filter some other way, e.g. by username or event name.
  5. Download the event:
    1. By clicking the event, copying the event record, and pasting it to a json file locally. or,
    2. By clicking download events -> download as JSON in the top-right corner. (Access Undenied will handle all events where the ErrorCode is AccessDenied or Client.UnauthorizedOperation)

With the event saved locally, you may use the cli command

Example Cloudtrail event

One event in file:

{
  "awsRegion": "us-east-2",
  "eventID": "5ac7912b-fd5d-436a-b60c-8a4ec1f61cdc",
  "eventName": "ListFunctions20150331",
  "eventSource": "lambda.amazonaws.com",
  "eventTime": "2021-09-09T14:01:22Z",
  "eventType": "AwsApiCall",
  "userIdentity": {
    "accessKeyId": "ASIARXXXXXXXXXXXXXXXX",
    "accountId": "123456789012",
    "arn": "arn:aws:sts::123456789012:assumed-role/RscScpDisallow/1631196079303620000",
    "principalId": "AROARXXXXXXXXXXXXXXXX:1631196079303620000",
    "sessionContext": {
      "attributes": {
        "creationDate": "2021-09-09T14:01:20Z",
        "mfaAuthenticated": "false"
      },
      "sessionIssuer": {
        "accountId": "123456789012",
        "arn": "arn:aws:iam::123456789012:role/RscScpDisallow",
        "principalId": "AROARXXXXXXXXXXXXXXXX",
        "type": "Role",
        "userName": "RscScpDisallow"
      },
      "webIdFederationData": {}
    },
    "type": "AssumedRole"
  },
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::123456789012:assumed-role/RscScpDisallow/1631196079303620000 is not authorized to perform: lambda:ListFunctions on resource: * with an explicit deny",
  "sourceIPAddress": "xxx.xxx.xxx.xxx",
  "readOnly": true,
  "eventVersion": "1.08",
  "userAgent": "aws-cli/2.2.16 Python/3.8.8 Linux/4.19.128-microsoft-standard exe/x86_64.ubuntu.20 prompt/off command/lambda.list-functions",
  "requestID": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxx",
  "managementEvent": true,
  "recipientAccountId": "123456789012",
  "eventCategory": "Management"
}

Multiple events in file:

{
  "Records": [
    {
      "awsRegion": "us-east-1",
      "eventID": "xxxxxxxx-xxxx-xxxx-xxxx-8234c1555c12"
      //... rest of cloudtrail_event ...
    },
    {
      //... another cloudtrail_event ...
    }
    // more events...
  ]
}

Least privilege AccessUndenied policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AccessUndeniedLeastPrivilegePolicy",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "iam:SimulateCustomPolicy",
        "kms:GetKeyPolicy",
        "organizations:DescribeOrganization",
        "s3:GetBucketPolicy",
        "secretsmanager:GetResourcePolicy",
        "sts:DecodeAuthorizationMessage"
      ],
      "Resource": "*"
    }
  ]
}

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

aws-access-undenied-0.1.0.tar.gz (223.1 kB view details)

Uploaded Source

Built Distribution

aws_access_undenied-0.1.0-py3-none-any.whl (230.4 kB view details)

Uploaded Python 3

File details

Details for the file aws-access-undenied-0.1.0.tar.gz.

File metadata

  • Download URL: aws-access-undenied-0.1.0.tar.gz
  • Upload date:
  • Size: 223.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.10.2

File hashes

Hashes for aws-access-undenied-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0a96629e04bfb9801c0cb1dc7d9adbd00cf7d208564ed93706aabf607377b0e5
MD5 0bd9a20fae57be6a9da775a885ea1c3b
BLAKE2b-256 a0de7dcb972d5dfe64d456621b6426c5ecda67a6251131ea084869790a962c9f

See more details on using hashes here.

File details

Details for the file aws_access_undenied-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: aws_access_undenied-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 230.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.10.2

File hashes

Hashes for aws_access_undenied-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 54990935de79cf869c5d8b8df918c3ced177aeb1989f41d66939d022209770ce
MD5 5ff9e938b0a9843b02aea8eaf3c93ec5
BLAKE2b-256 817cc592474a31b6eaf65572ea4ab32b658480b8b0e04da165a05b1f74cda334

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page