Identity and Access Management

Introduction

Time to complete: 25 minutes

Learning Objectives:

  • Configure your IAM policies to prevent unauthorized traffic mirroring of your VPC network.
  • Deploy an AWS Config custom rule to detect traffic mirroring on the VPC.

Exercise

Requirements Scenario

Voyager's security team has provided the controls and technical requirements to ensure that their developers follow least privilege when managing their VPC network components. The developer team is using the IAM role DevOps, which is currently permissive enough to allow them to place a traffic mirror listener in the account without the security team knowing. Even though this traffic is internal, it is considered highly restricted. Your goal as a Cloud Architect is to configure the right IAM permissions to prevent the traffic mirror actions, and a detective mechanism to alert on them.

NIST Requirement

| Control ID | Control Description |
| AC-4(21) | Separate information flows logically or physically using [Assignment: organization-defined mechanisms and/or techniques] to accomplish [Assignment: organization-defined required separations by types of information]. |
| AC-3 | Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies. |

Customer Requirement

| Control ID | Control Description |
| Voyager-ctrl-net-05 | Developers must be restricted from making changes to VPC resources that could expose the network to unauthorized resources. |

AWS resources review and conclusions

By reviewing the following available resources, you will come to conclude what needs to be done to meet Voyager's control requirements. The conclusions are listed below.

| Resource type | Resource name | Conclusion |
| AWS service IAM actions | Amazon VPC actions | The actions ec2:CreateTrafficMirrorSession and ec2:CreateTrafficMirrorTarget are what allow a principal to set up traffic mirroring; excluding them from the DevOps role's permitted actions prevents developers from placing a mirror. |
| AWS service user guide | AWS Config / Managed rules | There isn't a managed AWS Config rule available to detect traffic mirroring, so we need to build a custom check. |
| AWS service user guide | AWS Config / Creating AWS Config custom Lambda rules | You can develop custom rules and add them to AWS Config with AWS Lambda functions. You associate each custom rule with a Lambda function, which contains the logic that evaluates whether your AWS resources comply with the rule. |

Instructions

  1. Open the IAM console, go to the Roles section, search for the DevOps role, and click the role name (it may have a random suffix).

  2. Expand the policy by clicking the (+) sign, then click the Edit button.

  3. Select the JSON tab. Modify the policy to remove the ability to create Traffic Mirror sessions and targets by listing the actions under the NotAction policy element. These two actions:

     "ec2:CreateTrafficMirrorSession"
     "ec2:CreateTrafficMirrorTarget"

     can be simplified into one element using a wildcard, like this:

     "ec2:CreateTrafficMirror*"

  4. Select Review policy and then save changes.
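To see why adding the wildcard to NotAction is enough, the following added example (not code from the workshop) evaluates an Allow/NotAction statement the way IAM matches action names (case-insensitive, with `*` wildcards) and shows the two traffic mirror actions being granted before the change and refused after it. The shape of the DevOps role policy, including the other NotAction entries, is an assumption; only the two action names and the wildcard come from the exercise.

```python
"""Evaluate whether an IAM Allow statement that uses NotAction grants the
traffic mirror actions, before and after adding "ec2:CreateTrafficMirror*".
Added example; the policy document is a constructed stand-in."""
import copy
import fnmatch

# Constructed stand-in for the DevOps role policy before the change. The real
# policy's other NotAction entries are unknown; these two are an assumption.
DEVOPS_POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": ["iam:*", "organizations:*"],
            "Resource": "*",
        }
    ],
}

# The two actions named in the exercise.
TRAFFIC_MIRROR_ACTIONS = [
    "ec2:CreateTrafficMirrorSession",
    "ec2:CreateTrafficMirrorTarget",
]
TRAFFIC_MIRROR_WILDCARD = "ec2:CreateTrafficMirror*"


def _as_list(value):
    """IAM allows a single string or a list for Action/NotAction/Statement."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern: str, action: str) -> bool:
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def statement_applies(stmt: dict, action: str) -> bool:
    """True if the statement's Action/NotAction covers `action`.

    NotAction means "every action except these", which is why a permissive
    NotAction statement silently includes any action it does not list.
    """
    if "Action" in stmt:
        return any(action_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(action_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return False


def policy_allows(policy: dict, action: str) -> bool:
    """Explicit Deny wins; otherwise any applicable Allow grants the action.
    Resource and Condition elements are ignored in this simplified check."""
    stmts = _as_list(policy["Statement"])
    if any(s.get("Effect") == "Deny" and statement_applies(s, action) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and statement_applies(s, action) for s in stmts)


def restrict_traffic_mirroring(policy: dict) -> dict:
    """Return a copy of the policy with the wildcard appended to every
    Allow/NotAction statement, which is the edit the exercise makes."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed["Statement"]):
        if stmt.get("Effect") == "Allow" and "NotAction" in stmt:
            not_actions = list(_as_list(stmt["NotAction"]))
            if TRAFFIC_MIRROR_WILDCARD not in not_actions:
                not_actions.append(TRAFFIC_MIRROR_WILDCARD)
            stmt["NotAction"] = not_actions
    return fixed


def mirror_actions_allowed(policy: dict) -> list:
    """Which of the two traffic mirror actions the policy still grants."""
    return [a for a in TRAFFIC_MIRROR_ACTIONS if policy_allows(policy, a)]


if __name__ == "__main__":
    before = mirror_actions_allowed(DEVOPS_POLICY_BEFORE)
    after = mirror_actions_allowed(restrict_traffic_mirroring(DEVOPS_POLICY_BEFORE))
    print("allowed before:", before)  # both actions
    print("allowed after: ", after)   # none
```

The check deliberately ignores Resource and Condition, so it only answers the question the exercise asks: does the role's NotAction statement still cover the mirror actions. Everyday EC2 actions such as `ec2:DescribeInstances` remain allowed after the edit, which is the point of using the narrow wildcard rather than removing `ec2:*` access.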


Now that you have reduced the DevOps role's privileges, it is time to create a mechanism to detect whether a traffic mirror is enabled. To do this you are going to create a new custom AWS Config rule. We have prepared a CloudFormation template that checks whether Traffic Mirror sessions or targets are in place. The template creates a Config rule which, together with a Lambda function and the necessary permissions, detects when a Traffic Mirror is in place. (This is an example of how custom controls can be implemented to suit your needs.)
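The following added example shows the kind of evaluation logic such a custom rule's Lambda function contains. It is not the workshop's CloudFormation template or its Lambda code: the decision is kept in a pure function that takes the EC2 DescribeTrafficMirrorTargets / DescribeTrafficMirrorSessions results, so it can be tested with the constructed responses below, and the handler only calls boto3 when AWS Config invokes it as a periodic (account-level) rule. The sample event, account ID and resource IDs are constructed.

```python
"""Custom AWS Config rule logic: NON_COMPLIANT when any Traffic Mirror
target or session exists in the account. Added example, not the workshop's
own Lambda; EC2 responses and the Config event below are constructed."""
import json

# Constructed stand-ins for the EC2 API responses (IDs are made up).
SAMPLE_TARGETS = [
    {"TrafficMirrorTargetId": "tmt-0123456789abcdef0",
     "NetworkInterfaceId": "eni-0123456789abcdef0"},
]
SAMPLE_SESSIONS = [
    {"TrafficMirrorSessionId": "tms-0123456789abcdef0",
     "TrafficMirrorTargetId": "tmt-0123456789abcdef0"},
]

# Constructed stand-in for the event AWS Config sends a periodic custom rule.
SAMPLE_EVENT = {
    "accountId": "123456789012",
    "resultToken": "constructed-result-token",
    "invokingEvent": json.dumps({
        "messageType": "ScheduledNotification",
        "notificationCreationTime": "2024-01-01T00:00:00.000Z",
    }),
}


def evaluate_traffic_mirroring(targets, sessions):
    """Pure decision: (compliance_type, annotation). Any target or session
    means mirroring is configured, so the account is NON_COMPLIANT."""
    found = ["target " + t["TrafficMirrorTargetId"] for t in targets]
    found += ["session " + s["TrafficMirrorSessionId"] for s in sessions]
    if found:
        return "NON_COMPLIANT", "Traffic Mirror resources present: " + ", ".join(found)
    return "COMPLIANT", "No Traffic Mirror targets or sessions found"


def build_evaluation(event, compliance_type, annotation):
    """One PutEvaluations entry for a periodic rule, scoped to the account."""
    invoking = json.loads(event["invokingEvent"])
    return {
        "ComplianceResourceType": "AWS::::Account",
        "ComplianceResourceId": event["accountId"],
        "ComplianceType": compliance_type,
        "Annotation": annotation[:256],  # Config caps the annotation at 256 chars
        "OrderingTimestamp": invoking["notificationCreationTime"],
    }


def lambda_handler(event, context):
    """Entry point when invoked by AWS Config; needs boto3 and an execution role
    with ec2:DescribeTrafficMirror* and config:PutEvaluations (assumed)."""
    import boto3  # imported here so the module loads without boto3 for testing
    ec2 = boto3.client("ec2")
    targets, sessions = [], []
    # Both Describe calls are paginated; collect every page before deciding.
    for page in ec2.get_paginator("describe_traffic_mirror_targets").paginate():
        targets.extend(page.get("TrafficMirrorTargets", []))
    for page in ec2.get_paginator("describe_traffic_mirror_sessions").paginate():
        sessions.extend(page.get("TrafficMirrorSessions", []))
    compliance_type, annotation = evaluate_traffic_mirroring(targets, sessions)
    evaluation = build_evaluation(event, compliance_type, annotation)
    boto3.client("config").put_evaluations(
        Evaluations=[evaluation], ResultToken=event["resultToken"])
    return evaluation


if __name__ == "__main__":
    # Offline demonstration with the constructed data.
    print(build_evaluation(SAMPLE_EVENT, *evaluate_traffic_mirroring([], [])))
    print(build_evaluation(SAMPLE_EVENT,
                           *evaluate_traffic_mirroring(SAMPLE_TARGETS, SAMPLE_SESSIONS)))
```

Keeping the decision separate from the AWS calls is what makes the rule testable without an account, and collecting all pages before evaluating avoids a false COMPLIANT when the first page of results happens to be empty.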

  1. Download this CloudFormation template to your disk.

  2. Open the AWS CloudFormation console and click Create stack.

  3. Select Template is ready and Upload a template file. Click Choose file, select the file you just downloaded to your disk, and click Next.

  4. Provide the following name for the stack, and click Next.

  5. Leave the stack options as they are, and click Next.

  6. Select the check box to acknowledge, and press Create stack.

  7. Review the status; click the refresh button until the stack has finished successfully.

  8. Go to the AWS Config console and, under Rules, verify that the new Config rule was created.

  9. To test this rule, go to the VPC console.

  10. On the left, under Traffic Mirroring, select Mirror targets.

  11. On the top right, click Create a new Traffic Mirror target. (Keep in mind that we have reduced the privileges of the DevOps role, but not yours.)

  12. Click the Target text box and select any of the EC2 ENIs. Click Create.

  13. Go back to the AWS Config console, select the rule we created, and click Re-evaluate. Wait a moment and refresh. The rule should change from Compliant to Noncompliant.

Congratulations! You have completed the last exercise.