Infrastructure engineers often find themselves in situations where they create over-permissive IAM policies to get their jobs done and because writing least-privilege IAM policies is unnecessarily complex. However, in the case of a breach, it is critical to limit the blast radius of compromised credentials by only giving IAM principals access to what they need. Policy Sentry - open-sourced in 2019 by Salesforce - writes least-privilege IAM policies with resource constraints in a matter of seconds, rather than tediously writing insecure IAM policies by hand. These policies are scoped down according to access levels and resource ARNs. In the case of a breach, this helps to limit the blast radius of compromised credentials by only giving IAM principals access to what they need. Before this tool, it could take hours to craft an IAM Policy with resource ARN constraints — but now it can take a matter of seconds. This way, developers only have to determine the access levels and resources that they need to access, and Policy Sentry abstracts the complexity of IAM policies away from their development processes. In this talk, you’ll learn how to use Policy Sentry. You will leave with practical knowledge about how to uplift and automate IAM security for your entire organization.

1. Limiting Blast Radius
Automating AWS IAM using Policy Sentry
@kmcquade3
Kinnaird McQuade, Lead Cloud Security Engineer

2. Kinnaird McQuade
Lead Cloud Security Engineer
Twitter: @kmcquade3
* Hacker, Builder, dog lover

3. ● Motivation
● Bad IAM Policies
● Secure IAM Policies
● How Policy Sentry solves these Problems
● Demo
Agenda

4. ● AWS IAM is difficult to manage,
especially at scale
● User roles generally undergo more
scrutiny than machine roles (EC2
instance profiles)
● Developers typically define IAM
policies for machine roles
Motivation
● Machine roles are rich targets for
attackers
● In the case of a breach, restricting
IAM on machine roles helps to limit
the blast radius of those credentials
by only giving access to what they
need.

5. Resource Constraints
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
}]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::example"
}]
}
Insecure: Wildcard resources More secure: Resource Constraints

6. {
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::example/*"
]}]
}
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::example/*"
]
}]
}
Access Levels
Insecure: All Access Levels More secure: Specific Access Levels

7. AWS
Managed
Policies
Eyeball it
Actions: "*"
Resources:
"*"

8. How do we automate our way out of the
problem?

9. ● Open Source CLI tool
● Creates Least Privilege IAM policies in seconds
● Scopes policies down to:
○ Access levels
○ Resource ARNs
● Uses simple YAML templates to generate policies
Generate Least-Privilege IAM Policies in seconds
Policy Sentry

10. Policy Sentry Templates
mode: crud
read:
-'arn:aws:s3:::example/*'
write:
-'arn:aws:s3:::example/*'

11. ● “I need Read and Write access to
the objects in the S3 bucket called
mybucket”
● “I need Tagging access to the
secret titled mysecret in us-east-1”
Policy Sentry
mode: crud
read:
-'arn:aws:s3:::mybucket/*'
write:
-'arn:aws:s3:::mybucket/*'
mode: crud
tagging:
-'arn:aws:secretsmanager:u
s-east-1:123456789012:secr
et:mysecret'

12. Writing Policies - Three easy steps
1. Generate the YAML template
policy_sentry create-template
--output-file demo.yml
--template-type crud
2. Copy and paste ARNs
3. Run the write-policy command
policy_sentry write-policy
--input-file demo.yml
mode: crud
read:
-'arn:aws:s3:::mybucket/*'
write:
-'arn:aws:s3:::mybucket/*'

13. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "SsmReadParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameterHistory",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource":
"arn:aws:ssm:us-east-1:123456789012:pa
rameter/myparameter"
}]
}

14. Demo time!
https://github.com/salesforce/policy_sentry/

15. How Policy Sentry Works
Leveraging the AWS Documentation on Actions, Resources, and Condition Keys
Actions
Access
Level
Resource Type
ssm:DescribeParameters List *
ssm:DescribeDocument Read document
ssm:GetParameter Read parameter
ssm:GetParametersByPath Read parameter
ssm:PutParameter Write parameter
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html

16. How Policy Sentry Works
Leveraging the AWS Documentation on Actions, Resources, and Condition Keys
Actions
Access
Level
Resource Type
ssm:DescribeParameters List *
ssm:DescribeDocument Read document
ssm:GetParameter Read parameter
ssm:GetParametersByPath Read parameter
ssm:PutParameter Write parameter
Policy Sentry
auto-selects the
proper Access Levels
and Resource Types
to determine the
necessary actions,
based on user input.
Source: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html

17. {
"Version": "2012-10-17",
"Statement": [{
"Sid": "SsmReadParameter",
"Effect": "Allow",
"Action": [
"ssm:GetParameter",
"ssm:GetParameterHistory",
"ssm:GetParameters",
"ssm:GetParametersByPath"
],
"Resource":
"arn:aws:ssm:us-east-1:123456789012:parame
ter/myparameter"
}]}
mode: crud
read:
-'arn:aws:ssm:us-east-1:12345678
9012:parameter/myparameter'
Input: Output:

18. ● Process:
1. Generate the Template file
2. Copy/paste ARNs
3. Run command to write the policy
● Policy Sentry…
○ Speeds up time to develop IAM
policies
○ Abstracts the complexity of IAM
○ Auditable, repeatable, store in version
control
○ You don’t need to be an IAM expert to
use it
○ Developer friendly - just paste into
YAML!
Recap
https://github.com/salesforce/policy_sentry/

19. ● DevOps Engineers
● Director/Senior Manager for IAM
● Infrastructure Security Engineers
● Threat/Vulnerability Management
● Penetration Testing
● Security Architects
● ...much more
● DM me on Twitter or the Cloud
Security Forum Slack if you are
interested
○ https://twitter.com/kmcquade3
PS: We’re hiring!
https://github.com/salesforce/policy_sentry/

21. Questions?
https://github.com/salesforce/policy_sentry/