 

Least privilege AWS IAM policy for cloudformation

For small CloudFormation and CodePipeline templates we could "try - test" to get least privilege IAM Policy for the roles required.

This usually involves:

  • Starting with a minimal policy
  • Creating the stack
  • It fails with: stack doesn't have rights to someService:someAction
  • Add the service action to the policy
  • Update the stack and try again

This approach is too time consuming for larger CloudFormation Templates.
How are you developing Least Privilege IAM Policies?

Ideas:

  • Allow "*" and then scrape cloudtrail for events and build map for listed events to their equivalent roles - then reduce the roles to only those listed in the cloudtrail logs.

    • If you can isolate actions down to a user name this helps

    • https://github.com/byu-oit-appdev/aws-cloudwatch-parse

  • Access Advisor

Eric Nord asked Jan 24 '17 15:01


1 Answer

Grant least privilege is a well-documented IAM Best Practice. The documentation recommends incrementally adding specific permissions, using the Access Advisor tab to determine which services are actually being used by an application (presumably using a broader set of permissions during the testing phase):

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.

One feature that can help with this is the Access Advisor tab, which is available on the IAM console Summary page whenever you inspect a user, group, role, or policy. This tab includes information about which services are actually used by a user, group, role, or by anyone using a policy. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. For more information, see Service Last Accessed Data.

This approach is similar to scraping CloudTrail for API events generated by a specific IAM Role/application, though the latter might be more difficult to filter through the entire event stream in order to find the relevant events, while the Access Advisor list is already filtered for you.

wjordan answered Nov 15 '22 12:11
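The CloudTrail-scraping idea from the question, which the answer above compares with Access Advisor, worked through as an added Python example (not code from either post or from the linked aws-cloudwatch-parse project): it attributes each record to its IAM principal (the issuing role for assumed-role sessions), maps eventSource/eventName pairs to IAM action names, and emits a policy containing only the actions the deployment role actually called. The records, the role ARN and the account id are constructed, and the eventSource-to-service-prefix mapping is a heuristic that needs overrides for services such as CloudWatch, whose events arrive as monitoring.amazonaws.com.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not from the post), trimmed to the fields the
# reduction needs: events 2-6 are sessions of the deploy role, 1 and 7 are other principals.
ROLE = "arn:aws:iam::111122223333:role/cfn-deploy"
_ROLE_SESSION = {"type": "AssumedRole",
                 "sessionContext": {"sessionIssuer": {"arn": ROLE}}}
SAMPLE_EVENTS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/eric"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "userIdentity": _ROLE_SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "userIdentity": _ROLE_SESSION},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "userIdentity": _ROLE_SESSION},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole", "userIdentity": _ROLE_SESSION},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm", "userIdentity": _ROLE_SESSION},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/other"}},
]
# eventSource hosts whose IAM service prefix differs from the host name (extend as needed).
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}

def principal_arn(event):
    """IAM principal behind an event: issuing role for assumed-role sessions, else the user ARN."""
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
    return ident.get("arn")

def to_iam_action(event):
    """Map eventSource + eventName to an IAM action string, e.g. s3:CreateBucket."""
    host = event["eventSource"].split(".", 1)[0]
    return f"{SERVICE_PREFIX_OVERRIDES.get(host, host)}:{event['eventName']}"

def actions_for_principal(events, arn):
    """Deduplicated, sorted list of the actions this principal actually called."""
    return sorted({to_iam_action(e) for e in events if principal_arn(e) == arn})

def build_policy(events, arn):
    """Policy document with one Allow statement per service. Resource stays "*" here;
    scope it to the stack's resources before attaching the policy."""
    by_service = defaultdict(list)
    for action in actions_for_principal(events, arn):
        by_service[action.split(":", 1)[0]].append(action)
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": acts, "Resource": "*"}
                          for _, acts in sorted(by_service.items())]}

if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_EVENTS, ROLE), indent=2))
```

Feed it the real records for the role (after a run with a broad policy, as the question suggests) and the output is the starting point for the reduced policy; events the role never emitted, such as the ec2 call above, never make it in.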