Update on IAM Access Analyzer – Policy Validation

AWS Identity and Access Management (IAM) is a crucial component of AWS, enabling users to create IAM policies and service control policies (SCPs) that set access levels for specific AWS services and resources. These policies can be attached to IAM principals (users and roles), user groups, or AWS resources. While IAM provides fine-grained control, it also imposes the responsibility of ensuring proper usage, consistently aiming for least privilege access. To aid users, IAM tutorials are available, and the IAM Access Analyzer helps identify resources shared with external entities. Recently, we have introduced an update to IAM Access Analyzer, allowing you to validate access to your S3 buckets before implementing permission changes.

New Policy Validation

I am excited to announce the introduction of policy validation within IAM Access Analyzer. This robust feature is designed to assist users in crafting IAM policies and SCPs that align with established AWS best practices.

Targeted at developers and security teams, validation occurs prior to attaching policies to IAM principals. Over 100 checks are conducted, each aimed at enhancing security posture and simplifying policy management at scale. The results of these checks provide detailed insights and actionable recommendations.

Validation can be accessed via the JSON Policy Editor in the IAM Console, the command line (aws accessanalyzer validate-policy), and your own code (ValidatePolicy). Programmatic validation can be seamlessly integrated into your CI/CD workflows using the CLI and API options.
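As an added example (not code from the original post or from AWS), here is a small Python gate for a CI/CD job built on the ValidatePolicy call named above: it pages through the findings and fails the build on ERROR or SECURITY_WARNING while only reporting WARNING and SUGGESTION. The ConstructedClient class, the sample policy, and the finding texts and issue codes it returns are constructed stand-ins so the script runs offline; in a real pipeline you would pass boto3.client("accessanalyzer") instead.

```python
import json
import sys

# ValidatePolicy finding types, most to least severe (the four categories the post lists).
SEVERITY = {"ERROR": 3, "SECURITY_WARNING": 2, "WARNING": 1, "SUGGESTION": 0}

# Constructed sample policy: iam:PassRole on Resource "*" and no Version element.
POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"}]})


class ConstructedClient:
    """Offline stand-in for boto3.client("accessanalyzer"): replays a constructed
    two-page ValidatePolicy response so the nextToken loop below is exercised."""
    pages = [
        {"findings": [{"findingType": "SECURITY_WARNING", "issueCode": "PASS_ROLE_WITH_STAR_IN_RESOURCE",
                       "findingDetails": "iam:PassRole with a wildcard resource is overly permissive.",
                       "locations": [{"path": [{"value": "Statement"}, {"index": 0}, {"value": "Resource"}]}]}],
         "nextToken": "page-2"},
        {"findings": [{"findingType": "SUGGESTION", "issueCode": "MISSING_VERSION",
                       "findingDetails": "Specify the latest policy Version element.", "locations": []}]},
    ]

    def validate_policy(self, **kwargs):
        return self.pages[1 if kwargs.get("nextToken") else 0]


def fetch_findings(client, policy_document, policy_type="IDENTITY_POLICY"):
    """Page through ValidatePolicy (following nextToken) and return every finding."""
    findings, kwargs = [], {"policyDocument": policy_document, "policyType": policy_type}
    while True:
        resp = client.validate_policy(**kwargs)
        findings.extend(resp.get("findings", []))
        if not resp.get("nextToken"):
            return findings
        kwargs["nextToken"] = resp["nextToken"]


def location(finding):
    """Render the first finding location as Statement/0/Resource, or '-' if absent."""
    path = finding["locations"][0]["path"] if finding.get("locations") else []
    return "/".join(str(p.get("value", p.get("index"))) for p in path) or "-"


def gate(findings, fail_on=("ERROR", "SECURITY_WARNING")):
    """CI decision: returns (ok, report_lines), report sorted most severe first."""
    ordered = sorted(findings, key=lambda f: -SEVERITY.get(f["findingType"], -1))
    report = [f"{f['findingType']} {f['issueCode']} at {location(f)}: {f['findingDetails']}" for f in ordered]
    return not any(f["findingType"] in fail_on for f in findings), report


if __name__ == "__main__":
    # Swap ConstructedClient() for boto3.client("accessanalyzer") to validate a real policy file.
    ok, report = gate(fetch_findings(ConstructedClient(), POLICY))
    print("\n".join(report))
    sys.exit(0 if ok else 1)
```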

In the IAM Console, policy validation is conducted in real-time whenever a customer-managed policy is created or modified. Findings are categorized by severity, with examples including:

  • Security – Identifies overly permissive policy elements that could pose security risks, such as the use of iam:PassRole with NotResource or the wildcard “*” as a resource.
  • Error – Flags elements that prevent the policy from functioning correctly, including syntax errors, missing actions, and invalid constructs.
  • Warning – Highlights elements that deviate from AWS best practices, like references to deprecated global condition keys or invalid users.
  • Suggestion – Points out elements that are missing, empty, or redundant.

Key Details

As mentioned, we are launching with over 100 checks, with plans to expand this list over time. Feedback is always welcome. In keeping with our commitment to excellence, we regularly validate the Amazon-managed IAM policies and make adjustments as necessary. Occasionally, we mark existing managed policies as deprecated, notifying customers via email and providing updated replacements. For more information on our process, visit Deprecated AWS Managed Policies.

Though there are several open-source policy linters for AWS, such as the well-known Parliament from Duo Labs, our customers expressed a desire for an AWS-native validation feature that operates in real-time during policy editing. Responding to this feedback, a dedicated team on the IAM side developed this policy validation feature from the ground up.

This new feature is currently available across all AWS regions at no cost. For additional insights on IAM and AWS policies, check out this related blog post here and refer to the authority on the subject at this link. Also, for those looking to expand their knowledge, this training resource is highly recommended.

— Marcus
