In the AWS ecosystem, each service necessitates explicit access to resources, endpoints, and objects that may belong to other services; this is known as the permission boundary. Services like AWS Config, Amazon Macie, and AWS GuardDuty require an AWS Identity and Access Management (IAM) role that allows access to resources beyond their direct control. It’s vital to comprehend the permissions that an IAM role provides (or restricts) to other entities within your AWS environment to maintain security and operational integrity.
For many users, establishing a service-linked role with the default permissions suffices. Generally, a service-linked role is created upon the initial setup of that service. However, organizations in heavily regulated sectors, such as finance or law enforcement, often apply stricter permission requirements to their resources. In certain scenarios, a user may have configured resources in their account (for example, through restrictive resource policies) that these service-linked roles cannot access, which can disrupt the normal functioning of those services. A method to identify these misconfigurations—whether intentional or accidental—can be invaluable for organizations with stringent security needs.
In this post, I will guide you through identifying resources that are not accessible by service-linked roles and establishing a proactive alert system for administrators when these issues are detected. For a comprehensive list of AWS services that utilize service-linked roles, refer to AWS services that work with IAM in the AWS Identity and Access Management User Guide.
Solution Overview
When an AWS service employing a service-linked role attempts to access resources from another service (for instance, Amazon Simple Storage Service (Amazon S3) buckets or Amazon Elastic Compute Cloud (Amazon EC2) instances), these attempts are logged in AWS CloudTrail. The log entries detail the Amazon Resource Name (ARN) of the calling role, the attempted action, and any error codes that may have been generated.
CloudTrail can stream its log data into Amazon CloudWatch Logs, and once ingested, a metric filter can turn matching log events into a CloudWatch metric. With this metric established, you can treat events captured by CloudWatch Logs just like any other metric. You can also implement CloudWatch alarms to notify administrators when these services encounter access issues. Furthermore, this methodology can be extended to invoke AWS Lambda functions or to implement more complex remediation actions.
Prerequisite: CloudTrail Setup
To begin, you must set up a CloudTrail trail that delivers data to a CloudWatch log group. To verify if a trail exists in your environment:
- Navigate to the AWS CloudTrail console and select Trails.
- If there are no trails, follow the outlined steps to create one. If a trail exists, proceed to configure it to deliver to CloudWatch Logs.
Creating a Trail
To set up a new trail:
- In the AWS CloudTrail console, select Create Trail.
- Under CloudWatch Logs, ensure Enabled is selected.
- For Log group name, use the default option.
- Under IAM role, provide a name, then proceed to the next step.
After configuring your trail, you can check if CloudWatch Logs delivery is enabled by going back to the CloudTrail console.
Step 1: Create the Metric Filter
Now, let’s create a metric filter that counts each failed request made by an AWS service utilizing a service-linked role.
- In the CloudWatch console, choose Log groups.
- Open the log group that corresponds with your CloudTrail configuration.
- Select Metric filters, then choose Create metric filter.
For the Filter pattern, enter the following:
{ $.eventName = Get* && $.errorCode = AccessDenied && $.userIdentity.sessionContext.sessionIssuer.arn = "arn:aws:iam::*:role/aws-service-role/*" }
Next, specify the metric namespace, which I recommend naming Local for easy tracking, and complete the necessary fields before creating the metric filter.
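To see exactly which CloudTrail records the pattern above would count, here is an added Python example (not part of the original post) that emulates the filter's three ANDed terms over a few constructed CloudTrail records; the account ID and role ARNs are sample values. It also shows a caveat of the pattern: an AccessDenied on a Put* call by a service-linked role is not counted, because the first term restricts matches to Get* actions.

```python
import fnmatch
import json

# The metric filter from the post, expressed as (JSON path, glob) terms joined by AND.
FILTER_TERMS = [
    ("eventName", "Get*"),
    ("errorCode", "AccessDenied"),
    ("userIdentity.sessionContext.sessionIssuer.arn",
     "arn:aws:iam::*:role/aws-service-role/*"),
]


def lookup(record, dotted_path):
    """Walk a dotted JSON path through the record; None if any key is missing."""
    node = record
    for key in dotted_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_filter(record):
    """True when every term matches, mirroring the '&&' in the metric filter."""
    for path, pattern in FILTER_TERMS:
        value = lookup(record, path)
        if not isinstance(value, str) or not fnmatch.fnmatchcase(value, pattern):
            return False
    return True


def count_blocked_slr_calls(log_lines):
    """Number of matching records, i.e. the value the metric filter would emit."""
    return sum(1 for line in log_lines if matches_filter(json.loads(line)))


def event(name, issuer_arn, error=None):
    """Build a minimal CloudTrail-style record (constructed sample, not real log output)."""
    rec = {"eventName": name,
           "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": issuer_arn}}}}
    if error:
        rec["errorCode"] = error
    return json.dumps(rec)


# Constructed sample ARNs: a service-linked role for AWS Config and a regular role.
SLR = "arn:aws:iam::123456789012:role/aws-service-role/config.amazonaws.com/AWSServiceRoleForConfig"
HUMAN = "arn:aws:iam::123456789012:role/Admin"

SAMPLE_LOG = [
    event("GetBucketPolicy", SLR, "AccessDenied"),  # counted: Get*, denied, service-linked role
    event("GetObject", HUMAN, "AccessDenied"),      # not counted: not a service-linked role
    event("PutEvaluations", SLR, "AccessDenied"),   # not counted: Put* falls outside the pattern
    event("GetBucketAcl", SLR),                     # not counted: succeeded, no errorCode field
]
```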
Step 2: Create a CloudWatch Alarm
With the metric filter created, every AccessDenied error on a Get* API call made by a service-linked role will generate a data point in CloudWatch metrics.
To view this metric and set up an alarm, go to CloudWatch, select Metrics, and then create an alarm based on the parameters you’ve defined.
This solution does not independently fix misconfigured resources; rather, it establishes a monitoring mechanism that identifies blocked resources, counts related access errors, and provides guidance for subsequent investigation.