Couldn’t quite pin it down, but either way, be careful
I’ve been testing something on AWS with an assumed role and noticed that I’m getting inconsistent behavior. In my script, I have a user that has permission to assume another role in another account.
Before I assume the role I verify the caller identity with this command:
aws sts get-caller-identity
That shows me the original user whose credentials are used to assume the external role.
After assuming the role, I run the same command again and I get the assumed role as the caller identity.
Then things get weird and inconsistent.
Initially I had the user assuming the role set up with zero permissions except to assume the role it’s supposed to use to run some tests. So when that user tried to describe anything in EC2, it would fail until it assumed the role.
That was by design so I was sure that I was getting data from the expected account and would notice if I had made a mistake. The user also didn’t need those permissions to do what I was trying to do, in accordance with zero trust security policies.
Because things were working inconsistently, I added permissions to read information about EC2 instances and networking in the account I’m trying to run my tests from. I tested my scripts locally in that account to verify they work correctly. I transferred the commands to the script where the assume role command is used to access an external account to run the same queries.
Essentially, I’m getting a list of public IP addresses.
Now that my user has access to read EC2 data, here’s what happens.
What I noticed, once I gave the local user permissions to query IP addresses in the local account, is that the script is randomly falling back to the local user, and this happens AFTER sts get-caller-identity says I’ve assumed the role. So instead of getting failures in every region, I sometimes get the remote IP addresses and sometimes get the local addresses.
What could be causing this?
I assumed the role a few minutes ago so the role shouldn’t be timing out.
I thought maybe I had mistyped the MFA code but if that was the case, my attempt to assume the remote role would fail. Additionally, the second STS command would show the current user rather than the remote role if I had not assumed the role correctly. Maybe I just looked at it all wrong. (It happens.)
I’m looping through regions to get IP addresses, so to pinpoint this problem further and verify I’ve not simply mistyped the MFA code somehow, I started running the STS call before every single command in every single region.
Since I’ve done that, I’ve not been able to reproduce the problem, so maybe I simply mistyped the MFA code because that’s really the only variable in this case.
Regardless of what caused this, it points to the need to be aware that this can happen, somehow, and to always validate that the role is what you think it is before taking sensitive actions that could affect the wrong account. This also points to the need for zero trust roles throughout your IAM design.
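The per-command identity check described above, written up as an added example (this is not the post’s own script). It assumes a placeholder account id and role name, which you would replace with your own, and it parses the CLI’s JSON with sed so it has no dependency on jq. Every AWS call goes through a guard that re-runs sts get-caller-identity and refuses to proceed unless the Arn is an assumed-role ARN for the expected role in the expected account, so a silent fallback to the local user fails closed instead of returning data from the wrong account.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Placeholders (assumptions, not values from the post): replace with your own.
EXPECTED_ACCOUNT="123456789012"   # remote account you intend to query
EXPECTED_ROLE="AuditReadOnly"     # role you intend to assume there

# Pull one string field out of the JSON printed by the AWS CLI.
# sed is used instead of jq so the script runs wherever the CLI does.
json_field() {
  printf '%s\n' "$2" | sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Return 0 only if the get-caller-identity JSON belongs to the expected role.
# An assumed-role identity has Arn arn:aws:sts::<account>:assumed-role/<role>/<session>;
# an IAM user has arn:aws:iam::<account>:user/<name>, which must be rejected.
identity_is_expected_role() {
  account=$(json_field Account "$1")
  arn=$(json_field Arn "$1")
  [ "$account" = "$EXPECTED_ACCOUNT" ] || return 1
  case "$arn" in
    "arn:aws:sts::${EXPECTED_ACCOUNT}:assumed-role/${EXPECTED_ROLE}/"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assume the role with MFA and export only the session credentials.
# Any other credential source is dropped first, so a failed export cannot
# leave the local user's keys or profile in play.
assume_role() {
  creds=$(aws sts assume-role --role-arn "$1" --role-session-name "$2" \
          --serial-number "$3" --token-code "$4" --output json) || return 1
  unset AWS_PROFILE AWS_SESSION_TOKEN
  AWS_ACCESS_KEY_ID=$(json_field AccessKeyId "$creds")
  AWS_SECRET_ACCESS_KEY=$(json_field SecretAccessKey "$creds")
  AWS_SESSION_TOKEN=$(json_field SessionToken "$creds")
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Run one AWS CLI command, but only after re-checking the caller identity.
guarded_aws() {
  identity=$(aws sts get-caller-identity --output json) || return 1
  if ! identity_is_expected_role "$identity"; then
    echo "refusing to run: caller is '$(json_field Arn "$identity")', not the expected role" >&2
    return 1
  fi
  aws "$@"
}

# The post's region loop, with the identity verified before every query.
list_public_ips() {
  for region in "$@"; do
    guarded_aws ec2 describe-instances --region "$region" \
      --query 'Reservations[].Instances[].PublicIpAddress' --output text || return 1
  done
}

# Interactive usage (placeholders):
#   assume_role arn:aws:iam::123456789012:role/AuditReadOnly audit-session \
#       arn:aws:iam::111111111111:mfa/local-user 123456
#   list_public_ips us-east-1 us-west-2
```

The check is deliberately stricter than "did the Account field change": it requires the assumed-role ARN shape for the named role, so a different role in the same account, or an IAM user in the remote account, is rejected as well. Because the guard runs before each command rather than once at the start, a credential source that changes partway through the loop is caught at the first affected call.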
Teri Radichel
© 2nd Sight Lab 2022