ACM.128 Investigating potential ways to stop AWS SSO users from taking programmatic actions on AWS via the CLI or otherwise
In the last post I covered some of my concerns about the ability of an AWS SSO user to leverage the AWS CLI. To understand why I'm doing what I'm doing in this post, please read the last post first:
I want to restrict AWS SSO users from using anything but the AWS Console. In other words, I want to disallow all programmatic actions using AWS SSO user credentials, including using a code to link an AWS SSO session with AWS SSO user credentials.
As noted, there's no option at the moment to restrict AWS SSO (IAM Identity Center) users to only use the console from within the console.
Can we create a policy to restrict a user from using the AWS CLI?
My next approach is to try to create a policy that restricts a user from using a code to link their AWS SSO session with a programmatic session in some other way.
In the last post we learned that we can't use an SCP for the CreateToken command. If we want to restrict these three actions, we can try to create a policy that denies those actions and apply it to our AWS SSO users via permission sets instead.
Allow CloudShell to test CLI commands
I want to run this test using CloudShell, but I haven't given this user access to CloudShell.
Let's add CloudShell to the DNS administrator policies.
I wrote about this bug yesterday. When I search for my Route 53 permission set, search doesn't seem to be working. Today I noticed you have to search by ID or ARN. That's not very user-friendly. I hope that gets addressed soon.
Just for this test, I'm going to attach the CloudShell full access policy to this permission set.
Side note: Logout bug
Here's what looks like another bug. When on the AWS IAM Identity Center dashboard, choose Logout from the top right menu under the user name. It appears to log the user out, but it really doesn't. When I return to the AWS SSO start page I get the full list of accounts to which my user has access. If I click Sign out on that page, I do get logged out.
Test running a Route 53 command in CloudShell
Next I'm going to log in as the DNS administrator and verify I can run a DNS command from the command line using AWS CloudShell. I ran this command and it works:
aws route53domains list-domains --region us-east-1
The interesting thing is that I never had to run the aws sso login command or configure the CLI. That's because CloudShell automatically passes credentials from the console using this action:
Although I'm not a fan of the device code flow mentioned in the last post, I'm not sure if this particular use of credentials is quite as dangerous. Although we do have the browser as an attack surface, at least the user had to log in with MFA before being able to access CloudShell.
That said, I haven't pentested these parts of AWS (remember AWS doesn't have a bug bounty and certain parts of the platform are excluded from penetration tests). If you don't want users using this functionality, remove the policy I added above and deny access to CloudShell.
For the most part I perform programmatic actions using an EC2 instance as a bastion host of sorts rather than using CloudShell.
One other thing I noticed is that this user could take programmatic actions even though their email address was not verified.
Testing the aws sso login command in the AWS CLI
Alright, let's go to an AWS EC2 instance and try to log in using the AWS CLI.
I first tried to manually edit the config file as described in the last post, but got errors about an invalid file.
For some reason elinks popped up?
Then I tried to run the aws configure sso command. I got an odd looking screen like this with errors.
It looks like maybe the Amazon Linux VM is trying to display a text browser, but the code required to link the CLI session with the SSO session isn't getting passed through correctly. Or something like that.
Well, if elinks was used as a browser, perhaps that would be less risky than going to a browser on the machine where you browse the web and read email. If it worked… I'm not sure and not going to spend much time thinking about it.
My plan was to try to log in and see what actions show up for this user in CloudTrail when logging in, but I can't seem to even configure AWS SSO for the CLI. I don't know if it's because I've already configured other non-SSO profiles on this machine or something else. In any case I don't want to spend a lot of time troubleshooting this.
Searching for errors and actions in logs
Where would the logs related to this error even exist? It could be that this error is due to the functioning of the AWS CLI itself, or the error could be related to reaching out to some AWS service that isn't working correctly. Perhaps my network rules are blocking access to the service required for this to work properly.
When you think about it, the AWS CLI sso login command goes to the start URL without any account number, so where would CloudTrail log these actions? The only potential account would be the one where I'm configuring SSO, since that's the one I presume is associated with the start URL?
Logging into the SSO account and checking the logs doesn't yield any error messages. However, I do see that logs exist for my DNS admin user in addition to the domains account. The interesting thing is that even though I only gave that user permission for Route 53 and CloudShell via the policies assigned to the permission set, I see that actions are allowed for the sso, signin, and sts services.
Given that these are allowed even though I didn't include them in any policies in the permission set I assigned to this user, I suspect that there's not going to be a way to easily block the programmatic functionality we want to disallow. Will a deny action actually work?
There seems to be this link between providing that code and logging in, where the linkage between the AWS CLI and the AWS SSO session occurs, and those commands referenced in the blog post I linked to in my last post don't appear to be options in IAM policies at all.
When I look up the actions I find this list:
It seems to me this flow is more like enabling a Roku than enabling management of a cloud platform by programmatic means.
Also, when you use this flow to enable your Roku you have to have access to a Roku where you're logged in, I believe, not any random Roku. Then you can go to a website where you plug in the code you got off your Roku — where you are logged in — to link it up on the website, if I remember correctly.
The Roku device flow is initiated by getting a code from an authenticated source. The AWS flow seems to be going in reverse. You're getting a code from an unauthenticated source to link the sessions. Right? I'm not sure because it's not working for me. And to be honest I don't want to spend more time on it.
Can we disable the above in an IAM policy?
I logged into the console to see what actions are available for an IAM policy. I can't find anything that exactly matches the above name.
SSO/IIC itself doesn't seem to have anything that looks related to the above actions:
Below I see CreateBearerToken and StartWebAuthnDeviceRegistration. That might have something to do with it, but maybe the latter is related to MFA devices. I wanted to find out, so I clicked the (?) below. But when you do that, you don't get information about these commands; you get a generic help page that tells you how to create custom policies.
Searching around on the web, it does seem that WebAuthn is related to registering MFA devices:
Bearer tokens are used by some services, not others. I don't think that restricting this would block programmatic access altogether:
So as far as I can tell, I can't stop AWS SSO users from using the AWS CLI with their AWS SSO credentials and sessions. Perhaps a new method will come to light later.
Side note: There's a reason why I recommend to companies that they centralize and handle authentication in a standard way, so different teams are not doing it in different ways elsewhere and potentially making mistakes. Authentication and authorization are complicated to engineer correctly.
Actions tied to a user from an unrelated IP address
I also noticed another interesting thing. Since I couldn't restrict programmatic access, maybe I could restrict any actions by this user to the user's IP address alone in a policy. Of course this would have to be another user-specific policy unless I'm using a VPN or some solution like that.
But that also might not work. Why? Because I noticed that the IAM Identity Center administrative user I'm logged in with using SSO has actions logged with this source IP address:
3.12.22.118
That isn't my IP address. I haven't used anything other than the AWS console and SSO credentials with the user where I noticed this happening.
If I try to restrict all actions via policies to *my* IP address for my IAM Identity Center administrator, it looks like I'm going to end up blocking actions coming from some unidentified address. I suspect things will break, unless the IP condition doesn't actually work for these actions, and then we have yet another problem.
I had a similar issue on Microsoft Azure. I created a network rule and restricted access to my own IP address and got blocked from using a particular service. Microsoft admitted that was a bug and fixed it.
In this case, I haven't yet tested whether creating a condition that only allows actions from my IP address in my policy blocks me, or whether that condition even works for all actions. But it seems like that IP address needs to change to reflect the correct end user IP address.
Moving on…
At this point, I've spent more time than I have on trying to figure out how to restrict an AWS SSO (AWS IAM Identity Center) user to the console only, more than I would have liked. I'm going to move on and hope that AWS provides a way to do that soon, or at least documents how to create a policy that can achieve that objective. #awswishlist
I'll update this blog later if a solution presents itself. For now, I will be avoiding using codes or logging in to link SSO and CLI sessions, so hopefully I won't get tricked into entering my credentials into an invalid website with some random code. Wish me luck.
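Before attaching a policy that denies requests from outside a fixed IP range, a practitioner would want to know which already-logged actions for that user would have failed the condition. The script below is an added example, not code from the post: it runs a source-IP audit over a few constructed CloudTrail-style records (the 3.12.22.118 address is the one the post observed; the other addresses, the user name dns-admin and the CIDR 203.0.113.0/24 are made up), and builds the IAM deny statement using the documented aws:SourceIp and aws:ViaAWSService condition keys. Whether the post's unexplained request would actually carry aws:ViaAWSService is not something the post establishes; the exemption is shown because it is the documented way to keep service-originated calls out of an IP-based deny.

```python
"""Audit CloudTrail source IPs against an allow-list and build a matching deny statement.

Added example, not part of the original post. Events and addresses below are
constructed; 3.12.22.118 is the address the post reported seeing in its logs.
"""
import ipaddress
import json

# Constructed CloudTrail-style records, trimmed to the fields this audit uses.
SAMPLE_EVENTS = [
    {"eventSource": "sso.amazonaws.com", "eventName": "ListAccounts",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "dns-admin"}},
    {"eventSource": "route53domains.amazonaws.com", "eventName": "ListDomains",
     "sourceIPAddress": "3.12.22.118", "userIdentity": {"userName": "dns-admin"}},
    # CloudTrail records some service-originated calls with a service DNS name
    # instead of an IP; the name here is a constructed placeholder.
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "sourceIPAddress": "some-service.amazonaws.com",
     "userIdentity": {"userName": "dns-admin"}},
    {"eventSource": "route53.amazonaws.com", "eventName": "ListHostedZones",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"userName": "other-user"}},
]


def classify_source(source, allowed_networks):
    """Return 'allowed', 'outside' or 'service' for one sourceIPAddress value."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        # Not an IP literal: a service DNS name, so an IP condition would not match it.
        return "service"
    return "allowed" if any(ip in net for net in allowed_networks) else "outside"


def audit_events(events, user_name, allowed_cidrs):
    """Group one user's events by whether their source IP is inside allowed_cidrs."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    report = {"allowed": [], "outside": [], "service": []}
    for ev in events:
        if ev.get("userIdentity", {}).get("userName") != user_name:
            continue
        kind = classify_source(ev.get("sourceIPAddress", ""), nets)
        report[kind].append((ev["eventSource"], ev["eventName"], ev["sourceIPAddress"]))
    return report


def build_source_ip_deny(allowed_cidrs, exempt_service_calls=True):
    """Build a deny statement for requests whose aws:SourceIp is outside allowed_cidrs.

    With exempt_service_calls=True the statement also requires aws:ViaAWSService to be
    false, which is the documented way to avoid denying calls an AWS service makes on
    the user's behalf (the naive version without it is what the post expects to break).
    """
    condition = {"NotIpAddress": {"aws:SourceIp": list(allowed_cidrs)}}
    if exempt_service_calls:
        condition["Bool"] = {"aws:ViaAWSService": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Deny", "Action": "*", "Resource": "*",
                       "Condition": condition}],
    }


if __name__ == "__main__":
    allowed = ["203.0.113.0/24"]  # constructed "my IP" range
    result = audit_events(SAMPLE_EVENTS, "dns-admin", allowed)
    for src, name, ip in result["outside"]:
        print(f"would be denied by an IP condition: {src} {name} from {ip}")
    for src, name, ip in result["service"]:
        print(f"service-originated, not an IP literal: {src} {name} from {ip}")
    print(json.dumps(build_source_ip_deny(allowed), indent=2))
```

Run the audit over a real export of CloudTrail events for the user before deploying the statement; any entry in the "outside" bucket is an action the naive deny would have blocked, which is exactly the situation the post describes with the unidentified address.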
Follow for updates.
Teri Radichel
© 2nd Sight Lab 2023