#adminuserapikeys - Administrative users have long lived API keys #125
Comments
|
The solution is to create a script that does the STS dance and updates the local ~/.aws/credentials file. The script will be installed as an alias to the aws command and will evaluate the current key to determine if it is still valid. If not it will initialize the STS dance and refresh the credentials. If the credential is not valid the script will attempt to use the in memory MFA key to get new temporary credentials. If the MFA credentials are invalid it will generate a dialog and trigger the token request for MFA creds that it will then store only in memory. |
|
http://www.infoq.com/presentations/aws-cli-federation It's pinterest's aeres, IIRC |
|
From @gene1wood on June 3, 2016 17:43 Nubis is planning to use a handful of technologies to improve their security posture. The goal is to remedy these risks :
The plan is described here : https://github.com/nubisproject/nubis-deploy/blob/master/SECURITY.md The technologies are
User policy
If the above 3 conditions are all met, then the action is denied. I believe this means that the How can a user AWS Managed RolesI'm unsure how these roles are assumed aws-vaultThe effect of using this tool from a security perspective is that the long lived API keys are encrypted at rest as opposed to stored in plain text if the tool were not used.
|
|
From @gozer on June 3, 2016 17:56 First, a small point of clarification. There is one shared read-only role indeed, but for administrative actions, each user has his own admin policy, which is * : * and only him/her can assume, you can see that here: https://github.com/nubisproject/nubis-deploy/blob/master/modules/global/admins/main.tf#L72 I suspect that might be what makes the STS assumption into the admin role work. |
|
From @gozer on June 3, 2016 17:57 AWS Managed Roles? They are never assumed. The only 2 roles ever assumed by a user are the nubis created readonly one as well as the per-user admin role. |
|
From @gene1wood on June 3, 2016 18:35
I'm assuming that's this role
I'm assuming that this is the policy for the admin role The challenge is this policy applies to a role, and the role can't grant the users Would it be possible to see the entire collection of policies that apply to a user, roles which are created and policies which apply to those roles that these terraform scripts create?
Got it, this was based off of a guess by JD while you were out.
Oh I wasn't calling this out as a problem, just describing what the policies cause. Deciding to require MFA in order to do a password change may be a confusing user experience. The security benefits for requiring MFA on password change are
In the end I'd say the minor benefits aren't worth the potential user confusion. |
|
From @gozer on July 8, 2016 15:10
Each user is in an Administrator group, with no policies attached directly to any user. The Administrator group has 2 policies attached:
Each admin user gets his/her own role:
A single policy per role, you can see it here [https://github.com/nubisproject/nubis-deploy/blob/master/modules/global/admins/main.tf#L38] |
|
From @rollobancher on July 28, 2016 15:47 @gene1wood Just a reminder to review gozers last comment from 7/8. Thanks in advance! |
|
From @gene1wood on July 28, 2016 21:2 @gozer thanks for the clarification. Couple more questions I'm unclear how the two policies you identified (mfa-policy and Here's a policy simulation of those two policies and the action which returns Second question : Here's a user with the mfa-policy and which returns |
|
From @gozer on August 4, 2016 18:29 The iam:DeactivateMFADevice case, I believe, is basically a bug fixed with this: |
|
From @gozer on August 4, 2016 18:31
A good question, and yes the arn:aws:iam::aws:policy/AdministratorAccess would be good enough. Unfortunately, we need a role that STS can use to assume, for things like logging into the web console and all. And the Amazon policies like the one above can't be used for that. Thus the existence of one specific admin role per user. |
|
From @gozer on August 4, 2016 18:32 Oh, and that also allows us to see who is logged into the web console, for instance, nubis/admin/gozer vs. nubis/admin/jd And you'll notice the permissions only allow me to take the gozer admin role, not jd's |
|
From @gene1wood on August 5, 2016 16:44
I don't think it is. If you make that change you break a users ability to setup MFA at all It's probably a good idea to setup a suite of unit tests in the form of AWS policy simulation commands that show the behavior you want then run them against your policies to come up with something that works. Once you have that battery of policy simulations, add them to this ticket along with the new policy so I can see what the intended behavior is (from the tests) and how the policy simulation passes those tests.
Why would an admin user who first logs in to the web console as themselves with their username password and MFA, assume a role when they already are in the web console and have administrative rights? When you say that you "need a role that STS can use to assume, for things like logging into the web console" I don't understand. Why does a user need a role for STS to assume? That role grants them no different permissions than they already have logged into the web console as their user. |
|
From @gozer on August 5, 2016 17:22
You're right, I got the overriding logic wrong, but it should illustrate my point anyhow. The correct fix should be something more like : this gist
And generally a good idea to have tests for anything important, I agree. Unfortunately, at the moment, we don't exactly have the resources available to do any kind of testing, so it will have to wait
Ah, you must have missed the part where the IAM users we create for admins only have API credentials, no web console password at all. This way, we don't have that password to manage at all, but it's what requires the use of STS for getting into the web console |
|
@gene1wood I just want to clarify where we are. As I understand it, if @gozer applies the gist in his last comment (and it works) we will be all good here? - Thanks |
|
From @gene1wood on August 9, 2016 17:37 @tinnightcap I'm not sure. If you could add the current policies (with all the diffs applied) that you've tested and verified do what you're hoping they do, I can review them. |
|
@gene1wood gozer applied the patch, can you have a look? |
|
From @gene1wood on October 5, 2016 19:50 Yes, happy to. Could you point me to the current policy (with all the diffs applied) that's been tested, the ticket's a bit long and I'm not sure what patch you mean. |
|
@gene1wood well I am not exactly sure what you need at this point. I was referring to your previous comment and the fact that @gozer applied a diff as: https://github.com/nubisproject/nubis-deploy/pull/109/files that you can see directly before my last comment. Actually I don't know where this review is at in any respect. I guess what I need from you is to know exactly what we (the Nubis team) need to do in order to get this review finished up. Can you tell me exactly what you need in order to close this out? Thanks |
|
From @gozer on October 11, 2016 17:38 For instance, the 'gozer' admin policy looks like: {
"Version": "2012-10-17",
"Statement": [
{
"Action": "*",
"Effect": "Allow",
"Resource": "*",
"Sid": "admin"
}
]
}The trust relationship is: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "gozer",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::517826968395:user/nubis/admin/gozer"
},
"Action": "sts:AssumeRole"
}
]
}My user has 2 policies attached, the Amazon AdministratorAccess one, plus our own MFA enforcing policy: {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAllUsersToListAccounts",
"Effect": "Allow",
"Action": [
"iam:ListUsers",
"iam:ListAccountAliases"
],
"Resource": [
"arn:aws:iam::517826968395:user/*"
]
},
{
"Sid": "AllowIndividualUserToSeeTheirAccountInformation",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:CreateLoginProfile",
"iam:DeleteLoginProfile",
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:GetLoginProfile",
"iam:UpdateLoginProfile"
],
"Resource": [
"arn:aws:iam::517826968395:user/${aws:username}"
]
},
{
"Sid": "AllowIndividualUserToListTheirMFA",
"Effect": "Allow",
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListMFADevices"
],
"Resource": "*"
},
{
"Sid": "AllowIndividualUserToManageThierMFA",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:ResyncMFADevice"
],
"Resource": [
"arn:aws:iam::517826968395:mfa/${aws:username}",
"arn:aws:iam::517826968395:user/${aws:username}"
]
},
{
"Sid": "DeactivatingMFANeedsMFA",
"Effect": "Deny",
"Action": [
"iam:DeactivateMFADevice"
],
"Resource": "*",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "false"
}
}
},
{
"Sid": "DoNotAllowAnythingOtherThanAboveUnlessMFAd",
"Effect": "Deny",
"NotAction": "iam:*",
"Resource": "*",
"Condition": {
"Null": {
"aws:MultiFactorAuthAge": "true"
}
}
}
]
} |
|
From @gozer on October 11, 2016 17:43 https://github.com/nubisproject/nubis-deploy/blob/master/modules/global/admins/main.tf#L147 |
|
From @gene1wood on October 13, 2016 23:4 The remaining tasks to review this are :
|
From @gozer on August 24, 2015 18:4
From https://mana.mozilla.org/wiki/display/SECURITY/Nubis#Nubis-#adminuserapikeys
Administrative users have long lived API keys
The dev automation users which have local non-federated user accounts in the stage and prod nubis AWS accounts create long lived AWS API keys which they store on their local workstations. Since API keys can not use MFA, a compromise of any of these workstations would result in a full compromise of the nubis aws accounts.
Recommendations :
Copied from original issue: nubisproject/nubis-meta#22
The text was updated successfully, but these errors were encountered: