Support Automation Workflow (SAW) Runbook: Contain a compromised Identity and Access Management (IAM) User/Role
In the event of a security incident or a suspected compromise of an AWS Identity and Access Management (IAM) User/Role or AWS Identity Center (IDC) user, swift isolation of the affected identity is crucial while preserving its configuration for investigation. The AWSSupport-ContainIAMPrincipal runbook provides a structured, reversible approach to contain compromised IAM or IDC identities, effectively blocking their access to AWS resources and preventing potential spread of the compromise.
This automated process enables investigation without permanent alteration of the identity's configuration, allowing for restoration of normal access when deemed appropriate. In this article, I will show you how to use the AWSSupport-ContainIAMPrincipal, AWS Systems Manager automation to execute reversible network containment procedure for an AWS Identity and Access Management (IAM) User/Role or AWS Identity Center (successor to AWS Single Sign-On) (IDC) user. The containment process maintains the user or role within IAM or the user within IDC, while effectively isolating it from all network activities. This isolation prevents the contained identity resource from communicating with resources inside your Amazon Virtual Private Cloud (VPC) or accessing internet resources. The containment is designed to be reversible, allowing for restoration of normal access when deemed appropriate.
Learn more about Support Automation Workflows >>
Disclaimer
-
Use of Elevated Privileges: This SSM document performs various operations that require elevated privileges, such as modifying IAM and IDC identity policies and applying quarantine configurations. These actions could potentially lead to privilege escalation or impact other workloads that depend on the targeted identities. You should review the permissions granted to the role specified by the 'AutomationAssumeRole' parameter and ensure they are appropriate for the intended use case. You can refer to the following AWS documentation for more information on IAM permissions:
-
Workload Unavailability Risks: This SSM document performs isolation actions that could potentially cause unavailability or disruption to your workloads. When executed during a security event, it will restrict access to the affected resource by revoking AWS API permissions from the specified IAM and IDC identities, preventing them from making any AWS API calls or actions. This could impact any applications or services that depend on these identities.
-
Creation of Additional Resources: The automation document may conditionally create additional resources, such as an Amazon Simple Storage Service (Amazon S3) bucket and S3 objects stored in them, depending on the execution parameters. These resources will incur additional charges based on your AWS usage.
-
Restoration Risks: If the Action parameter is set to
Release
, this SSM document attempts to restore the IAM or IDC identity configuration to its original state. However, there is a risk that the restoration process may fail, leaving the IAM or IDC identity in an inconsistent state. The document provides instructions for manual restoration in case of such failures, but you should be prepared to handle potential issues during the restoration process.
How it works?
- For IAM user
containment
, the automation deactivates access keys, deletes the login profile, deactivates MFA, and attaches a policy revoking access tokens generated prior to the time of automation execution. - For IAM user
release
, it reactivates access keys(if and only if ReActivateDisabledKeys parameter is set totrue
) and detaches the policy attached previously as part of the resource containment, and if MFA devices were deactivated during containment, those must be manually re-enabled. - For IAM role
containment
, the automation attaches an IAM inline policy to revoking access tokens generated prior to the time of automation execution. - For IAM role
release
, it detaches the policy attached previously as part of the resource containment. - For IDC user
containment
, the automation removes the user from the IDC group, deletes the user's account assignment to remove associated permissions, and either attaches a new inline policy if one doesn't exist or edits the existing inline policy to block all user permissions. - For IDC user
release
, the automation adds the user back to the IDC group they belonged to before containment, recreates the user's account assignment to restore associated permissions, and removes deny policy or policy statement that was added during containment. - The final report, containing both initial and final configurations of IAM/IAM Identity Center (IDC) identity resources, is saved to the S3 bucket. The report can be found at the following S3 prefix location:
{year}/{month}/{day}/{hour}/{minute}/{automation_execution_id}.json
after the automation completes.
The runbook execution will display the appropriate output message - ReportContain.Message
, ReportRelease.Message
, ReportContainFailure.Message
or ReportReleaseFailure.Message
- depending on the action taken and the overall automation status.
Required IAM permissions
The AutomationAssumeRole parameter requires the following permissions to successfully use the runbook:
Non-Mutating Actions:
- s3:GetBucketLocation
- s3:GetBucket
- s3:ListBucket
- s3:GetBucketPublicAccessBlocks
- s3:GetAccountPublicAccessBlocks
- s3:GetBucketPolicyStatus
- s3:GetBucketAcl
- s3:GetObject
- iam:getUser
- iam:GetUserPolicy
- iam:getRole
- iam:ListUserPolicies
- iam:ListAttachedUserPolicies
- iam:ListAccessKeys
- iam:ListMfaDevices
- iam:ListVirtualMFADevices
- iam:GetLoginProfile
- iam:GetPolicy
- iam:GetRolePolicy
- iam:ListPolicies
- iam:ListAttachedRolePolicies
- iam:ListRolePolicies
- organizations:ListAccounts
- sso:ListPermissionSetsProvisionedToAccount
- sso:GetInlinePolicyForPermissionSet
- sso:ListInstances
- sso-directory:SearchUsers
- sso:ListPermissionSets
- sso:ListAccountAssignments
- sso-directory:DescribeUser
- identitystore:ListUsers
- identitystore:ListGroups
- identitystore:IsMemberInGroups
- identitystore:ListGroupMemberships
Mutating Actions
- s3:CreateBucket
- s3:PutObject
- iam:UpdateAccessKey
- iam:CreateAccessKey
- iam:DeleteLoginProfile
- iam:DeleteAccessKey
- iam:PutUserPolicy
- iam:DeleteUserPolicy
- iam:DeactivateMFADevice
- iam:AttachRolePolicy
- iam:AttachUserPolicy
- iam:DeleteRolePolicy
- iam:TagMFADevice
- iam:PutRolePolicy
- iam:TagPolicy
- iam:TagRole
- iam:TagUser
- iam:UntagUser
- iam:UntagRole
- secretsmanager:CreateSecret
- secretsmanager:DeleteSecret
- sso:DeleteAccountAssignment
- sso:PutInlinePolicyToPermissionSet
- sso:CreateAccountAssignment
- sso:DeleteInlinePolicyFromPermissionSet
- sso:TagResource
- sso:UntagResource
- identitystore:DeleteGroupMembership
- identitystore:CreateGroupMembership
Instructions
- Navigate to the AWSSupport-ContainIAMPrincipal in the AWS Systems Manager console.
- Click on Execute automation.
- For the input parameters enter the following:
- AutomationAssumeRole (optional): The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation will use the permissions of the user that starts this runbook.
- IAMResourceType(Required): The identities managed in IAM or IDC you want to contain. Allowed values are
IAM user
,IAM role
, andIdentify Center user
. - IAMResourceName(Required): The name of the IAM resource you want to contain.
- Action(Optional):
Contain
will instruct the automation to isolate the IAM resource andRelease
will restore to its original configuration. Allowed Values areContain
andRelease
. Default value:Contain
. - DryRun(Optional): When set to
true
, the automation will not execute any of the commands, instead it will report on what it would have attempted to do, detailing out each step. Allowed Values aretrue
andfalse
. Default value:true
. - ReActivateDisabledKeys(Conditional): If Action is
Release
, this determines if an access keys deactivated in containment step should be re-activated or not. Please note that the integrity of compromised keys cannot be verified. AWS strongly recommends against reactivating a compromised key. Instead, it is advisable to generate new keys and use them moving forward. Allowed Values aretrue
andfalse
. Default value:false
. - S3BucketName(Required): Amazon S3 bucket to upload the configuration when Action is
Contain
or to restore the configuration when Action isRelease
. Please Note If the provided bucket doesn’t exist in the account, Automation will create a S3 bucket on your behalf. - TagIdentifier(Optional): Tag the resources with a tag of your choice using the following format:
Key=BatchId,Value=78925
. This option allows you to track instances that have been targeted by this runbook. Note: Tag keys and values are case-sensitive. - S3PrefixName(Conditional): If Action is
Release
, this specifies the Amazon S3 path to restore the IAM or IAM Identity Center (IDC) identity configuration. The S3 key follows this format:{year}/{month}/{day}/{hour}/{minute}/{automation_execution_id}.json
. This path can be obtained from the output of the containment automation execution.
The following example demonstrates how to use the AWSSupport-ContainIAMPrincipal automation runbook to contain an IAM Role present in the AWS account.
- Click on Execute.
- You should see that the automation has been initiated.
- Document will perform the following steps:
ValidateRequiredInputs
- Validates that all required inputs are provided.S3BucketPreChecks
- Checks if the provided S3 bucket does not allow public read/write access.GetIAMRoleDetails
- Gathers details about the IAM Role.AttachInlineDenyPolicyToRole
- Attaches an inline policy to the IAM Role that revokes all access tokens created before the current time.ReportContain
- Provides the initial and final configuration of the Role.
- Once completed, you can review the Outputs section to see a summary of the IAM Role initial and final configuration.
Conclusion
In this article, I demonstrated how to contain an compromised IAM Role using AWSSupport-ContainIAMPrincipal, available in the AWS System Manager.
References
Systems Manager Automation
Running a simple automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-working-executing.html
Setting up Automation: https://docs.aws.amazon.com/systems-manager/latest/userguide/automation-setup.html
Documentation related to the AWS service
AWS public document AWSSupport-ContainIAMPrincipal: AWSSupport-ContainIAMPrincipal
To help you troubleshoot, remediate, manage, and reduce costs on your AWS resources, AWS Support maintains a subset of the AWS provided predefined runbooks . These runbooks are prefixed with “AWSSupport-“ or “AWSPremiumSupport-“.
Relevant content
- asked a year agolg...
- asked a year agolg...
- asked 3 months agolg...
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a year ago