Security Hub: cross-account access warning for SSO and OIDC

0

I followed the article about how to set up OIDC for IAM:

Works like a charm; however, Security Hub now reports a cross-account access violation. The same happens when I set up an SSO group in our organisation, attach one of the predefined roles and attach it to the account.

What am I missing here? Do I need to manually modify these permissions? In the case of SSO I am actually not sure how, as the group is intended to provide access to multiple accounts.

1 Answer
1

Hi, thank you for reaching out.

Most likely you are getting these Security Hub findings from IAM Access Analyzer. If that's true, then in my view it sounds like the zone of trust of IAM Access Analyzer is the account, not the organization. You may know this, but below is a short description of how IAM Access Analyzer analyses policies:

Access Analyzer does not examine access logs to determine whether an external entity accessed a resource within your zone of trust. It generates a finding when a resource-based policy allows access to a resource, even if the resource was not accessed by the external entity. Access Analyzer also does not consider the state of any external accounts when making its determination. That is, if it indicates that account 11112222333 can access your S3 bucket, it knows nothing about the state of users, roles, service control policies (SCP), and other relevant configurations in that account. This is for customer privacy – Access Analyzer doesn't consider who owns the other account. It is also for security – if the account is not owned by the Access Analyzer customer, it is still important to know that an external entity could gain access to their resources even if there are currently no principals in the account that could access the resources.

Source

If SSO and OIDC roles are shared within the same organization, then recreating the IAM Access Analyzer zone of trust might help here, expanding the trust boundary from an account to an organizational view. Below is a how-to document on the same; effectively, remove the account-level analyzer and create an organization-wide analyzer from the delegated admin account (organization admin account):

https://docs.aws.amazon.com/IAM/latest/UserGuide/access-analyzer-getting-started.html

HTH

AWS
AdeshG
answered 2 years ago
  • This is awesome! I'll give it a go!

  • I also got this recommendation in a different forum:

    archive AWS SSO roles automatically so things like this aren't flagged:

      # Complete CloudFormation template: an organization-wide analyzer with an
      # archive rule that auto-archives findings on the roles IAM Identity
      # Center provisions under the aws-reserved/sso.amazonaws.com/ path.
      # Both Filter entries must match (AND); isPublic = 'false' keeps public
      # exposure from ever being hidden. Type: ORGANIZATION requires the stack
      # to be deployed in the management or delegated administrator account.
      Resources:
        MyAnalyzer:
          Type: AWS::AccessAnalyzer::Analyzer
          Properties:
            Type: ORGANIZATION
            AnalyzerName: my-analyzer
            ArchiveRules:
              - RuleName: ArchiveSSORoles
                Filter:
                  - Property: isPublic
                    Eq:
                      - 'false'
                  - Property: resource
                    Contains:
                      - aws-reserved/sso.amazonaws.com/AWSReservedSSO


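As an added example (not code from the question, the answer or AWS), the Python below expresses the archive rule from the comment above in the request shape boto3's accessanalyzer.create_analyzer() takes, and applies the same filter semantics to a few constructed findings so the rule's effect can be checked offline before it is deployed. It also exercises an edge case the posted substring misses: Identity Center role paths outside us-east-1 carry a Region segment (aws-reserved/sso.amazonaws.com/<region>/AWSReservedSSO_...), so a Contains on aws-reserved/sso.amazonaws.com/AWSReservedSSO matches only the us-east-1 layout, while matching on the reserved path prefix role/aws-reserved/sso.amazonaws.com/ covers both. The account ID, role names and the oidc.example.com provider are constructed placeholders; nothing here calls AWS.

```python
"""Local model of an IAM Access Analyzer archive rule.

Added example, not code from the original post or from AWS. It expresses the
CloudFormation archive rule from the comments in the request shape that
boto3's accessanalyzer.create_analyzer() takes, then applies the same filter
logic to constructed findings to show what the rule archives. No AWS call.
"""
from typing import Any, Dict, List, Optional, Tuple

# Substring from the posted rule. Identity Center roles in us-east-1 live at
# .../aws-reserved/sso.amazonaws.com/AWSReservedSSO_<set>_<hash>; in other
# Regions the path gains a Region segment after sso.amazonaws.com/, so the
# posted substring is not contiguous there. The aws-reserved/ path is written
# only by AWS, so matching on it alone cannot be spoofed by a customer role.
POSTED_SUBSTRING = "aws-reserved/sso.amazonaws.com/AWSReservedSSO"
RESERVED_PATH = "role/aws-reserved/sso.amazonaws.com/"


def sso_archive_rule(substrings: List[str], rule_name: str = "ArchiveSSORoles") -> Dict[str, Any]:
    """Archive rule in API syntax: every listed property must match (AND);
    within 'contains', any one substring suffices (OR)."""
    return {
        "ruleName": rule_name,
        "filter": {
            "isPublic": {"eq": ["false"]},  # never auto-archive public access
            "resource": {"contains": substrings},
        },
    }


def create_analyzer_request(analyzer_name: str, rule: Dict[str, Any]) -> Dict[str, Any]:
    """kwargs for boto3 accessanalyzer.create_analyzer(). An ORGANIZATION
    analyzer must be created from the Organizations management account or
    the delegated administrator for IAM Access Analyzer."""
    return {"analyzerName": analyzer_name, "type": "ORGANIZATION",
            "archiveRules": [rule]}


def _property(finding: Dict[str, Any], name: str) -> Optional[str]:
    """Resolve a dotted finding property (e.g. 'principal.Federated') to the string form filters compare."""
    value: Any = finding
    for part in name.split("."):
        if not isinstance(value, dict):
            return None
        value = value.get(part)
    if isinstance(value, bool):
        return "true" if value else "false"
    return None if value is None else str(value)


def _criterion_matches(value: Optional[str], criterion: Dict[str, Any]) -> bool:
    if "exists" in criterion and (value is not None) != bool(criterion["exists"]):
        return False
    if "eq" in criterion and value not in criterion["eq"]:
        return False
    if "neq" in criterion and value in criterion["neq"]:
        return False
    if "contains" in criterion and (
        value is None or not any(s in value for s in criterion["contains"])
    ):
        return False
    return True


def rule_matches(finding: Dict[str, Any], rule: Dict[str, Any]) -> bool:
    return all(_criterion_matches(_property(finding, prop), crit)
               for prop, crit in rule["filter"].items())


def partition_findings(findings: List[Dict[str, Any]],
                       rule: Dict[str, Any]) -> Tuple[List[str], List[str]]:
    """Split finding IDs into (archived, still_active) under the rule."""
    archived = [f["id"] for f in findings if rule_matches(f, rule)]
    active = [f["id"] for f in findings if not rule_matches(f, rule)]
    return archived, active


# Constructed sample findings; account ID and names are placeholders.
ROLE = "arn:aws:iam::111122223333:role/"
SAMPLE_FINDINGS: List[Dict[str, Any]] = [
    # Identity Center role, us-east-1 layout (no Region segment)
    {"id": "sso-admin", "isPublic": False, "resource": ROLE + "aws-reserved/sso.amazonaws.com/AWSReservedSSO_AdministratorAccess_0123456789abcdef"},
    # Same kind of role from an Identity Center instance in eu-west-1
    {"id": "sso-readonly", "isPublic": False, "resource": ROLE + "aws-reserved/sso.amazonaws.com/eu-west-1/AWSReservedSSO_ReadOnlyAccess_fedcba9876543210"},
    # The asker's OIDC role sits under a customer path: it needs its own rule
    {"id": "oidc-deploy", "isPublic": False, "resource": ROLE + "oidc-deploy-role",
     "principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/oidc.example.com"}},
    # A customer role merely named like an SSO role lacks the reserved path
    {"id": "sso-lookalike", "isPublic": False, "resource": ROLE + "AWSReservedSSO_AdministratorAccess_lookalike"},
    # Public resource: the isPublic guard keeps it active whatever its name
    {"id": "public-bucket", "isPublic": True, "resource": "arn:aws:s3:::example-public-bucket"},
]

if __name__ == "__main__":
    for label, subs in (("as posted", [POSTED_SUBSTRING]), ("reserved path", [RESERVED_PATH])):
        archived, active = partition_findings(SAMPLE_FINDINGS, sso_archive_rule(subs))
        print(f"{label}: archived={archived} active={active}")
```

Run as-is it prints the two partitions; with real credentials in the delegated administrator account, boto3.client("accessanalyzer").create_analyzer(**create_analyzer_request("org-analyzer", sso_archive_rule([RESERVED_PATH]))) would create the organization analyzer with that rule. Note that the OIDC role from the question falls outside either substring, so its finding stays active until a rule keyed on its own path (or on principal.Federated) is added; archiving only suppresses a finding, it does not change the trust policy.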