Proposal: New Category For IAM Permissions That Bypass Network Controls
Introduction
Cloudsplaining is a widely used tool for assessing IAM risks, including privilege escalation, data exfiltration, and more. However, there is a growing need to address a specific type of IAM permission: one that allows users to bypass network-layer controls such as Security Groups and NACLs. In this proposal, we suggest introducing a new category for IAM permissions that bypass network controls, which we will refer to as "Out-of-Band Access" or "Bypasses Network Controls."
The Problem
Traditional network defenses, such as Security Groups and NACLs, control access to resources based on IP addresses and ports. Some IAM permissions, however, let a principal reach a resource without any direct network path to it: the request is made to an AWS API endpoint, and AWS-internal APIs reach the resource on the principal's behalf, so the Security Groups and NACLs protecting the resource never see the traffic. For example, the Redshift Query Editor lets users query Redshift databases through AWS internal APIs without requiring direct network access to the cluster.
Example Use Case
The Redshift Query Editor is a clear example of a feature whose IAM permission bypasses network controls. When a user is granted the redshift:GetClusterCredentials permission, they can query Redshift databases without being subject to the cluster's Security Groups or NACLs, because the Query Editor reaches the database through AWS internal APIs rather than over a direct network connection.
Why a New Category is Needed
The risk associated with IAM permissions that bypass network controls does not cleanly fit into the existing categories. Because these permissions grant access to resources without passing through traditional network controls, the access is harder to detect and prevent with network-layer tooling. A separate category for these permissions gives this risk its own visibility and makes such access easier to detect and prevent.
Suggested Category
We suggest introducing a new category for IAM permissions that bypass network controls, which we will refer to as "Out-of-Band Access" or "Bypasses Network Controls." This category will provide a clear and concise way to identify and manage IAM permissions that bypass network controls.
Benefits of a New Category
Introducing a new category for IAM permissions that bypass network controls will provide several benefits, including:
- Improved visibility: By providing separate visibility for IAM permissions that bypass network controls, we can make it easier to detect and prevent unauthorized access.
- Better risk management: By identifying and managing IAM permissions that bypass network controls, we can reduce the risk of unauthorized access and data breaches.
- Increased security: By introducing a new category for IAM permissions that bypass network controls, we can provide an additional layer of security and make it more difficult for attackers to access resources without being detected.
Community-Driven Effort
We believe this would be even more effective as a community-driven effort to grow and maintain a list of IAM actions that bypass network controls. By working together, we can build a comprehensive list of such permissions and provide a valuable resource for security professionals.
Conclusion
In conclusion, we propose introducing a new category for IAM permissions that bypass network controls, which we will refer to as "Out-of-Band Access" or "Bypasses Network Controls." This category will provide a clear and concise way to identify and manage such permissions, and will help to improve visibility, risk management, and security.
Appendix
Below is a list of similar permissions that bypass network controls:
- redshift:GetClusterCredentials
- redshift:CreateCluster
- redshift:DeleteCluster
- redshift:DescribeClusters
- redshift:ModifyCluster
- redshift:ResetClusterParameterGroup
- redshift:RestoreCluster
- redshift:StartCluster
- redshift:StopCluster
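As an added example (not Cloudsplaining's own code), the Python below flags the actions listed in this appendix inside an IAM policy document, the way the proposed category check would: it expands wildcard Action entries such as redshift:Get* and subtracts unconditional Deny statements. The sample policy document is constructed.

```python
"""Flag IAM actions in the proposed "Bypasses Network Controls" category.
Added example, not Cloudsplaining's own code; the policy is constructed."""
import fnmatch
import json

# Actions this proposal's appendix lists as bypassing Security Groups / NACLs.
BYPASSES_NETWORK_CONTROLS = {
    "redshift:GetClusterCredentials", "redshift:CreateCluster",
    "redshift:DeleteCluster", "redshift:DescribeClusters",
    "redshift:ModifyCluster", "redshift:ResetClusterParameterGroup",
    "redshift:RestoreCluster", "redshift:StartCluster", "redshift:StopCluster",
}

def _as_list(value):
    """IAM accepts either a string or a list for Statement/Action/Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def expand_action(pattern):
    """Category actions matched by one Action entry such as 'redshift:Get*'
    or '*'. IAM matches action names case-insensitively."""
    pat = pattern.lower()
    return {a for a in BYPASSES_NETWORK_CONTROLS
            if fnmatch.fnmatchcase(a.lower(), pat)}

def find_network_bypass_actions(policy):
    """Sorted category actions the policy grants. Unconditional Deny statements
    on Resource "*" override any Allow and are subtracted; NotAction is not handled."""
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        matched = set()
        for action in _as_list(stmt.get("Action")):
            matched |= expand_action(action)
        if stmt.get("Effect") == "Allow":
            allowed |= matched
        elif "*" in _as_list(stmt.get("Resource")) and not stmt.get("Condition"):
            denied |= matched
    return sorted(allowed - denied)

# Constructed sample: redshift:Get* quietly covers GetClusterCredentials,
# while the Deny removes DescribeClusters again.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"},
    {"Effect": "Allow", "Action": ["redshift:Get*", "redshift:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "redshift:DescribeClusters", "Resource": "*"}
  ]
}""")
```

Calling find_network_bypass_actions(SAMPLE_POLICY) returns ["redshift:GetClusterCredentials"]; the wildcard match is the case a reviewer reading the policy by eye is most likely to miss.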
Call to Action
We believe that this list is not exhaustive and would love to contribute to growing and maintaining a comprehensive list of IAM actions that bypass network controls.
Introduction
In our previous article, we proposed introducing a new category for IAM permissions that bypass network controls, which we will refer to as "Out-of-Band Access" or "Bypasses Network Controls." In this article, we will answer some frequently asked questions about this proposal and provide additional information to help clarify the benefits and implications of introducing this new category.
Q: What is the purpose of introducing a new category for IAM permissions that bypass network controls?
A: The purpose of introducing a new category for IAM permissions that bypass network controls is to provide a clear and concise way to identify and manage IAM permissions that bypass traditional network defenses. This will help to improve visibility, risk management, and security.
Q: How will this new category be implemented?
A: We propose that the new category will be implemented as a separate section in the IAM permissions console, where users can view and manage IAM permissions that bypass network controls. This will provide a clear and concise way to identify and manage these permissions.
Q: What types of IAM permissions will be included in this new category?
A: The new category will include IAM permissions that allow users to access resources without being subject to traditional network controls, such as:
- redshift:GetClusterCredentials
- redshift:CreateCluster
- redshift:DeleteCluster
- redshift:DescribeClusters
- redshift:ModifyCluster
- redshift:ResetClusterParameterGroup
- redshift:RestoreCluster
- redshift:StartCluster
- redshift:StopCluster
Q: How will this new category affect existing IAM permissions?
A: The introduction of this new category will not affect existing IAM permissions. However, users will need to review and update their IAM permissions to ensure that they are compliant with the new category.
Q: What are the benefits of introducing this new category?
A: The benefits of introducing this new category include:
- Improved visibility: By providing separate visibility for IAM permissions that bypass network controls, we can make it easier to detect and prevent unauthorized access.
- Better risk management: By identifying and managing IAM permissions that bypass network controls, we can reduce the risk of unauthorized access and data breaches.
- Increased security: By introducing a new category for IAM permissions that bypass network controls, we can provide an additional layer of security and make it more difficult for attackers to access resources without being detected.
Q: How can I contribute to this effort?
A: We encourage users to contribute to this effort by providing feedback and suggestions on how to implement and manage the new category. We also invite users to share their experiences and insights on how to identify and manage IAM permissions that bypass network controls.
Q: What is the next step in implementing this new category?
A: The next step in implementing this new category is to gather feedback and suggestions from users and to develop a plan for implementing and managing the new category. We will also work with AWS to ensure that the new category is integrated with existing IAM permissions and features.
Conclusion
In conclusion, introducing a new category for IAM permissions that bypass network controls will provide a clear and concise way to identify and manage IAM permissions that bypass traditional network defenses. We believe this will help to improve visibility, risk management, and security. We encourage users to contribute to this effort and to provide feedback and suggestions on how to implement and manage the new category.