Effective Permissions: Fact vs. Fiction

Identity & IAM Skill Level: Technical
Reading Time: 5 minutes
Key differences between manual, periodic audits and continuous audit and why Sonrai Dig enables organizations to achieve continuous monitoring for audit.

So your company is now operating in the cloud. It’s exciting, isn’t it?  So many tools at your disposal, so many new ways to get things done, and pure agility. Unfortunately, this also introduces many new ways your organization can be at risk. One of them arises from not fully understanding what your Identities (people or non-people) have access to and can do. Oftentimes, what you think is fact is actually fiction. Or, as they say in the movies, based on real events. 

What is an Effective Permission anyways? 

AWS defines effective permissions as “the permissions that are granted by all the policies that affect the user or role.” Simply put, it is the true picture of what your identity can do and what it can access.

Why is this important? 

In the cloud, the Effective Permission for an Identity is oftentimes much broader than what we think it is configured to be. This happens because, in the cloud, an Identity’s permissions are constructed not only by the policies attached to them or the groups that they belong to but are also extended to the roles that they can assume. These are known as identity-based policies. But it is much more than that. Effective permissions include the combination of resource-based policies, session policies, service policies, organizational policies, and even access to native or third-party secret stores (such as HashiCorp Vault). On top of all of that, how a policy is implemented can greatly affect an Identity’s effective permissions. Now, what happens if you bring another public cloud into the mix? You might be thinking, “this sounds very complex.” Well, it is, and that is why so many organizations today are at risk and don’t even know it. It’s a ticking time bomb in their cloud.

This is great in theory, but let’s look at some examples

To help get our heads wrapped around things, let’s look at some examples of how we end up with effective permissions that commonly cause issues. We’ll start with some simple ones and work our way to the more complex ones.

Let’s start with a rather simple scenario to get a baseline understanding of what Effective Permission is.

Sonrai - Effective Permissions Diagram

In this scenario, an Identity belongs to multiple Groups.  On its own, each Group is scoped down to the proper purpose and function. The trouble arises when the permissions from one group, combined with permissions from others, lead to an Effective Permission that is beyond the intended least privilege for the Identity. This usually happens as an organization grows and people change roles and/or gain new responsibilities.

Now let’s take a look at a more complex example.  We will build this up step-by-step so that you can see the Effective Permission at each step and, finally, what the overall Effective Permission is in totality.

In this example, you have an Identity, Elliot, who is part of the SecOps team at his company and belongs to the SecOps Account. In that job, he is only assigned to a single AWS Group called AllSafe. The AllSafe Group has two policies, one allowing Elliot to assume the AllSafeVaultRole. The Role has a Policy attached that gives him access to secrets in his company’s HashiCorp Vault.  With these permissions in hand, Elliot can do his job of managing his company’s Secret Store, which is in the SecOps Account.

Understand the difference between fact and fiction when it comes to your effective permissions reducing complexity in your public cloud.

That all sounds pretty good, right? Well, what happens if the Vault was configured incorrectly and its secrets aren’t as nicely locked down as they were in AWS IAM? In this case, it wasn’t, and Elliot can access ALL the secrets in the Vault, including the AllSafeProduction Role. This Role is used by the Cloud team to manage S3 buckets in their Production Account. That doesn’t sound good, does it?

Vault identity security issue image

No, it is not good at all. As we dig a little deeper, we can see below that with the AllSafeProd Role in hand, Elliot has full access to all of the Production S3 buckets in his organization. Making matters worse, some of these S3 buckets contain data classified as CONFIDENTIAL.

Screenshot of the identity issue image

So, the fiction is that Elliot ONLY has access to the HashiCorp Vault secret store in his Company’s SecOps Account. The fact is that his Effective Permissions show us that he has access to confidential information in his Company’s Production Account.

At that point, if you are thinking, “Wow, that was confusing and not good at the same time!!” You are 100% correct. This is exactly why, without knowing what your Identities can access, like Confidential data, and what they can do, such as assume privileged roles, you have a ticking time bomb in your cloud just waiting for someone to take advantage of.

Now that I know what they are, how can I find them in my environment? 

That’s a good question; the answer is one you might not like. It’s difficult and requires a thorough examination of your Identities. You need to map out each permission path to determine what they can do and/or what they have access to. But it doesn’t end there. Things in the cloud are moving quickly and constantly changing. This also applies to your identity effective permissions. So once you are done mapping off that, you then need to monitor things to determine if a change in your environment also changes your effective permissions. If you can do this, then someone needs to take action to remediate the issue before it becomes a major problem. This could be you, it could be another operational or security team or even the person that invoked the changes, like a developer

How do I stay on top of this? 

As with many things in the cloud, the problem becomes too complex, and things move too quickly to resort to manual efforts. What you need to do is implement the appropriate tooling. This can come in the form of in-house tools that you create to calculate and monitor an Identity’s effective permissions. But this is often a big project and probably outside the scope of what your organization does. It can come from using a combination of cloud-native tools as no one tool does everything. However, these tools are often at different stages of maturation, have no centralized way to tie things together, and are limited only to the cloud that they were built for. This can lead to gaps when one cloud is used and definitely when more than one cloud is used. So, what you really need is a solution that focuses on this and can work across multiple public clouds.

How Sonrai Dig can help

Identity and data access complexity are exploding in your public cloud. Tens of thousands of pieces of compute, thousands of roles, and a dizzying array of interdependencies and inheritances. First-generation security tools miss this, as evidenced by so many breaches. Sonrai Dig, our enterprise cloud security platform, de-risks your cloud by finding these holes, helping you fix them, and preventing those problems from occurring in the first place.