Trusted Access Guardrails
Overview
Trusted Access guardrails allow you to define whom and what you trust and enforce those limitations on your cloud resources. With Guardrails Trusted Access policies, you can define which accounts, services, and organizations are allowed to be granted access your resources. The Trusted Access control can audit or enforce those policies, giving centralized control over trusted boundaries.
Many examples here will list AWS, but these policies also are available for Azure and GCP resources.
Policies and Controls
Trusted Access controls are generally divided into two patterns:
Default Policies
Default policies at the account level allow administrators to define trusted boundaries centrally for all services. However, these can be overrode by either defining resource type specific Trusted Access policies, or by setting an exception for the default policy.
Account-level Defaults
The value for all of the account-level default policies is to allow everything:
*
Policy | Description |
---|---|
AWS > Account > Trusted Accounts [Default] | A list of AWS account IDs |
AWS > Account > Trusted Organizations [Default] | A list of AWS organization IDs |
AWS > Account > Trusted Identity Providers [Default] | A list of Identity providers |
AWS > Account > Trusted Service [Default] | A list of AWS services |
Service-level Defaults
The value for all of the service-level default policies is to allow everything:
*
Policy | Description |
---|---|
AWS > {Service} > Trusted Accounts [Default] | A list of AWS account IDs |
AWS > {Service} > Trusted Organizations [Default] | A list of AWS organization IDs |
AWS > {Service} > Trusted Identity Providers [Default] | A list of Identity providers |
AWS > {Service} > Trusted Service [Default] | A list of AWS services |
Simple List Pattern
Some resource types allow you to grant access to other accounts.
Guardrails solves this with two policies:
Trusted Access
: Allows you check or enforce whether the sharing is allowed or not, and to which accounts. Allows administrators to configure if Guardrails will check or enforce Trusted Access.Trusted Access > Accounts
: Allows you to specify the list of AWS account IDs that are trusted.
For resources that support cross account access, Guardrails can check or enforce to the list of AWS accounts. These policies can be found directly under the service in the hierarchy:
{Provider} > {Service} > {Resource} > Trusted Access
{Provider} > {Service} > {Resource} > Trusted Access > Accounts
AWS > EC2 > Snapshot > Trusted Account
AWS > EC2 > Snapshot > Trusted Account > Accounts
Acceptable Trusted Access policy values are consistent across resource types:
Value | Description |
---|---|
Skip | Skip - no action taken |
Check: Trusted Access > Accounts | To check access is granted to the list of trusted accounts |
Enforce: Trusted Access > Accounts | To enforce, access to non-trusted accounts are removed |
IAM Resource Policy Pattern
Many resources allow users to grant access directly on the resource itself via a resource policy. The Trusted Access control will evaluate and modify access granted in said resource policy.
Guardrails allows Trusted Access configurations via this list of policies. Note that while they all exist, is not necessary to configure all of them in order to enforce or check resources for unauthorized access:
Trusted Access
: Allows administrators to check or enforce whether the sharing is allowed or not and to which accounts, services, and federated users.Trusted Access > Accounts
: Allows administrators to specify the list of AWS account IDs that are trusted to access the resource.Trusted Access > Organization Restrictions
: Allows administrators to specify the list of AWS organization IDs that are trusted to access the resource.Trusted Access > Identity Providers
: Allows administrators to specify the list of Identity Providers that are trusted to access the resource.Trusted Access > CloudFront Origin Access Identities
: Allows administrators to specify the list of CloudFront Origin Access Identities (OAIs) that are trusted to access the resource.Trusted Access > Services
: Allows administrators to specify the list of AWS Services that are trusted to access the resource.
These policies can be found under the service in the hierarchy:
{Provider} > {Service} > {Resource} > Policy > Trusted Access
{Provider} > {Service} > {Resource} > Policy > Trusted Access > Accounts
{Provider} > {Service} > {Resource} > Policy > Trusted Access > Organization Restriction
{Provider} > {Service} > {Resource} > Policy > Trusted Access > Identity Providers
{Provider} > {Service} > {Resource} > Policy > Trusted Access > CloudFront Origin Access Identities
{Provider} > {Service} > {Resource} > Policy > Trusted Access > Services
AWS > S3 > Bucket > Policy > Trusted Access
AWS > S3 > Bucket > Policy > Trusted Access > Accounts
AWS > S3 > Bucket > Policy > Trusted Access > Organization Restriction
AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers
AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access Identities
AWS > S3 > Bucket > Policy > Trusted Access > Services
Again, acceptable Trusted Access policy values are consistent across resource types:
Value | Description |
---|---|
Skip | Skip - no action taken |
Check: Trusted Access | To check access is granted to the list of AWS accounts, Organizations, Services, Identity Providers, and OAIs set on the policy |
Enforce: Revoke untrusted access | To enforce, access to non-trusted members are removed |
Note:
- The
Trusted Access
control only evaluates access granted to external entities for the resource in the resource policy. - All the
Trusted Access
sub-policies might not be applicable for all resource types. - The
Trusted Access
control only applies to policy statements that allow access (where effect is allow). Deny statements are ignored by the control. - Both
Trusted Access > Accounts
andTrusted Access > Organization Restrictions
apply to AWS principals, and are evaluated independently. To have access, a principal must be allowed inTrusted Access > Accounts
AND be a member of an Organization that is allowed inTrusted Access > Organization Restrictions
- A Service Principal that is allowed per
Trusted Access > Services
may also restrict the source resource to accounts perTrusted Access > Services > Source Account Restrictions
via a condition.- When the service supports
aws:Source*
conditions, Guardrails will evaluate theaws:Source*
conditions on that statement and amend (or add theaws:SourceAccount
condition) to remediate. S3 Bucket notifications to SNS are an example of such a situation. - When the service (such as CloudTrail) does not support
aws:Source*
conditions, Guardrails will not enforce this restriction on that statement.
- When the service supports
Example: AWS > S3 > Bucket > Policy > Trusted Access
First, assume that the bucket policy is trusting the account 123456789210
that
is under the organization o-c6v5d4wd43
. The identity provider granted access
in the bucket policy is www.facebook.com
. The service granted access to the
bucket via existing bucket policies is ec2.amazonaws.com
, and the CloudFront
Origin Access Identity with access is defined as E1QK6X5E0FOET6
. The following
policies have been configured in Guardrails:
- AWS > S3 > Bucket > Policy > Trusted Access is set to
Check: Trusted Access
. - AWS > S3 > Bucket > Policy > Trusted Access > Accounts is set to
- 123456789210
. - AWS > S3 > Bucket > Policy > Trusted Access > Organization Restriction is
set to
- o-c6v5d4wd43
. - AWS > S3 > Bucket > Policy > Trusted Access > Identity Providers is set to
- www.google.com
. - AWS > S3 > Bucket > Policy > Trusted Access > Services is set to
- sns.amazonaws.com
. - AWS > S3 > Bucket > Policy > Trusted Access > CloudFront Origin Access
Identities is set to
E1QK6X5E0FOET6
.
In order, these policies will evaluate Accounts
, Organization Restriction
,
and CloudFront Origin Access Identities
as trusted, but Identity Providers
and Services
as untrusted. The policy evaluation will result the control being
in the ALARM state.
Sample S3 bucket policy for the above example:
{ "Version": "2012-10-17", "Id": "2012-10-17", "Statement": [ { "Sid": "ReadAccess", "Effect": "Allow", "Principal": { "Federated": "www.facebook.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketexample01" }, { "Sid": "WriteAccess", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1QK6X5E0FOET6" }, "Action": "s3:PutBucket", "Resource": "arn:aws:s3:::bucketexample01" }, { "Sid": "ReadAccess1", "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::bucketexample01" }, { "Sid": "WriteAccess1", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789210:root" }, "Action": "s3:PutBucket", "Resource": "arn:aws:s3:::bucketexample01", "Condition": { "StringEquals": { "aws:PrincipalOrgID": "o-c6v5d4wd43" } } } ]}