AWS Permissions Use Case

This document walks through Turbot's AWS Permissions capabilities using real-world scenarios. Before getting started, please make sure you have gone through the core concepts of Permissions and Managing AWS Permissions.

The personas below are used to walk through multiple scenarios that share a common goal: to list and/or create an S3 bucket.

  1. Timon is the Cloud Admin with unlimited access to all AWS services and has AWS/SuperUser in the Turbot UI.
  2. Pumbaa is the Account Engineer with administrator access and has AWS/Admin in the Turbot UI.
  3. Baampu is the AWS S3 admin and has AWS/S3/Admin in the Turbot UI.
  4. Zazu is a Cloud Admin whose access is not managed by Turbot. Zazu accesses AWS by assuming the majordomo_role custom role, which has unlimited access to all AWS services.

Observation: Timon, Pumbaa and Baampu are Turbot-managed, whereas Zazu is not managed by Turbot.

Pre-requisites:

For lockdowns to be in effect:

  • The latest recommended version of the aws-iam mod must be installed.
  • Set the policies below at the AWS Account level (the account level is recommended for these scenarios, but they can be set at any higher level in the hierarchy):

    • Enable the IAM service (AWS > IAM > Enabled set to Enabled)
    • Enable AWS permissions in role mode (AWS > Turbot > Permissions set to "Enforce: Role Mode")
    • Enable the S3 permissions (AWS > S3 > Enabled and AWS > S3 > API Enabled both set to Enabled)
    • Select all available levels for the S3 service permissions (AWS > S3 > Permissions > Levels: check all available levels)
  • Grant Timon AWS/SuperUser, Pumbaa AWS/Admin, and Baampu AWS/S3/Admin and AWS/User at the AWS Account level.

Scenario 1: Region Hard Boundary

The Pride Lands decided to enable only specific AWS regions, namely us-east-1 and ap-south-1, and does not want anyone, including SuperUsers, to be able to use the other regions.

Given:

  • The policy AWS > Turbot > Permissions > Lockdown > Region Boundary is set to us-east-1, ap-south-1.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should get "Access Denied" when trying to create an S3 bucket in the disabled regions.
  • Zazu should be able to create an S3 bucket in both enabled and disabled regions.

Summary:

User / CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)      x
Pumbaa (AWS/Admin)         x
Baampu (AWS/S3/Admin)      x
Zazu (majordomo_role)      x                 x

** should it say Zazu Non-Turbot User/Role with AdministratorAccess? **

NOTE: Global services (IAM, Route53, etc.) are not subject to the region restriction.

Scenario 2: Region Soft Lockdown

The Pride Lands decided to enable only specific regions, namely us-east-1 and ap-south-1, but still allow SuperUsers to access ALL regions.

Given:

  • Leave the AWS > Turbot > Permissions > Lockdown > Region Boundary policy at its default value (- '*').
  • Edit the AWS > Turbot > Permissions > Lockdown > Regions policy to include only the regions to be enabled; in this case, us-east-1 and ap-south-1.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser) should be able to create an S3 bucket in the disabled regions as well.
  • Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should get "Access Denied" when trying to create an S3 bucket in the disabled regions.
  • Zazu should be able to create an S3 bucket in both enabled and disabled regions.

Summary:

User / CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)      x                 x
Pumbaa (AWS/Admin)         x
Baampu (AWS/S3/Admin)      x
Zazu (majordomo_role)      x                 x

Scenario 3: Service Hard Boundary

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone, including SuperUsers.

Given:

  • Set AWS > {service} > Enabled to Disabled (AWS > S3 > Enabled is Disabled)
  • Set AWS > {service} > API Enabled to Disabled (AWS > S3 > API Enabled is Disabled)

Expected result:

  • Timon (as AWS/SuperUser) and Pumbaa (as AWS/Admin) should get the error "Insufficient permissions to list buckets" when trying to list S3 buckets.
  • Because the S3 service is disabled, the AWS/S3/Admin permission is deleted, and AWS/S3/Admin should no longer appear as assigned to Baampu in the Turbot UI.
  • Zazu should be able to list and create S3 buckets.

Summary:

User / Access              Enabled Services  Disabled Services
Timon (AWS/SuperUser)      x
Pumbaa (AWS/Admin)         x
Zazu (majordomo_role)      x                 x

Scenario 4: Service Soft Lockdown

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone except SuperUsers.

Given:

  • Set AWS > {service} > Enabled to Disabled (AWS > S3 > Enabled is Disabled)
  • Set AWS > {service} > API Enabled to Enabled (AWS > S3 > API Enabled is Enabled)

Expected result:

  • Timon (as AWS/SuperUser) should be able to create an S3 bucket.
  • Pumbaa (as AWS/Admin) should get "AccessDenied" when trying to create an S3 bucket.
  • Because the S3 service is disabled, the AWS/S3/Admin permission is deleted, and AWS/S3/Admin should no longer appear as assigned to Baampu in the Turbot UI.

Summary:

User / Access              Enabled Services  Disabled Services
Timon (AWS/SuperUser)      x                 x
Pumbaa (AWS/Admin)         x
Zazu (majordomo_role)      x                 x

Scenario 5: Hard Lockdown on all IAM Roles - Regions

The Pride Lands decided to enable only specific AWS regions, namely us-east-1 and ap-south-1, and does not want anyone, including SuperUsers, Turbot (the Turbot service role) and non-Turbot roles, to be able to use the other regions.

Given:

  • The policy AWS > Turbot > Permissions > Lockdown > Region Boundary is set to us-east-1, ap-south-1.
  • Set AWS > IAM > Role > Boundary to "Enforce: Boundary > Policy" or "Check or Enforce per AWS > Turbot > Permissions".

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should get "Access Denied" when trying to create an S3 bucket in the disabled regions.

Summary:

User / CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)      x
Pumbaa (AWS/Admin)         x
Baampu (AWS/S3/Admin)      x
Zazu (majordomo_role)      x

NOTE: Since Turbot itself is also denied access to all regions except us-east-1 and ap-south-1, all Turbot controls in the disabled regions will error out due to lack of permissions. Turbot can no longer discover your resources in those regions.

If you do not want to discover any resources in the disabled regions, set AWS > Account > Regions [Default] to us-east-1 and ap-south-1. If you want to discover resources in ALL regions, add an exception for Turbot (discussed in later scenarios).

Scenario 6: Hard Lockdown on all IAM Roles - Services

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone, including SuperUsers, Turbot (the Turbot service role) and non-Turbot roles.

Given:

  • Set AWS > {service} > Enabled to Disabled (AWS > S3 > Enabled is Disabled)
  • Set AWS > {service} > API Enabled to Disabled (AWS > S3 > API Enabled is Disabled)

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Zazu should get the error "Insufficient permissions to list buckets" when trying to list S3 buckets.
  • Because the S3 service is disabled, the AWS/S3/Admin permission is deleted, and AWS/S3/Admin should no longer appear as assigned to Baampu in the Turbot UI.

Summary:

User / Access              Enabled Services  Disabled Services
Timon (AWS/SuperUser)      x
Pumbaa (AWS/Admin)         x
Zazu (majordomo_role)      x

NOTE: Since Turbot itself is also denied access to the disabled services, all Turbot controls for those services will error out due to lack of permissions. Turbot can no longer discover your resources for those services.

If you do not want to discover any resources for the disabled services, either do not install the mod or set the CMDB policy of the resources to Skip. For example, set AWS > S3 > Bucket > CMDB to Skip at the Account level. If you want to discover resources for the disabled service as well, add an exception for Turbot (discussed in later scenarios).

Scenario 7: Soft Lockdown on all IAM Roles - Regions

The Pride Lands decided to enforce the lockdown policies on all IAM roles, including SuperUsers, Turbot (the Turbot service role) and non-Turbot roles.

Given:

  • Leave the AWS > Turbot > Permissions > Lockdown > Region Boundary policy at its default value (- '*').
  • Edit the AWS > Turbot > Permissions > Lockdown > Regions policy to include only the regions to be enabled; in this case, us-east-1 and ap-south-1.
  • Set AWS > IAM > Role > Policy Attachments > Required to "Enforce: Required > Items".
  • Set AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown to Enabled.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should not be able to create an S3 bucket in the disabled regions.

Summary:

User / CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)      x
Pumbaa (AWS/Admin)         x
Baampu (AWS/S3/Admin)      x
Zazu (majordomo_role)      x

NOTE: Since Turbot itself is also denied access to all regions except us-east-1 and ap-south-1, all Turbot controls in the disabled regions will error out due to lack of permissions. Turbot can no longer discover your resources in those regions.

If you do not want to discover any resources in the disabled regions, set AWS > Account > Regions [Default] to us-east-1 and ap-south-1. If you want to discover resources in ALL regions, add an exception for Turbot (discussed in later scenarios).
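The scenarios above combine three IAM ingredients: the identity policy granted through the Turbot permission (AWS/SuperUser, AWS/Admin, AWS/S3/Admin), a permissions boundary (the "hard" boundary), and an attached deny policy (the "soft" lockdown) that SuperUsers are spared. The following added Python model reproduces the summary tables of Scenarios 1 through 7 from those ingredients. It is an illustration written for this page, not Turbot's code: the policy documents, the GLOBAL_SERVICES list, the helper names and the principal set-up are constructed assumptions, and the region condition uses the real aws:RequestedRegion key only to show why global services escape the region restriction.

```python
"""Model of how IAM combines an identity policy, a permissions boundary and an
attached lockdown policy.  Constructed example for illustration; the documents
and names below are assumptions, not Turbot's own boundary/lockdown policies."""
from fnmatch import fnmatchcase

ENABLED_REGIONS = ["us-east-1", "ap-south-1"]
# Assumption: global services that carry no region (see the NOTE in Scenario 1).
GLOBAL_SERVICES = ["iam", "route53", "sts"]


def allow_all():
    return {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}


def region_deny(regions):
    """Deny every regional action outside `regions`; global services are carved out via NotAction."""
    return {"Effect": "Deny", "Resource": "*",
            "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICES],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(regions)}}}


def service_deny(service):
    """Deny a whole service, e.g. S3 once AWS > S3 > API Enabled is Disabled."""
    return {"Effect": "Deny", "Action": f"{service}:*", "Resource": "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(stmt, action, region):
    """Does this statement apply to the request? (Action/NotAction plus the region condition only.)"""
    if "Action" in stmt and not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if "NotAction" in stmt and any(fnmatchcase(action, p) for p in _as_list(stmt["NotAction"])):
        return False
    cond = stmt.get("Condition", {}).get("StringNotEquals", {})
    if region in cond.get("aws:RequestedRegion", []):
        return False
    return True


def evaluate(policy, action, region):
    """Decision of one document: Deny beats Allow, and no match is an implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action, region)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else "Implicit"


def is_allowed(principal, action, region):
    """IAM decision: any explicit Deny wins; otherwise the identity policy must Allow
    and, if a permissions boundary is attached, the boundary must Allow as well."""
    docs = [d for d in (principal["identity"], principal["boundary"], principal["lockdown"]) if d]
    if any(evaluate(d, action, region) == "Deny" for d in docs):
        return False
    if evaluate(principal["identity"], action, region) != "Allow":
        return False
    boundary = principal["boundary"]
    return boundary is None or evaluate(boundary, action, region) == "Allow"


def build_principals(boundary_stmts, lockdown_stmts, all_roles=False):
    """Turbot-managed roles get the boundary; non-SuperUsers also get the lockdown attachment.
    With all_roles=True (Scenarios 5 to 7) the SuperUser and the unmanaged Zazu get them too."""
    boundary = {"Statement": allow_all()["Statement"] + boundary_stmts}
    lockdown = {"Statement": lockdown_stmts} if lockdown_stmts else None
    s3_only = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
    return {
        "Timon (AWS/SuperUser)": {"identity": allow_all(), "boundary": boundary,
                                  "lockdown": lockdown if all_roles else None},
        "Pumbaa (AWS/Admin)": {"identity": allow_all(), "boundary": boundary, "lockdown": lockdown},
        "Baampu (AWS/S3/Admin)": {"identity": s3_only, "boundary": boundary, "lockdown": lockdown},
        "Zazu (majordomo_role)": {"identity": allow_all(),
                                  "boundary": boundary if all_roles else None,
                                  "lockdown": lockdown if all_roles else None},
    }


# (boundary statements, lockdown statements, apply to all IAM roles?)
SCENARIOS = {
    "1 region hard boundary": ([region_deny(ENABLED_REGIONS)], [], False),
    "2 region soft lockdown": ([], [region_deny(ENABLED_REGIONS)], False),
    "3 service hard boundary": ([service_deny("s3")], [], False),
    "4 service soft lockdown": ([], [service_deny("s3")], False),
    "5 region hard boundary, all roles": ([region_deny(ENABLED_REGIONS)], [], True),
    "6 service hard boundary, all roles": ([service_deny("s3")], [], True),
    "7 region soft lockdown, all roles": ([], [region_deny(ENABLED_REGIONS)], True),
}


def summary(scenario, action="s3:CreateBucket", regions=("us-east-1", "eu-west-1")):
    """Per-principal allow/deny for `action` in one enabled and one disabled region."""
    boundary_stmts, lockdown_stmts, all_roles = SCENARIOS[scenario]
    principals = build_principals(boundary_stmts, lockdown_stmts, all_roles)
    return {name: {r: is_allowed(p, action, r) for r in regions} for name, p in principals.items()}


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"Scenario {name}")
        for who, result in summary(name).items():
            cells = "  ".join(f"{r}: {'allow' if ok else 'DENY'}" for r, ok in result.items())
            print(f"  {who:24} {cells}")
```

Running the script prints one allow/deny table per scenario. The two properties worth checking against the tables above are that Zazu is untouched until the boundary or lockdown is applied to all IAM roles (Scenarios 5 to 7), and that an iam:* request still succeeds under the region boundary because the NotAction carve-out keeps global services out of the deny.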

Scenario 8: Soft Lockdown on all IAM Roles - Services

Draft note: Venu thinks that the non-Turbot managed roles should not be allowed to access disabled services, but they are able to right now on aws-iam 5.5.0. Seeking confirmation from Abhi/John.

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone, including SuperUsers, Turbot (the Turbot service role) and non-Turbot roles.

Given:

  • Set AWS > {service} > Enabled to Disabled (AWS > S3 > Enabled is Disabled)
  • Set AWS > {service} > API Enabled to Enabled (AWS > S3 > API Enabled is Enabled)
  • Set AWS > IAM > Role > Policy Attachments > Required to "Enforce: Required > Items".
  • Set AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown to Enabled.

Expected result:

  • Timon (as AWS/SuperUser) should be able to create an S3 bucket.
  • Pumbaa (as AWS/Admin) should get "AccessDenied" when trying to create an S3 bucket.
  • Because the S3 service is disabled, the AWS/S3/Admin permission is deleted, and AWS/S3/Admin should no longer appear as assigned to Baampu in the Turbot UI.

Summary:

User/Access Enabled Services Disabled Services
Timon (AWS/SuperUser) x
Pumbaa (AWS/Admin) x
Zazu (majordomo_role) x

NOTE: Since Turbot itself is also denied access to the disabled services, all Turbot controls for those services will error out due to lack of permissions. Turbot can no longer discover your resources for those services.

If you do not want to discover any resources for the disabled services, either do not install the mod or set the CMDB policy of the resources to Skip. For example, set AWS > S3 > Bucket > CMDB to Skip at the Account level. If you want to discover resources for the disabled service as well, add an exception for Turbot (discussed in later scenarios).

Scenario 9: Exceptions - Hard Boundary

The Pride Lands decided to disable certain regions and service APIs for everyone except a particular role (for example, Turbot).

Given:

  • Set the AWS > IAM > Role > Boundary policy on the Turbot service account role to "Enforce: No Boundary".

Expected result:

  • Turbot should be able to access all the regions/services.

Similarly, to add an exception for a user:

  • Set the AWS > IAM > User > Boundary policy on the user to "Enforce: No Boundary".

Scenario 10: Exceptions - Soft Lockdown

The Pride Lands decided to apply the soft lockdown to all roles except a particular role (for example, Turbot).

Given:

  • Set AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown to Disabled for that role.

Expected result:

  • The role should not have any lockdown policy restrictions.

Similarly, an exception can be added for a particular user. Given:

  • Set AWS > IAM > User > Policy Attachments > Required > Turbot Lockdown to Disabled for that user.

Expected result:

  • The user should not have any lockdown policy restrictions.

Scenario 11: Exceptions - Turbot SuperUser

The Pride Lands decided to set the hard boundary but want all SuperUsers, such as Timon, to be exempted.

Given:

  • Set the AWS > Turbot > Permissions > Superuser Boundary policy to No Boundary.

Expected result:

  • The role should not have any hard boundaries applied.

Scenario 12: Customization - Hard Boundary

The Pride Lands decided to set a hard boundary, but want to use their own boundary policy instead of Turbot's boundary policy.

Given:

  • Set the AWS > IAM > User > Boundary > Policy and AWS > IAM > Role > Boundary > Policy policies to the name of your boundary policy.

Note that the Turbot Region Boundary and API Enabled policies have no effect if you do not apply Turbot's boundary policy. Your policy must already exist; it is not created by this policy. You can use the AWS > Account > Stack policy to manage it if you wish.

Expected result: Where boundaries apply, the custom boundary policy, rather than Turbot's boundary policy, should be applied to all roles and users.

Scenario 13: Customization - Self Managed Services

The Pride Lands decided to explore a new service that Turbot does not support yet, or a service whose mod is not installed in the workspace. The Pride Lands want Turbot to allow this service's API in both the boundary and the lockdown.

Given:

  • Add the service's APIs to the AWS > Turbot > Permissions > Lockdown > API Boundary policy.

Expected result:

  • The service API should be exempted from both boundary and lockdown policies.


Expected result:

  • Timon (as AWS/SuperUser) should not be able to access the SNS service (list topics or create a topic).
  • Pumbaa (as AWS/S3/Admin) should get "AuthorizationError" when trying to access the SNS service.

Note: Scope the policy to a specific role to limit the impact to that single role instead of all roles across the account.

Similarly, users can be restricted by setting the policies below.

  • Set AWS > IAM > User > Policy Attachments > Required to "Enforce: Required > Items".
  • Set AWS > IAM > User > Policy Attachments > Required > Turbot Lockdown to Enabled.

NOTE: Turbot gets "Access Denied" on the disabled regions/services if the boundary is set as per policy.


Summary:

User/Access Disabled Service Region Hard Boundary Region Soft Lockdown Enabled Regions Disabled Regions
Timon(AWS/SuperUser) x
Timon(AWS/SuperUser) x
Pumbaa(AWS/S3/Admin) x
Pumbaa(AWS/S3/Admin) x