AWS Permissions Use Case

This document walks through real-world scenarios to show what Turbot can do with AWS permissions. Before getting started, make sure you have read the core concepts of Permissions and Managing AWS Permissions.

The following personas are used to walk through the scenarios. In each scenario the goal is the same: list and/or create an S3 bucket.

  1. Timon is the Cloud Admin with unlimited access to all AWS services and has AWS/SuperUser in the Turbot UI.
  2. Pumbaa is the Account Engineer with administrator access and has AWS/Admin in the Turbot UI.
  3. Baampu is the AWS S3 admin and has AWS/S3/Admin in the Turbot UI.
  4. Zazu is a Cloud Admin whose access is not managed by Turbot. Zazu accesses AWS by assuming the custom role majordomo_role, which has unlimited access to all AWS services.

Observation: Timon, Pumbaa and Baampu are Turbot-managed, whereas Zazu is not Turbot-managed.

Prerequisites:

For the lockdowns to take effect:

  • The latest recommended version of the aws-iam mod must be installed.
  • Set the policies below at the AWS Account level (the account level is recommended for these scenarios, but they can be set at any higher level in the hierarchy):

    • Enable the IAM service (AWS > IAM > Enabled set to Enabled)
    • Enable AWS permissions in role mode (AWS > Turbot > Permissions set to "Enforce: Role Mode")
    • Enable the S3 permissions (AWS > S3 > Enabled and AWS > S3 > API Enabled both set to Enabled)
    • Select all available S3 service permission levels (AWS > S3 > Permissions > Levels: check all available levels)
  • Grant Timon AWS/SuperUser, Pumbaa AWS/Admin, and Baampu AWS/S3/Admin and AWS/User at the AWS Account level.

Scenario 1: Region Hard Boundary

The Pride Lands decided to enable only specific AWS regions, such as us-east-1 and ap-south-1, and do not want anyone, SuperUsers included, to be able to use the other regions.

Given:

  • The policy AWS > Turbot > Permissions > Lockdown > Region Boundary is set to us-east-1, ap-south-1.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should not be able to create an S3 bucket in the disabled regions.
  • Zazu should be able to create an S3 bucket in both enabled and disabled regions.

Summary:

User/CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Baampu (AWS/S3/Admin)    x
Zazu (majordomo_role)    x                 x


NOTE: Global services (IAM, Route 53, etc.) are not subject to the region restriction.

Scenario 2: Service Hard Boundary

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone, SuperUsers included.

Given:

  • The policy AWS > {service} > Enabled is set to Disabled (AWS > S3 > Enabled is Disabled)
  • The policy AWS > {service} > API Enabled is set to Disabled (AWS > S3 > API Enabled is Disabled)

Expected result:

  • Timon (as AWS/SuperUser) and Pumbaa (as AWS/Admin) should not be able to create an S3 bucket.
  • Since the S3 service is disabled, the AWS/S3/Admin permission is deleted, and you should no longer see AWS/S3/Admin assigned to Baampu in the Turbot UI.
  • Zazu should still be able to create S3 buckets.

Summary:

User/Access              Enabled Services   Disabled Services
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Zazu (majordomo_role)    x                  x

Further, the Pride Lands want these restrictions applied to ALL roles. However, if the Turbot service role is also restricted, Turbot can no longer discover AWS resources in the disabled regions/services.

  • If you do not want Turbot to discover any resources in the disabled regions, set AWS > Account > Regions [Default] to us-east-1 and ap-south-1.
  • If you do not want Turbot to discover any resources from the disabled services, either uninstall the mod or set the CMDB policy of those resources to Skip. For example, set AWS > S3 > Bucket > CMDB to Skip at the Account level.
  • If you do want Turbot to discover resources in the disabled regions/services, add a boundary exception for Turbot (discussed in the scenarios that follow).

Scenario 3: Exceptions for Hard Boundary

The Pride Lands decided to disable certain regions and service APIs for everyone except a specific role (for example, the Turbot service role).

Given:

  • The policy AWS > IAM > Role > Boundary is set to Enforce: No Boundary on the Turbot service account role.

Expected result:

  • Turbot should be able to access all the regions/services.

Scenario 4: Region Hard Boundary on all IAM Roles

With the proper exceptions in place (if needed), it is time to bring all IAM roles under the hard boundaries.

Given:

  • The policy AWS > Turbot > Permissions > Lockdown > Region Boundary is set to us-east-1, ap-south-1, if not already.
  • The policy AWS > IAM > Role > Boundary is set to "Enforce: Boundary > Policy" OR "Check or Enforce per AWS > Turbot > Permissions" at the account level.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should not be able to create an S3 bucket in the disabled regions.

Summary:

User/CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Baampu (AWS/S3/Admin)    x
Zazu (majordomo_role)    x

Scenario 5: Service Hard Boundary on all IAM Roles

With the proper exceptions in place (if needed), it is time to bring all IAM roles under the hard boundaries.

Given:

  • The policy AWS > {service} > Enabled is set to Disabled (AWS > S3 > Enabled is Disabled)
  • The policy AWS > {service} > API Enabled is set to Disabled (AWS > S3 > API Enabled is Disabled)

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Zazu should not be able to create an S3 bucket.
  • Since the S3 service is disabled, the AWS/S3/Admin permission is deleted, and you should no longer see AWS/S3/Admin assigned to Baampu in the Turbot UI.

Summary:

User/Access              Enabled Services   Disabled Services
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Zazu (majordomo_role)    x

Scenario 6: Exceptions - Turbot SuperUser

The Pride Lands decided to set the hard boundary (regions/services) but want all SuperUsers, such as Timon, to be exempted.

Given:

  • The policy AWS > Turbot > Permissions > Superuser Boundary is set to No boundary.

Expected result:

  • AWS/SuperUser should not have any hard boundaries applied.

Hard boundaries consist only of the service-level API whitelist and the region whitelist policies. Turbot also defines soft restrictions (lockdowns) on services and regions, as well as on specific instance types and API operations. Turbot can attach lockdown policies to all users and roles except the Turbot service role and SuperUsers.

Scenario 7: Region Soft Lockdown

The Pride Lands decided to enable only specific regions, such as us-east-1 and ap-south-1, but to allow Turbot and SuperUsers to access all regions.

Given:

  • Leave the AWS > Turbot > Permissions > Lockdown > Region Boundary policy at its default value (- '*').
  • The policy AWS > Turbot > Permissions > Lockdown > Regions is set to include only the regions to be enabled; in this case, us-east-1 and ap-south-1.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser) should be able to create an S3 bucket in the disabled regions as well.
  • Pumbaa (as AWS/Admin) and Baampu (as AWS/S3/Admin) should not be able to create an S3 bucket in the disabled regions.
  • Zazu should be able to create an S3 bucket in both enabled and disabled regions.

Summary:

User/CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)    x                 x
Pumbaa (AWS/Admin)       x
Baampu (AWS/S3/Admin)    x
Zazu (majordomo_role)    x                 x

Scenario 8: Service Soft Lockdown

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone except Turbot and SuperUsers.

Given:

  • The policy AWS > {service} > Enabled is set to Disabled (AWS > S3 > Enabled is Disabled).
  • The policy AWS > {service} > API Enabled is set to Enabled (AWS > S3 > API Enabled is Enabled)

Expected result:

  • Timon (as AWS/SuperUser) should be able to create an S3 bucket.
  • Pumbaa (as AWS/Admin) should not be able to create an S3 bucket.
  • Since the S3 service is disabled, the AWS/S3/Admin permission is deleted, and you should no longer see AWS/S3/Admin assigned to Baampu in the Turbot UI.

Summary:

User/Access              Enabled Services   Disabled Services
Timon (AWS/SuperUser)    x                  x
Pumbaa (AWS/Admin)       x
Zazu (majordomo_role)    x                  x

Further, the Pride Lands want the soft lockdowns applied to non-Turbot-managed roles as well.

However, if the Turbot service role is also restricted, Turbot can no longer discover AWS resources in the disabled regions/services.

By design, soft lockdowns should not be applied to Turbot, but the current implementation does apply them.
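To make the difference between the two mechanisms concrete, here is an added model (not Turbot's code, and not its real policy documents) of how a hard boundary and a soft lockdown combine with a persona's own grant. It reproduces the summary tables of Scenarios 1, 2, 4, 6, 7 and 8: the hard boundary is an IAM permissions boundary with an Allow-all plus deny statements, the soft lockdown is a deny-only attached policy, and the rule from the paragraph above (lockdowns are never attached to the Turbot service role or to AWS/SuperUser) is applied in `can_call`. The policy shapes, the list of global services exempt from the region condition, and the personas' identity policies are assumptions.

```python
"""Model of hard boundaries and soft lockdowns for the personas above.

Added example, not Turbot's code or its real policy documents. Policy
shapes, the global-service list and the identity policies are assumptions
chosen to reproduce the summary tables in this document.
"""

ALLOW_ALL = {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [ALLOW_ALL]}
S3_ONLY_POLICY = {"Version": "2012-10-17",
                  "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
# Assumption: global services are carved out of the region condition (NOTE in Scenario 1).
GLOBAL_SERVICES = ("iam", "route53", "sts", "organizations")


def _deny_statements(enabled_regions, disabled_services):
    """Deny statements shared by the boundary and the lockdown policy."""
    stmts = []
    if "*" not in enabled_regions:  # the default '- *' means no region restriction
        stmts.append({
            "Sid": "RegionRestriction", "Effect": "Deny", "Resource": "*",
            "NotAction": [f"{svc}:*" for svc in GLOBAL_SERVICES],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": list(enabled_regions)}},
        })
    for svc in disabled_services:  # service API disabled
        stmts.append({"Sid": f"Deny_{svc}", "Effect": "Deny", "Action": f"{svc}:*", "Resource": "*"})
    return stmts


def build_boundary(enabled_regions=("*",), disabled_services=()):
    """Hard boundary: an IAM permissions boundary (Allow * plus the denies)."""
    return {"Version": "2012-10-17",
            "Statement": [ALLOW_ALL] + _deny_statements(enabled_regions, disabled_services)}


def build_lockdown(enabled_regions=("*",), disabled_services=()):
    """Soft lockdown: a deny-only managed policy attached to each non-exempt role."""
    return {"Version": "2012-10-17", "Statement": _deny_statements(enabled_regions, disabled_services)}


def _matches(pattern, action):
    return pattern == "*" or (pattern.endswith("*") and action.startswith(pattern[:-1])) or pattern == action


def _applies(stmt, action, region):
    """Does the statement cover this action/region? Only Action, NotAction and
    the aws:RequestedRegion StringNotEquals condition are modelled."""
    if "Action" in stmt:
        pats = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(_matches(p, action) for p in pats):
            return False
    else:
        pats = stmt["NotAction"] if isinstance(stmt["NotAction"], list) else [stmt["NotAction"]]
        if any(_matches(p, action) for p in pats):
            return False
    allowed = stmt.get("Condition", {}).get("StringNotEquals", {}).get("aws:RequestedRegion")
    return allowed is None or region not in allowed


def is_denied(policy, action, region):
    return any(s["Effect"] == "Deny" and _applies(s, action, region) for s in policy["Statement"])


def is_allowed(policy, action, region):
    """IAM evaluation within one policy: an explicit deny wins, otherwise an Allow is needed."""
    if is_denied(policy, action, region):
        return False
    return any(s["Effect"] == "Allow" and _applies(s, action, region) for s in policy["Statement"])


# Assumed personas: identity grant, whether Turbot manages the identity, superuser or not.
PERSONAS = {
    "Timon (AWS/SuperUser)": {"identity": ADMIN_POLICY, "managed": True, "superuser": True},
    "Pumbaa (AWS/Admin)": {"identity": ADMIN_POLICY, "managed": True, "superuser": False},
    "Baampu (AWS/S3/Admin)": {"identity": S3_ONLY_POLICY, "managed": True, "superuser": False},
    "Zazu (majordomo_role)": {"identity": ADMIN_POLICY, "managed": False, "superuser": False},
}


def can_call(persona, action, region, boundary=None, lockdown=None, *, all_roles=False, superuser_exempt=False):
    """Effective decision for one API call.
    boundary: applied to Turbot-managed identities (every role when all_roles),
              skipped for superusers only when superuser_exempt (Scenario 6).
    lockdown: attached to Turbot-managed roles (every role when all_roles) but
              never to the Turbot service role or AWS/SuperUser."""
    p = PERSONAS[persona]
    if not is_allowed(p["identity"], action, region):
        return False
    in_scope = p["managed"] or all_roles
    if boundary is not None and in_scope and not (p["superuser"] and superuser_exempt):
        if not is_allowed(boundary, action, region):
            return False
    if lockdown is not None and in_scope and not p["superuser"]:
        if is_denied(lockdown, action, region):
            return False
    return True


def region_matrix(boundary=None, lockdown=None, **kw):
    """CreateBucket in an enabled and a disabled region per persona (the User/CreateBucket tables)."""
    return {name: (can_call(name, "s3:CreateBucket", "us-east-1", boundary, lockdown, **kw),
                   can_call(name, "s3:CreateBucket", "eu-west-1", boundary, lockdown, **kw))
            for name in PERSONAS}


def service_matrix(boundary=None, lockdown=None, **kw):
    """An enabled service (EC2) versus the disabled service (S3) per persona (the User/Access tables)."""
    return {name: (can_call(name, "ec2:DescribeInstances", "us-east-1", boundary, lockdown, **kw),
                   can_call(name, "s3:CreateBucket", "us-east-1", boundary, lockdown, **kw))
            for name in PERSONAS}


if __name__ == "__main__":
    ENABLED = ("us-east-1", "ap-south-1")
    print("Scenario 1:", region_matrix(build_boundary(ENABLED)))
    print("Scenario 2:", service_matrix(build_boundary(disabled_services=("s3",))))
    print("Scenario 7:", region_matrix(build_boundary(), build_lockdown(ENABLED)))
    print("Scenario 8:", service_matrix(build_boundary(), build_lockdown(disabled_services=("s3",))))
```

Each tuple in the output reads as (enabled, disabled), so it maps directly onto the two columns of the summary tables: Scenario 1 gives Zazu (True, True) and everyone else (True, False), while Scenario 7 additionally gives Timon (True, True) because the lockdown is never attached to a SuperUser. Passing `all_roles=True` reproduces Scenario 4, and `superuser_exempt=True` reproduces Scenario 6. The global-service carve-out can be checked with `can_call("Timon (AWS/SuperUser)", "iam:ListRoles", "eu-west-1", build_boundary(ENABLED))`, which stays True.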

Scenario 9: Exceptions - Soft Lockdown

The Pride Lands decided to apply the soft lockdown to all roles except a specific role.

Given:

  • The policy AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown is set to Disabled for the role.

Expected result:

  • The role should not have any lockdown policy restrictions.

Scenario 10: Region Soft Lockdown on all IAM Roles

With the proper exceptions in place (if needed), the Pride Lands decided to enforce the lockdown policies on all IAM roles (Turbot-managed and non-Turbot-managed).

Given:

  • Leave the AWS > Turbot > Permissions > Lockdown > Region Boundary policy at its default value (- '*').
  • Edit the AWS > Turbot > Permissions > Lockdown > Regions policy to include only the regions to be enabled; in this case, us-east-1 and ap-south-1.
  • The policy AWS > IAM > Role > Policy Attachments > Required is set to Enforce: Required > Items.
  • The policy AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown is set to Enabled.

Expected result:

  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should be able to create an S3 bucket in the enabled regions.
  • Timon (as AWS/SuperUser), Pumbaa (as AWS/Admin), Baampu (as AWS/S3/Admin) and Zazu should not be able to create an S3 bucket in the disabled regions.

Summary:

User/CreateBucket        Enabled Regions   Disabled Regions
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Baampu (AWS/S3/Admin)    x
Zazu (majordomo_role)    x
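Scenarios 4, 5, 9 and 10 all hinge on which roles in the account actually carry the boundary and the Turbot Lockdown attachment, and which ones were exempted on purpose. The following added check (not Turbot's code) walks every IAM role with the plain read-only IAM calls a boto3 client exposes, `list_roles` and `list_attached_role_policies`, and reports non-exempt roles that are missing either control. The client is injected so the same function runs against `boto3.client("iam")` in a real account or against the constructed `FakeIAM` below for an offline run; the policy ARNs, role names and the exempt-role set are placeholders.

```python
"""Audit which IAM roles carry the hard boundary and the soft lockdown.

Added example, not Turbot's code. It relies only on the IAM read calls
list_roles and list_attached_role_policies, exercised through an injected
client: boto3.client("iam") for a real account, or the constructed FakeIAM
below for offline use. ARNs, role names and the exempt set are placeholders.
"""
from dataclasses import dataclass

# Placeholders: the boundary policy in use (Turbot's own or the custom one from
# Scenario 12) and the Turbot Lockdown policy attached under Scenario 10.
BOUNDARY_ARN = "arn:aws:iam::111111111111:policy/PLACEHOLDER-boundary"
LOCKDOWN_ARN = "arn:aws:iam::111111111111:policy/PLACEHOLDER-turbot-lockdown"
# Roles deliberately exempted (Scenario 3 / Scenario 9); assumed names.
EXEMPT_ROLES = frozenset({"turbot_service_role"})


@dataclass
class RoleFinding:
    name: str
    has_boundary: bool  # the role's PermissionsBoundary equals the boundary ARN
    has_lockdown: bool  # the lockdown policy is among the attached managed policies
    exempt: bool


def _iter_roles(iam):
    """Walk list_roles pages the way the IAM API paginates (IsTruncated/Marker)."""
    kwargs = {}
    while True:
        page = iam.list_roles(**kwargs)
        yield from page["Roles"]
        if not page.get("IsTruncated"):
            return
        kwargs = {"Marker": page["Marker"]}


def audit_roles(iam, boundary_arn=BOUNDARY_ARN, lockdown_arn=LOCKDOWN_ARN, exempt=EXEMPT_ROLES):
    """One finding per role in the account."""
    findings = []
    for role in _iter_roles(iam):
        name = role["RoleName"]
        boundary = role.get("PermissionsBoundary", {}).get("PermissionsBoundaryArn")
        attached = iam.list_attached_role_policies(RoleName=name)["AttachedPolicies"]
        attached_arns = {p["PolicyArn"] for p in attached}
        findings.append(RoleFinding(name, boundary == boundary_arn, lockdown_arn in attached_arns, name in exempt))
    return findings


def missing_boundary(findings):
    """Non-exempt roles without the boundary: gaps against Scenario 4 / 5."""
    return sorted(f.name for f in findings if not f.exempt and not f.has_boundary)


def missing_lockdown(findings):
    """Non-exempt roles without the lockdown attachment: gaps against Scenario 10."""
    return sorted(f.name for f in findings if not f.exempt and not f.has_lockdown)


class FakeIAM:
    """Constructed stand-in for boto3's IAM client, returning two pages of roles."""

    def __init__(self):
        def role(name, boundary=None):
            r = {"RoleName": name, "Arn": f"arn:aws:iam::111111111111:role/{name}"}
            if boundary:
                r["PermissionsBoundary"] = {"PermissionsBoundaryType": "Policy",
                                            "PermissionsBoundaryArn": boundary}
            return r
        self._roles = [
            role("turbot_service_role"),          # exempt: no boundary (Scenario 3)
            role("pumbaa_admin", BOUNDARY_ARN),   # boundary and lockdown: fully covered
            role("baampu_s3", BOUNDARY_ARN),      # boundary only, lockdown missing
            role("majordomo_role"),               # non-Turbot role with nothing applied
        ]
        self._attached = {"pumbaa_admin": [LOCKDOWN_ARN]}

    def list_roles(self, Marker=None, **_):
        if Marker is None:
            return {"Roles": self._roles[:2], "IsTruncated": True, "Marker": "page-2"}
        return {"Roles": self._roles[2:], "IsTruncated": False}

    def list_attached_role_policies(self, RoleName):
        return {"AttachedPolicies": [{"PolicyName": arn.rsplit("/", 1)[1], "PolicyArn": arn}
                                     for arn in self._attached.get(RoleName, [])]}


if __name__ == "__main__":
    results = audit_roles(FakeIAM())  # swap in boto3.client("iam") for a live account
    print("roles without boundary:", missing_boundary(results))
    print("roles without lockdown:", missing_lockdown(results))
```

Against the constructed data the check reports majordomo_role as missing the boundary and both baampu_s3 and majordomo_role as missing the lockdown, while turbot_service_role is skipped as exempt. In a live account, a role that shows up in these lists is exactly one that Scenario 4/5 or Scenario 10 expects to be covered but is not, and a role that is absent from the exempt set yet has no boundary is worth a second look.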

Scenario 11: Service Soft Lockdown on all IAM Roles - Broken as of now! John/Abhi to redesign.

The Pride Lands decided to disable a specific AWS service (for example, AWS S3) for everyone, including non-Turbot roles.

Given:

  • Set AWS > {service} > Enabled to Disabled (AWS > S3 > Enabled is Disabled).
  • Set AWS > {service} > API Enabled to Enabled (AWS > S3 > API Enabled is Enabled).
  • Set AWS > IAM > Role > Policy Attachments > Required to Enforce: Required > Items.
  • Set AWS > IAM > Role > Policy Attachments > Required > Turbot Lockdown to Enabled.

Expected result:

  • Timon (as AWS/SuperUser) should be able to create an S3 bucket.
  • Pumbaa (as AWS/Admin) should not be able to create an S3 bucket.
  • Since the S3 service is disabled, the AWS/S3/Admin permission is deleted, and you should no longer see AWS/S3/Admin assigned to Baampu in the Turbot UI.

Summary:

User/Access              Enabled Services   Disabled Services
Timon (AWS/SuperUser)    x
Pumbaa (AWS/Admin)       x
Zazu (majordomo_role)    x

Scenario 12: Customization - Hard Boundary

The Pride Lands decided to set a hard boundary, but want to use their own boundary policy instead of Turbot's boundary policy.

Given:

  • Set the AWS > IAM > User > Boundary > Policy and AWS > IAM > Role > Boundary > Policy policies to the name of your boundary policy.

Note that the Turbot Region Boundary and API Enabled policies have no effect if you do not apply Turbot's boundary policy. Your policy must already exist; it will not be created by this policy. You can use AWS > Account > Stack to manage this policy if you wish.

Expected result:

  • Where applicable, the boundaries should still be applied, but the custom boundary policy, rather than Turbot's boundary policy, should be attached to all roles/users.

Scenario 13: Customization - Self Managed Services

The Pride Lands decided to explore a new service that Turbot does not support yet, or a service whose mod is not installed in the workspace. The Pride Lands want Turbot to allow this service's API in both the boundary and the lockdown.

Given:

  • Add the service's APIs to the AWS > Turbot > Permissions > Lockdown > API Boundary policy.

Expected result:

  • The service's API should be exempted from both the boundary and the lockdown policies.