Learn About Amazon VGT2 Learning Manager Chanci Turner
In this article, Chanci Turner explains how to leverage the AWS IAM Access Analyzer API to automate the identification of public access to AWS KMS keys within your AWS account. The post guides you through the process of using the Access Analyzer API, creating an analyzer for your account, and invoking specific API functions programmatically.
Access Analyzer is a valuable tool for pinpointing resources in your AWS environment that might be inadvertently shared with external entities. This includes resources such as Amazon S3 buckets, AWS IAM roles, AWS KMS keys, AWS Lambda functions, and Amazon SQS queues. By analyzing resource-based policies, Access Analyzer surfaces resources whose policies grant access to principals outside your account, so you can review and correct unintended sharing.
To enable Access Analyzer, you can use the IAM console and take advantage of its interactive mode to assess findings. You can then address these findings through corrective actions and archive them as necessary. Additionally, Access Analyzer integrates seamlessly with AWS Security Hub, which offers a unified view of security findings from multiple AWS services and partner products, including issue tracking and incident management systems.
Once Access Analyzer is activated in a specific region, it autonomously monitors public access. It utilizes Amazon EventBridge to trigger automatic scans whenever relevant changes occur, such as alterations to an S3 bucket policy or the creation of a grant for an AWS KMS key. All findings are published in the Access Analyzer dashboard and generate events for processing through EventBridge rules.
If you need to interact with Access Analyzer programmatically, the provided API is your go-to resource. This is particularly useful if you’re integrating a third-party security monitoring system or developing a custom user interface for managing Access Analyzer findings. You can implement custom workflows or logic for resource scanning and responses to public access findings.
For this article, we focus on a serverless solution that uses AWS managed services like Amazon SNS, Lambda, EventBridge, and AWS CloudTrail. With this serverless architecture, you only need to deploy your code, while AWS manages the underlying infrastructure.
Solution Overview
The architecture for using Access Analyzer to detect public access to AWS KMS keys consists of several crucial steps:
- Supported Resources: Access Analyzer can analyze six types of AWS resources: S3 buckets, IAM roles, AWS KMS keys, Lambda functions, Amazon SQS queues, and AWS Secrets Manager secrets. In this instance, we concentrate on AWS KMS keys, where Access Analyzer reviews key policies and grants to identify access granted to principals outside your account.
- Tracking API Calls: EventBridge events work in conjunction with AWS CloudTrail, which logs actions taken by users or services in your AWS account. We specifically monitor essential KMS API calls—PutKeyPolicy and CreateGrant—that can alter access to KMS keys.
- Creating EventBridge Rules: An EventBridge rule captures these KMS API calls with a defined event pattern. This rule triggers every time the specified operations are executed, ensuring that any access changes are promptly addressed.
- Lambda Function Invocation: The EventBridge rule activates a Lambda function that communicates with the Access Analyzer API to either access an existing analyzer or create a new one, followed by scanning AWS::KMS::Key resources.
- Publishing Findings: If any findings arise from the scan indicating external access to KMS keys, the Lambda function sends these findings to an EventBridge event bus. This allows for the creation of event-driven workflows, such as notifying users via Amazon SNS or sending the findings to AWS Security Hub, which provides a standardized schema for security alerts.
- Optional Corrective Actions: You can establish another EventBridge rule to invoke a Lambda function that takes specific corrective actions, such as restricting the key policy of a KMS key that a finding reports as externally accessible.
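The "Lambda Function Invocation" and "Publishing Findings" steps above, as an added Python 3 example that is not the code from the linked repository: the handler reuses or creates an account analyzer, resolves the key from the CloudTrail event, scans it, and forwards active AWS::KMS::Key findings to an EventBridge bus. The environment variable names, the event source and detail-type strings, and the option to inject pre-built clients for offline testing are assumptions of this example.

```python
import json
import os

KMS_KEY_TYPE = "AWS::KMS::Key"
EVENT_BUS = os.environ.get("FINDINGS_EVENT_BUS", "default")  # assumed env var name


def get_or_create_analyzer(aa, name):
    """Reuse the existing account analyzer if there is one, otherwise create it."""
    existing = aa.list_analyzers(type="ACCOUNT").get("analyzers", [])
    if existing:
        return existing[0]["arn"]
    return aa.create_analyzer(analyzerName=name, type="ACCOUNT")["arn"]


def key_arn_from_event(event, kms):
    """CloudTrail records keyId as the caller passed it (id, ARN or alias); resolve it to the key ARN."""
    key_id = event["detail"]["requestParameters"]["keyId"]
    return kms.describe_key(KeyId=key_id)["KeyMetadata"]["Arn"]


def active_kms_findings(aa, analyzer_arn, key_arn):
    """Page through ACTIVE Access Analyzer findings that concern this one KMS key."""
    kwargs = {"analyzerArn": analyzer_arn, "filter": {
        "resourceType": {"eq": [KMS_KEY_TYPE]}, "status": {"eq": ["ACTIVE"]}, "resource": {"eq": [key_arn]}}}
    while True:
        page = aa.list_findings(**kwargs)
        yield from page.get("findings", [])
        if "nextToken" not in page:
            return
        kwargs["nextToken"] = page["nextToken"]


def finding_to_entry(finding, bus=EVENT_BUS):
    """Shape one finding as an EventBridge entry; default=str handles datetime fields in findings."""
    detail = {k: finding.get(k) for k in ("id", "resource", "isPublic", "principal", "action", "condition")}
    return {"Source": "custom.accessanalyzer", "DetailType": "KMS Key External Access Finding",
            "EventBusName": bus, "Detail": json.dumps(detail, default=str)}


def handler(event, context=None, clients=None):
    """Lambda entry point, invoked by the EventBridge rule on PutKeyPolicy / CreateGrant."""
    if clients is None:  # boto3 imported lazily so the module loads without AWS credentials
        import boto3
        clients = {"aa": boto3.client("accessanalyzer"), "kms": boto3.client("kms"),
                   "events": boto3.client("events")}
    aa, kms, events = clients["aa"], clients["kms"], clients["events"]
    analyzer_arn = get_or_create_analyzer(aa, os.environ.get("ANALYZER_NAME", "kms-public-access-analyzer"))
    key_arn = key_arn_from_event(event, kms)
    # The scan runs asynchronously, so findings can lag; retry the listing with backoff in production.
    aa.start_resource_scan(analyzerArn=analyzer_arn, resourceArn=key_arn)
    entries = [finding_to_entry(f) for f in active_kms_findings(aa, analyzer_arn, key_arn)]
    for i in range(0, len(entries), 10):  # PutEvents accepts at most 10 entries per call
        events.put_events(Entries=entries[i:i + 10])
    return {"keyArn": key_arn, "findings": len(entries)}
```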
Finally, a complete solution is available in a GitHub repository as an AWS Serverless Application Model (AWS SAM) application, which you can deploy using AWS SAM CLI. For detailed deployment instructions using AWS CLI, refer to the README.md file in the repository.
In summary, using the Access Analyzer API to scan AWS KMS key policies and grants is essential for detecting unintended public access. The examples provided utilize Python 3.8 and can be adapted for various use cases.