Permissions leading to Data Exfiltration
More Info:
Data exfiltration is defined as when an authorized person extracts data from the secured systems where it belongs and either shares it with unauthorized third parties or moves it to insecure systems. Authorized persons include employees, system administrators, and trusted users. Data exfiltration can occur due to the actions of malicious or compromised actors, or accidentally.
Risk Level: High
Address: Security
Compliance Standards: CISGCP, HIPAA, SOC2, NISTCSF, NIST, AWSWAF, ISO27001, HITRUST, CBP
Triage and Remediation
Remediation
To remediate the permissions leading to data exfiltration in AWS IAM, follow these steps using the AWS Management Console:
- Sign in to the AWS Management Console.
- Open the IAM console.
- Navigate to the “Policies” section in the left-hand menu.
- Identify the policy that grants excessive permissions and may lead to data exfiltration. This could be a custom policy or an AWS managed policy.
- Click on the policy to view its details.
- Review the policy document to understand the permissions it grants and identify the specific actions that need to be revoked or restricted.
- Click on the “Edit policy” button to modify the policy.
- Update the policy document to remove or restrict the excessive permissions. You can either remove the entire statement granting the permission or modify it to restrict the resource or actions allowed.
- Review the changes to ensure that the policy now adheres to the principle of least privilege, granting only the necessary permissions.
- Click on the “Review policy” button to validate the changes made to the policy.
- Review the summary of changes and ensure that the policy is now correctly configured.
- Click on the “Save changes” button to apply the modified policy.
Once the policy is updated, the users or roles associated with the policy will have their permissions restricted according to the changes made. This will help mitigate the risk of data exfiltration resulting from excessive permissions.
Remember to regularly review and audit your IAM policies to ensure that they continue to adhere to the principle of least privilege and align with your organization’s security requirements.
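The review in the steps above (find every statement that grants one of the exfiltration actions, then remove or restrict it) can be automated against a policy document fetched with the IAM API. The following is an added example, not code from the original page: it works on plain policy JSON offline, expands IAM wildcards and NotAction, and assumes EXFIL_ACTIONS is a hand-maintained subset of this page's action list.

```python
import fnmatch
import json

EXFIL_ACTIONS = {  # subset of the actions this page lists; extend to the full list
    "dynamodb:BatchGetItem", "dynamodb:GetItem", "ec2:CreateSnapshot", "ec2:CopySnapshot",
    "ec2:ModifySnapshotAttribute", "kms:Decrypt", "rds:CreateDBSnapshot", "s3:GetObject",
    "s3:GetBucketTagging", "s3:SelectObjectContent", "secretsmanager:GetSecretValue", "ssm:GetParameter",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])
def _match(action, pattern):
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def exfil_actions_granted(statement):
    """Exfiltration actions an Allow statement grants, after wildcard/NotAction expansion."""
    if statement.get("Effect") != "Allow":
        return set()
    if "NotAction" in statement:  # grants everything except the listed patterns
        excluded = _as_list(statement["NotAction"])
        return {a for a in EXFIL_ACTIONS if not any(_match(a, p) for p in excluded)}
    patterns = _as_list(statement.get("Action"))
    return {a for a in EXFIL_ACTIONS if any(_match(a, p) for p in patterns)}

def audit_policy(policy_document):
    """(statement index, action, resources) for every exfiltration grant found."""
    return [(i, a, _as_list(s.get("Resource")))
            for i, s in enumerate(policy_document.get("Statement", []))
            for a in sorted(exfil_actions_granted(s))]

def remove_exfil_actions(policy_document):
    """Copy of the policy with exfiltration grants removed (wildcards dropped whole, NotAction/emptied statements dropped)."""
    out = json.loads(json.dumps(policy_document))
    kept = []
    for stmt in out.get("Statement", []):
        if not exfil_actions_granted(stmt):
            kept.append(stmt)  # Deny statements and harmless grants stay verbatim
        else:
            stmt["Action"] = [p for p in _as_list(stmt.get("Action"))
                              if not any(_match(a, p) for a in EXFIL_ACTIONS)]
            if stmt["Action"]:  # NotAction statements have no Action left and are dropped
                kept.append(stmt)
    out["Statement"] = kept
    return out

SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [  # constructed sample, not a real account
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:ListBucket"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "arn:aws:kms:us-east-1:123456789012:key/EXAMPLE"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"}]}
```

Run audit_policy on the document returned by get_policy_version or get_group_policy, and review the output of remove_exfil_actions before writing it back, since a dropped wildcard may also have carried permissions you still need.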
Remediating all the listed exfiltration actions in AWS using the AWS CLI involves adjusting or restricting permissions for the associated IAM policies and resource policies. Below are examples of how you can remediate each of the specified actions:
- `dynamodb:BatchExecuteStatement`: Review and adjust IAM policies for the user or role to remove or restrict the `dynamodb:BatchExecuteStatement` action. Use `aws iam` commands to modify the associated policies.
- `dynamodb:BatchGetItem`: Similarly, review and adjust IAM policies to remove or restrict the `dynamodb:BatchGetItem` action.
- `dynamodb:GetItem`: Modify IAM policies to remove or restrict `dynamodb:GetItem`.
- `dynamodb:TransactGetItems`: Update IAM policies to remove or restrict the `dynamodb:TransactGetItems` action.
- `ec2:AttachVolume`: Review and modify the IAM policies associated with EC2 instances or roles to remove or restrict the `ec2:AttachVolume` action.
- `ec2:CopySnapshot`: Adjust IAM policies related to EC2 instances to remove or restrict the `ec2:CopySnapshot` action.
- `ec2:CreateReplaceRootVolumeTask`: Modify IAM policies for EC2 to remove or restrict the `ec2:CreateReplaceRootVolumeTask` action.
- `ec2:CreateSnapshot`: Update IAM policies related to EC2 to remove or restrict the `ec2:CreateSnapshot` action.
- `ec2:CreateSnapshots`: Modify IAM policies for EC2 to remove or restrict the `ec2:CreateSnapshots` action.
- `ec2:CreateTags`: Review and adjust IAM policies associated with EC2 to remove or restrict the `ec2:CreateTags` action.
- `ec2:CreateVolume`: Modify IAM policies for EC2 to remove or restrict the `ec2:CreateVolume` action.
- `ec2:DetachVolume`: Update IAM policies related to EC2 to remove or restrict the `ec2:DetachVolume` action.
- `ec2:ModifySnapshotAttribute`: Adjust IAM policies for EC2 to remove or restrict the `ec2:ModifySnapshotAttribute` action.
- `ec2:ModifySnapshotTier`: Review and modify IAM policies related to EC2 to remove or restrict the `ec2:ModifySnapshotTier` action.
- `ec2:ModifyVolume`: Modify IAM policies for EC2 to remove or restrict the `ec2:ModifyVolume` action.
- `ec2:ModifyVolumeAttribute`: Update IAM policies associated with EC2 to remove or restrict the `ec2:ModifyVolumeAttribute` action.
- `ec2:ResetSnapshotAttribute`: Review and adjust IAM policies related to EC2 to remove or restrict the `ec2:ResetSnapshotAttribute` action.
- `ec2:RestoreSnapshotFromRecycleBin`: Modify IAM policies for EC2 to remove or restrict the `ec2:RestoreSnapshotFromRecycleBin` action.
- `ec2:RestoreSnapshotTier`: Review and modify IAM policies associated with EC2 to remove or restrict the `ec2:RestoreSnapshotTier` action.
- `iam:GetUser`: Modify IAM policies to remove or restrict the `iam:GetUser` action.
- `kms:Decrypt`: Review and adjust the Key Policy for the KMS key to remove or restrict the `kms:Decrypt` action using `aws kms`.
- `rds:CopyDBClusterSnapshot`: Adjust IAM policies related to RDS to remove or restrict the `rds:CopyDBClusterSnapshot` action.
- `rds:CopyDBSnapshot`: Modify IAM policies for RDS to remove or restrict the `rds:CopyDBSnapshot` action.
- `rds:CreateDBClusterSnapshot`: Review and adjust IAM policies associated with RDS to remove or restrict the `rds:CreateDBClusterSnapshot` action.
- `rds:CreateDBInstanceReadReplica`: Update IAM policies related to RDS to remove or restrict the `rds:CreateDBInstanceReadReplica` action.
- `rds:CreateDBSnapshot`: Modify IAM policies for RDS to remove or restrict the `rds:CreateDBSnapshot` action.
- `rds:ModifyDBCluster`: Review and adjust IAM policies associated with RDS to remove or restrict the `rds:ModifyDBCluster` action.
- `rds:ModifyDBClusterSnapshotAttribute`: Adjust IAM policies related to RDS to remove or restrict the `rds:ModifyDBClusterSnapshotAttribute` action.
- `rds:ModifyDBInstance`: Update IAM policies related to RDS to remove or restrict the `rds:ModifyDBInstance` action.
- `rds:ModifyDBSnapshot`: Modify IAM policies for RDS to remove or restrict the `rds:ModifyDBSnapshot` action.
- `rds:ModifyDBSnapshotAttribute`: Review and adjust IAM policies associated with RDS to remove or restrict the `rds:ModifyDBSnapshotAttribute` action.
- `rds:ModifyGlobalInstance`: Update IAM policies related to RDS to remove or restrict the `rds:ModifyGlobalInstance` action.
- `rds:Select`: Modify IAM policies for RDS to remove or restrict the `rds:Select` action.
- `s3:CopyObject`: Review and adjust S3 bucket policies to remove or restrict the `s3:CopyObject` action using `aws s3api`.
- `s3:GetBucketTagging`: Modify S3 bucket policies to remove or restrict the `s3:GetBucketTagging` action using `aws s3api`.
- `s3:GetObject`: Review and adjust S3 bucket policies to remove or restrict the `s3:GetObject` action using `aws s3api`.
- `s3:HeadBucket`: Update S3 bucket policies to remove or restrict the `s3:HeadBucket` action using `aws s3api`.
- `s3:HeadObject`: Adjust S3 bucket policies to remove or restrict the `s3:HeadObject` action using `aws s3api`.
- `s3:PutBucketPolicy`: Review and modify S3 bucket policies to remove or restrict the `s3:PutBucketPolicy` action using `aws s3api`.
- `s3:PutObjectAcl`: Modify S3 bucket policies to remove or restrict the `s3:PutObjectAcl` action using `aws s3api`.
- `s3:RestoreObject`: Update S3 bucket policies to remove or restrict the `s3:RestoreObject` action using `aws s3api`.
- `s3:SelectObjectContent`: Adjust S3 bucket policies to remove or restrict the `s3:SelectObjectContent` action using `aws s3api`.
- `secretsmanager:GetSecretValue`: Modify Secrets Manager resource policies to remove or restrict the `secretsmanager:GetSecretValue` action using `aws secretsmanager`.
- `ssm:GetParameter`: Update IAM policies or parameter policies in SSM to remove or restrict the `ssm:GetParameter` action using `aws ssm`.
- `ssm:GetParameters`: Modify IAM policies or parameter policies in SSM to remove or restrict the `ssm:GetParameters` action using `aws ssm`.
- `ssm:GetParametersByPath`: Adjust IAM policies or parameter policies in SSM to remove or restrict the `ssm:GetParametersByPath` action using `aws ssm`.
Please replace placeholders such as `<RoleName>`, `<BucketName>`, `<KeyId>`, and `<SecretId>` with the actual resource names in your AWS environment. Always test policy changes in a safe environment to avoid unintended access issues.
Remediating the specified exfiltration actions in AWS using Python involves making API calls to modify the necessary policies and permissions. You can use the AWS SDK for Python (Boto3) to interact with AWS services and implement the remediation steps. Below is a general outline of how to remediate some of the actions with Python scripts. You can adapt these examples for your specific use case.
Make sure you have the Boto3 library installed (`pip install boto3`) and configured with the necessary AWS credentials before running the scripts.
Note: The following examples provide a high-level overview, and you should tailor them to your specific needs.
- IAM Policies and Permissions:
To remediate IAM-related actions, you can use Boto3 to update IAM policies. Here's an example of how to remove a permission from an IAM policy. `put_group_policy` replaces the whole inline policy, so the document must contain every statement you want to keep, with the offending one either dropped or scoped down:

```python
import json
import boto3

iam = boto3.client('iam')
policy_name = "YourPolicyName"

# Rewritten policy document: the statement that granted
# dynamodb:BatchExecuteStatement on Resource "*" is scoped to a single table.
# To remove the permission entirely, delete this statement instead.
policy_document = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:BatchExecuteStatement",
            "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/YourTableName"
        },
        # Other statements...
    ]
}
iam.put_group_policy(
    GroupName="YourGroupName",
    PolicyName=policy_name,
    PolicyDocument=json.dumps(policy_document)
)
```

Modify the `policy_document` to suit your specific needs.
- S3 Bucket Policies:
To remediate S3-related actions, you can use Boto3 to update S3 bucket policies. Here's an example to deny `s3:CopyObject`:

```python
import json
import boto3

s3 = boto3.client('s3')
bucket_name = "YourBucketName"

# An explicit Deny overrides any Allow, and Principal "*" applies it to every
# caller, including your own administrators; scope Principal or add a
# Condition to target only the identities you mean to block.
# put_bucket_policy replaces the whole bucket policy, so keep existing statements.
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "s3:CopyObject",
            "Resource": f"arn:aws:s3:::{bucket_name}/*",
            "Principal": "*"
        },
        # Other statements...
    ]
}
s3.put_bucket_policy(Bucket=bucket_name, Policy=json.dumps(policy))
```

Adjust the `policy` to match your requirements.
- KMS Key Policies:
To remediate KMS-related actions, you can use Boto3 to adjust the KMS key policy. Here's an example to deny `kms:Decrypt`:

```python
import json
import boto3

kms = boto3.client('kms')
key_id = "YourKMSKeyID"

# put_key_policy replaces the entire key policy, so the document must be a
# complete policy (Version plus a Statement list) and must retain a statement
# that lets key administrators manage the key, or the key becomes unmanageable.
policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DenyDecrypt",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "kms:Decrypt",
            "Resource": f"arn:aws:kms:us-east-1:123456789012:key/{key_id}"
        },
        # Other statements (key administrators and any permitted users)...
    ]
}
kms.put_key_policy(
    KeyId=key_id,
    PolicyName="default",
    Policy=json.dumps(policy)
)
```

Customize the `policy` to meet your needs.
- RDS Security Groups and Network ACLs:
To remediate RDS-related actions, you can use Boto3 to modify security group rules or network ACLs. These scripts can be more complex and require fetching existing rules and updating them. The exact code will depend on your specific requirements.
- Secrets Manager and Parameter Store:
To remediate actions related to Secrets Manager and Parameter Store, you can use Boto3 to adjust access policies. For Secrets Manager, you can use the `secretsmanager` client, and for Parameter Store, you can use the `ssm` client. For example, to deny `secretsmanager:GetSecretValue`:

```python
import json
import boto3

secrets_manager = boto3.client('secretsmanager')
secret_id = "YourSecretID"

# put_resource_policy replaces the secret's whole resource policy; as with the
# bucket policy above, a Deny with Principal "*" blocks every caller.
resource_policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "secretsmanager:GetSecretValue",
            "Resource": f"arn:aws:secretsmanager:us-east-1:123456789012:secret:{secret_id}",
            "Principal": "*"
        },
        # Other statements...
    ]
}
secrets_manager.put_resource_policy(
    SecretId=secret_id,
    ResourcePolicy=json.dumps(resource_policy)
)
```

Modify the `resource_policy` as needed.
These are just starting points for remediating the specified actions using Python. The actual implementation will depend on your specific AWS environment and requirements. Always test remediation scripts in a safe environment and follow best practices for security and policy management.