AWS Security Blog

IAM Access Analyzer makes it easier to implement least privilege permissions by generating IAM policies based on access activity

In 2019, AWS Identity and Access Management (IAM) Access Analyzer was launched to help you remove unintended public and cross-account access by analyzing your existing permissions. In March 2021, IAM Access Analyzer added policy validation to help you set secure and functional permissions during policy authoring. Now, IAM Access Analyzer takes that a step further and generates policies for you. You can use IAM Access Analyzer to generate fine-grained policies based on the access activity recorded in your AWS CloudTrail logs. When you request a policy, IAM Access Analyzer identifies the principal's activity in the CloudTrail logs and generates a policy from it. The generated policy grants only the permissions your workload actually used, which makes it easier for you to implement least privilege permissions.

As developers, when you build in development environments, you start with broader permissions to experiment and determine the AWS capabilities you need. As your workloads settle, you then need to refine permissions to only those services and actions that are used. This ensures that your policies follow security best practices as you migrate your workloads from development to production environments. Now, you can use IAM Access Analyzer to more easily generate fine-grained policies that grant only the required access. In this post, I’ll give you an overview of how policy generation with IAM Access Analyzer works, and then walk you through the steps to generate, customize, and create a policy.

Overview

To generate a policy, you go to the IAM console and navigate to your application role. From there, you request a policy by specifying a CloudTrail trail and a date range. IAM Access Analyzer then analyzes the CloudTrail logs for that trail and window and generates a policy, which you can retrieve and customize. For the services it supports at action level, IAM Access Analyzer identifies the actions logged in CloudTrail and generates action-level statements; for the other services it identifies only that the service was used, to guide you in specifying the required actions yourself. Note that the analysis covers CloudTrail management events: data events, such as Amazon S3 object reads and writes, are not reflected at action level, so those permissions still have to be added by hand. To refine permissions further, IAM Access Analyzer identifies the actions that support resource-level permissions and provides a template with resource placeholders. You fill in the resource ARNs in the template to set resource-level permissions, which restricts access to specific resources rather than to every resource of that type. Generating policies with IAM Access Analyzer is available at no additional cost, and you can use it through the IAM console or programmatically through the AWS CLI and SDKs.

Now, I’ll walk you through an example of how you can use IAM Access Analyzer through IAM console and generate policies for your workloads.

Generate a policy for a role based on its CloudTrail access activity

In this example, a Senior Developer, Sofía Martínez, is building a microservice orchestrator to run an e-commerce web application for Example Corp. Her primary function is to build microservices. For these microservices, she needs to author IAM policies to provide the fine-grained permissions. With an upcoming launch for holiday shopping, Sofía completed development and is now getting ready to launch the application. Specifically, she wants to ensure that the application has only the minimum permissions required. To do this, Sofía uses IAM Access Analyzer to generate a policy and easily grant access to her application role.

To generate a policy in the AWS Management Console

  1. Open the IAM Console, and in the navigation pane choose Roles.
  2. Choose a role to analyze. In this example, Sofía chooses AWS_Test_Role.
  3. Under Generate policy based on CloudTrail events, choose Generate policy, as shown in Figure 1.
     
    Figure 1: Generate policy from the role detail page

  4. On the Generate policy page, you select the time window for which IAM Access Analyzer will review the CloudTrail logs to create the policy. Choose a window that covers a full exercise of the application's code paths: any action the role did not call within that window is absent from the generated policy, and the application will be denied if it needs that action later. In this example, Sofía tested the application within the last 15 days, so she chooses that time window, as shown in Figure 2.
     
    Figure 2: Specify the time period

  5. If you are using this feature for the first time: for Select trail, select the trail you want IAM Access Analyzer to review, select Create and use a new service role (this is the role IAM Access Analyzer assumes to read the trail's log files), and then choose Generate policy.

    If you already have a suitable service role, select Use an existing service role, select a role from the available options, and choose Generate policy, as shown in Figure 3. In the example, Sofía uses an existing service role and chooses Generate policy to start the policy generation.
     

    Figure 3: CloudTrail access

  6. After the policy is ready, you see a notification on the role page. To review the permissions, choose View generated policy, as shown in Figure 4.
     
    Figure 4: Policy generation progress

(Optional) To customize the policy

  1. On the Generated policy page, you can review a summary of the services in the generated policy and, for the services that IAM Access Analyzer supports at action level, the associated actions. In this example, Sofía sees that the application used Amazon Elastic Compute Cloud (Amazon EC2), AWS IAM, AWS Lambda, and Amazon Simple Storage Service (Amazon S3), together with the associated actions, as shown in Figure 5.
     
    Figure 5: Services and actions in the generated policy

  2. You can also look at all the services used, as seen in Figure 6, and select the permissions that your application requires for the services that were identified only at service level. In this example, Sofía sees that her application used Amazon Simple Queue Service (Amazon SQS), and she knows that her application requires SQS:ReceiveMessage and SQS:SendMessage. She selects those actions from the drop-down. Figure 6 shows the policy template that helps Sofía specify the required permissions.
     
    Figure 6: Add additional actions based on services used

  3. Next, you review the policy and specify resource-level permissions by replacing the placeholders with the resource ARNs your application uses. Resource placeholders make it easier for you to specify fine-grained permissions that restrict access to specific resources. This helps you follow security best practices: you name the exact resources to which you want to grant access, which restricts the role to just a subset of the resources of that type instead of all of them.

    In this example, Sofía notices that ec2:RunInstances accepts resource-level permissions, so she replaces the placeholder with an ARN that restricts the call to the instances the application launches, as shown in Figure 7. Two caveats apply to this action in particular: the instance ID does not exist until RunInstances returns, so the instance resource is scoped by Region and account with a wildcard for the ID (arn:aws:ec2:region:account-id:instance/*), and RunInstances is evaluated against several resource types at once (the image, subnet, and security groups as well as the instance), so each of those ARNs must also appear in the Resource element or the call is denied.
     

    Figure 7: Customize permissions on the policy

  4. On the Customize generated policy page, after you are done customizing the policy, choose Next to review the policy.

To create and attach the policy

  1. On the Review and create as a customer managed policy page, update the policy name according to your company’s best practices, and review the permission summary. Optionally, you can add a description to define the intent of policy. In this example, Sofía names her policy, and adds a description, as shown in Figure 8.
     
    Figure 8: Review and create policy

  2. Choose Create and attach, to attach the policy to the application role.

After the policy is attached, Sofía can detach the broader policies that were on the role during development, so that the role runs with only the fine-grained permissions.

To generate and view policies programmatically

You can use the following IAM Access Analyzer APIs to request and retrieve policies:

  • start-policy-generation: Starts policy generation for an IAM user or role. Call this API first, specifying the principal ARN, the CloudTrail trail, the service role that IAM Access Analyzer assumes to read the trail, and the time period for which IAM Access Analyzer should review your CloudTrail logs. Generation is asynchronous; the call returns a job ID.
  • get-generated-policy: Call this API with the job ID to check the job status and, once the job has succeeded, retrieve the generated policy. Request the resource placeholders and the service-level template (the include-resource-placeholders and include-service-level-template options) if you want the same customization aids that the console shows.
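Worked example, added here and not part of the original post or of any AWS sample code: a small Python helper that builds the StartPolicyGeneration request for the same role and 15-day window used in the walkthrough, polls GetGeneratedPolicy until the asynchronous job finishes, and then performs the customization step from the console section in code, filling the resource placeholders and appending actions for a service (SQS) that was identified only at service level. It assumes the boto3 parameter and response field names shown (jobId, jobDetails.status, generatedPolicyResult.generatedPolicies[].policy) and that placeholders in a generated policy look like ${Region}, ${Account} and ${InstanceId}; every ARN and the sample API response are constructed. The API client is injected so the helper runs offline against a stub; in production pass boto3.client("accessanalyzer").get_generated_policy.

```python
"""Programmatic IAM Access Analyzer policy generation plus the customization step.

Added example, not AWS code. Assumed: boto3 parameter/response field names
(jobId, jobDetails.status, generatedPolicyResult.generatedPolicies[].policy) and
the placeholder syntax ${Region}/${Account}/${InstanceId}. All ARNs are constructed.
"""
import json
import re
import time
from datetime import datetime, timedelta, timezone

PLACEHOLDER = re.compile(r"\$\{([A-Za-z0-9]+)\}")


def build_start_request(principal_arn, trail_arn, access_role_arn, days=15):
    """Input for StartPolicyGeneration: review the last `days` of the given trail
    (the console's time-window choice). access_role_arn is the service role that
    IAM Access Analyzer assumes to read the trail's log files."""
    end = datetime.now(timezone.utc)
    return {
        "policyGenerationDetails": {"principalArn": principal_arn},
        "cloudTrailDetails": {
            "trails": [{"cloudTrailArn": trail_arn, "allRegions": True}],
            "accessRole": access_role_arn,
            "startTime": end - timedelta(days=days),
            "endTime": end,
        },
    }


def wait_for_policies(get_generated_policy, job_id, poll_seconds=5,
                      max_polls=60, sleep=time.sleep):
    """Poll GetGeneratedPolicy until the asynchronous job ends and return the
    generated policies as dicts. The client call is injected (in production:
    boto3.client("accessanalyzer").get_generated_policy) so this runs offline."""
    for _ in range(max_polls):
        resp = get_generated_policy(jobId=job_id,
                                    includeResourcePlaceholders=True,
                                    includeServiceLevelTemplate=True)
        status = resp["jobDetails"]["status"]
        if status == "SUCCEEDED":
            return [json.loads(p["policy"])
                    for p in resp["generatedPolicyResult"]["generatedPolicies"]]
        if status in ("FAILED", "CANCELED"):
            raise RuntimeError(f"policy generation job {job_id} ended {status}")
        sleep(poll_seconds)
    raise TimeoutError(f"policy generation job {job_id} did not finish")


def unresolved_placeholders(policy):
    """Placeholder names still present anywhere in the policy document."""
    return sorted(set(PLACEHOLDER.findall(json.dumps(policy))))


def fill_placeholders(policy, values, allow_wildcard=()):
    """Return a copy of `policy` with ${Name} placeholders in Resource elements
    replaced from `values`. Fails closed: an unresolved placeholder, or a bare "*"
    for a placeholder not listed in allow_wildcard, raises instead of silently
    producing a broader policy than intended."""
    for name, value in values.items():
        if value.strip() == "*" and name not in allow_wildcard:
            raise ValueError(f"'*' for {name} would undo resource-level scoping")

    def substitute(arn):
        filled = PLACEHOLDER.sub(lambda m: values.get(m.group(1), m.group(0)), arn)
        leftover = PLACEHOLDER.findall(filled)
        if leftover:
            raise ValueError(f"unresolved placeholders {leftover} in {arn}")
        return filled

    out = json.loads(json.dumps(policy))  # deep copy; never mutate the input
    for stmt in out["Statement"]:
        resource = stmt.get("Resource")
        if isinstance(resource, str):
            stmt["Resource"] = substitute(resource)
        elif isinstance(resource, list):
            stmt["Resource"] = [substitute(r) for r in resource]
    return out


def add_actions(policy, sid, actions, resources):
    """Append an Allow statement for a service that IAM Access Analyzer listed
    only at service level (SQS in the walkthrough), with the actions the
    application actually needs, scoped to explicit resource ARNs."""
    out = json.loads(json.dumps(policy))
    out["Statement"].append({"Sid": sid, "Effect": "Allow",
                             "Action": sorted(set(actions)),
                             "Resource": list(resources)})
    return out


if __name__ == "__main__":
    # Offline demonstration against a constructed GetGeneratedPolicy response.
    sample = {"Version": "2012-10-17", "Statement": [{
        "Sid": "ec2", "Effect": "Allow", "Action": ["ec2:RunInstances"],
        "Resource": "arn:aws:ec2:${Region}:${Account}:instance/${InstanceId}"}]}
    responses = iter([
        {"jobDetails": {"jobId": "job-1", "status": "IN_PROGRESS"}},
        {"jobDetails": {"jobId": "job-1", "status": "SUCCEEDED"},
         "generatedPolicyResult": {"generatedPolicies": [{"policy": json.dumps(sample)}]}}])
    generated = wait_for_policies(lambda **kw: next(responses), "job-1", sleep=lambda s: None)[0]
    # The instance ID does not exist before RunInstances runs, so "*" is explicitly allowed here.
    filled = fill_placeholders(generated, {"Region": "us-east-1", "Account": "123456789012",
                                           "InstanceId": "*"}, allow_wildcard={"InstanceId"})
    final = add_actions(filled, "sqs", ["sqs:ReceiveMessage", "sqs:SendMessage"],
                        ["arn:aws:sqs:us-east-1:123456789012:orders"])
    print(json.dumps(final, indent=2))
```

The placeholder filler deliberately fails closed: a leftover ${...} makes the policy invalid, and a wildcard typed in for a placeholder quietly undoes the resource scoping the whole exercise was meant to add, so both are rejected unless a wildcard is explicitly allowed for a placeholder that cannot be known in advance (the instance ID for RunInstances).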

For more information, see Generate policies based on access activity in the AWS IAM User Guide.

Conclusion

IAM Access Analyzer makes it easier to grant fine-grained permissions to your application roles by generating IAM policies based on your CloudTrail activity. To learn more about how to generate a policy, see Generate policies based on access activity in the AWS IAM User Guide.

If you have feedback about this post, submit comments in the Comments section below. If you have questions about this blog post, start a new thread on the AWS IAM forum or contact AWS Support.

Want more AWS Security how-to content, news, and feature announcements? Follow us on Twitter.

Mathangi Ramesh


Mathangi is the product manager for AWS Identity and Access Management. She enjoys talking to customers and working with data to solve problems. Outside of work, Mathangi is a fitness enthusiast and a Bharatanatyam dancer. She holds an MBA degree from Carnegie Mellon University.