Overprivilege analysis of IAM policies in arackaf/booklist repository #650

dattapubali opened this issue Jan 29, 2024 · 0 comments
We are submitting this issue to notify you of an IAM policy analysis we conducted based on an October 2021 copy of the arackaf/booklist repository. We recognize that your application has continued to change since then, but wanted to share our results with you.

Analyzing lambda/book-covers/serverless.yml in https://github.com/arackaf/booklist/tree/cacd540, we determined that the provider-level iam.role.statements definition enabled over-privileged access to your dynamodb table and S3 buckets. By looking at the API calls that were actually being made by your application at that time, we determined that the following changes would reduce unnecessary privilege while still permitting the application to function:

Note: the following policy changes use the https://github.com/functionalone/serverless-iam-roles-per-function serverless plugin to create detailed per-function IAM policies.

High level overview:
The handler and isbnDbBookCoverLookup functions were granted permission to the My_Library_* dynamodb tables but did not need access. The isbnDbBookCoverLookup and bookRecommendationBadCoverSync functions were granted permission to the S3 buckets, but did not need access. Finally, all functions were granted access to the secretsmanager, but only the isbnDbBookCoverLookup function needed permission for this resource.


```yaml
…
functions:
  upload:
    handler: handlerFileUpload.handler
    events:
      - http:
          path: upload
          method: post
          cors: true
    iamRoleStatements:
      - Effect: Allow
        Action:
          - "s3:*"
        # Resource entries must be full ARNs; bare bucket paths fail IAM policy
        # validation at deploy time. Bucket names are kept as given.
        Resource:
          - "arn:aws:s3:::my-library-cover-upload-staging/*"
          - "arn:aws:s3:::my-library-cover-uploads/*"

  uploadFromUrl:
    handler: handlerUrlUpload.handler
    events:
      - http:
          path: uploadFromUrl
          method: post
          cors: true
    iamRoleStatements:
      - Effect: Allow
        Action:
          - "s3:*"
        Resource:
          - "arn:aws:s3:::my-library-cover-upload-staging/*"
          - "arn:aws:s3:::my-library-cover-uploads/*"
      - Effect: Allow
        Action:
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:UpdateItem
          - dynamodb:DeleteItem
          - dynamodb:DescribeStream
        Resource: "arn:aws:dynamodb:*:*:table/My_Library_${self:provider.stage}"

  isbnDbBookCoverLookup:
    timeout: 10
    handler: handlerIsbnDbLookup.handler
    events:
      - http:
          path: /isbndb-cover-lookup
          method: post
          cors: true
    iamRoleStatements:
      - Effect: Allow
        Action:
          - "secretsmanager:GetSecretValue"
        Resource: "arn:aws:secretsmanager:us-east-1:*"

  bookRecommendationBadCoverSync:
    timeout: 750
    handler: handlerUpdateSimilarItemsCovers.handler
    events:
      - schedule: rate(24 hours)
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:Query
          - dynamodb:Scan
          - dynamodb:GetItem
          - dynamodb:PutItem
          - dynamodb:UpdateItem
          - dynamodb:DeleteItem
          - dynamodb:DescribeStream
        Resource: "arn:aws:dynamodb:*:*:table/My_Library_${self:provider.stage}"
…
```



Your IAM policy was studied as part of a research project that was conducted jointly by researchers at North Carolina State University and the University of Illinois at Urbana-Champaign. We developed an algorithm that leveraged graph reachability analysis to inspect privilege in serverless applications. This work has been accepted to appear at the 2024 Web Conference (Paper Title: “GRASP: Hardening Serverless Applications through Graph Reachability Analysis of Security Policies”). We will be discussing the results from our 2021 analysis of your application as part of this work, but will be sure to note that the policy has been updated since then.

We noticed in the current version of the lambda/book-covers/serverless.yml there are fewer functions with different permissions. If you’d like, we’d be happy to update our analysis to reflect the present state of your application. Do let us know if you have any thoughts or feedback.

Best,
Pubali Datta (co-authors: Isaac Polinsky, Adam Bates, Will Enck)
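As an added illustration of the granted-versus-used comparison the issue describes (example code written for this page; it is neither the GRASP tool nor code from the booklist repository): the per-function Action lists are transcribed from the tightened policy above, while the provider-level action list and the observed-call sets are constructed assumptions standing in for CloudTrail or SDK instrumentation data. The report flags grants no observed call exercises, grants whose wildcard could be narrowed to the concrete actions seen, and observed calls a tightened policy would break.

```python
"""Compare IAM actions granted to each Lambda function with the API calls it was
observed making, and derive the minimal Action list that still covers them.
Example code for this page only: not the GRASP tool, not the booklist project's code."""
import fnmatch
from typing import Dict, Iterable, List, Set

# Hypothetical provider-level statement list shared by every function, the shape the
# issue says the original serverless.yml used. The exact actions are an assumption.
PROVIDER_LEVEL_ACTIONS: List[str] = ["s3:*", "dynamodb:*", "secretsmanager:GetSecretValue"]

# Per-function Action lists transcribed from the tightened policy in the issue.
PER_FUNCTION_ACTIONS: Dict[str, List[str]] = {
    "upload": ["s3:*"],
    "uploadFromUrl": ["s3:*", "dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                      "dynamodb:PutItem", "dynamodb:UpdateItem", "dynamodb:DeleteItem",
                      "dynamodb:DescribeStream"],
    "isbnDbBookCoverLookup": ["secretsmanager:GetSecretValue"],
    "bookRecommendationBadCoverSync": ["dynamodb:Query", "dynamodb:Scan", "dynamodb:GetItem",
                                       "dynamodb:PutItem", "dynamodb:UpdateItem",
                                       "dynamodb:DeleteItem", "dynamodb:DescribeStream"],
}

# Constructed sample of observed calls per function. These are NOT the calls the
# researchers measured; they stand in for CloudTrail or instrumentation output.
OBSERVED_CALLS: Dict[str, Set[str]] = {
    "upload": {"s3:PutObject", "s3:GetObject"},
    "uploadFromUrl": {"s3:PutObject", "dynamodb:UpdateItem", "dynamodb:Query"},
    "isbnDbBookCoverLookup": {"secretsmanager:GetSecretValue"},
    "bookRecommendationBadCoverSync": {"dynamodb:Scan", "dynamodb:UpdateItem"},
}


def action_matches(pattern: str, action: str) -> bool:
    """IAM Action matching: case-insensitive, '*' and '?' wildcards (Resource and
    Condition elements are deliberately out of scope here)."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def unused_patterns(patterns: Iterable[str], calls: Set[str]) -> List[str]:
    """Granted patterns that no observed call exercises: candidates for removal."""
    return [p for p in patterns if not any(action_matches(p, c) for c in calls)]


def uncovered_calls(patterns: Iterable[str], calls: Set[str]) -> List[str]:
    """Observed calls no pattern allows: a policy built from `patterns` would break these."""
    pats = list(patterns)
    return sorted(c for c in calls if not any(action_matches(p, c) for p in pats))


def minimal_actions(patterns: Iterable[str], calls: Set[str]) -> List[str]:
    """Replace each exercised pattern (e.g. 's3:*') by the concrete actions observed
    under it and drop patterns nothing exercised."""
    kept: Set[str] = set()
    for p in patterns:
        kept.update(c for c in calls if action_matches(p, c))
    return sorted(kept)


def analyze(granted: Dict[str, List[str]], observed: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Per-function overprivilege report."""
    report: Dict[str, dict] = {}
    for fn, patterns in granted.items():
        calls = observed.get(fn, set())
        report[fn] = {
            "unused": unused_patterns(patterns, calls),
            "uncovered": uncovered_calls(patterns, calls),
            "minimal": minimal_actions(patterns, calls),
        }
    return report


def provider_level_report(actions: List[str], observed: Dict[str, Set[str]]) -> Dict[str, dict]:
    """Model a provider-level policy: every function receives the same statement list."""
    return analyze({fn: list(actions) for fn in observed}, observed)


if __name__ == "__main__":
    print("provider-level policy (every function gets every grant):")
    for fn, r in provider_level_report(PROVIDER_LEVEL_ACTIONS, OBSERVED_CALLS).items():
        print(f"  {fn}: unused={r['unused']}")
    print("per-function policy from the issue:")
    for fn, r in analyze(PER_FUNCTION_ACTIONS, OBSERVED_CALLS).items():
        print(f"  {fn}: unused={r['unused']} uncovered={r['uncovered']} minimal={r['minimal']}")
```

Two caveats a practitioner should keep in mind: the check only compares Action strings, so it says nothing about whether a Resource ARN is wider than the buckets or tables a function touches, and a "minimal" list derived from observed traffic is only as complete as the observation window (a code path never exercised during capture shows up as an uncovered call only after the tightened policy is deployed).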
