...

  1. Under Active findings, use the menu integrated into the filter to search for Resource: example-role-NETID
    1. Be sure to use the pull-down menu in the search field to select Resource
    2. Enter example-role-NETID, replacing NETID with your own Cornell NetID (e.g., example-role-pea1)
    3. Hit "enter" on your keyboard to trigger the actual search.
  2. Your search should result in one Finding that matches. Click on the Finding ID for that record to drill into the finding details.
  3. Note the finding details:
    • External principal (IAM Role): arn:aws:iam::2251********:role/bad-actor
    • Access level: sts:AssumeRole
    • (info) This indicates that our role (example-role-NETID) allows the bad-actor role in a different AWS account to assume it. That permission is granted by the trust policy attached to our role, not by anything in the other account.
Note

The bad-actor role itself had nothing to do with creating example-role-NETID in our account or with making it trust bad-actor. Only a person (or automation) holding sufficient IAM privileges in our own account could have created or configured the role that way. A finding like this should therefore prompt a look at who made the change and how they obtained those privileges, not just at the external account.

...

  1. Back on the details page for your finding, click on the Go to IAM console button to see the role details in IAM.
  2. Click on the Trust relationships tab and note that the role does indeed trust arn:aws:iam::2251********:role/bad-actor.
  3. Click on the Delete role button, and confirm by clicking Yes, delete. (Deleting the role is the right fix in this exercise because nothing depends on it. For a role that is actually in use, edit the trust policy to remove the external principal instead.)
  4. Return to the finding in Access Analyzer and click Rescan. Once the role has been re-analyzed, the finding should move from Active to Resolved, since the role no longer exists.

Part 2 – Archive a Finding

...

In this exercise, you will use Access Analyzer to archive a finding that reports public access to an S3 bucket. Archiving records a one-time review and approval of that access.

We have prepared the cu-training AWS account with S3 buckets named my-public-web-site-NETID. We used these same publicly readable buckets in the AWS Config - Hands-on Exercise.

Part 2A – Log in and get to Access Analyzer

  1. If you aren't logged in to the cu-training account with role shib-training, follow the instructions in Part 1A above to log in and navigate to the Access Analyzer console.

Part 2B - Find the Finding for "your" S3 bucket

  1. Under Active findings, use the menu integrated into the filter to search for Resource: my-public-web-site-NETID
    1. Be sure to use the pull-down menu in the search field to select Resource
    2. Enter my-public-web-site-NETID, replacing NETID with your own Cornell NetID (e.g., my-public-web-site-pea1)
    3. Hit "enter" on your keyboard to trigger the actual search.
  2. Your search should result in one Finding that matches. Click on the Finding ID for that record to drill into the finding details.
  3. Note the finding details:
    • External principal: All Principals
    • Access level:
      • s3:ListBucket
      • s3:ListBucketMultipartUploads
      • s3:ListBucketVersions
    • (info) This indicates that our bucket is publicly listable: anyone can enumerate its objects, object versions, and in-progress multipart uploads. The actions shown are bucket-level list permissions, not s3:GetObject, so whether each object can actually be downloaded depends on the object-level permissions; it is possible that not all objects within the bucket are public.

Part 2C - Archive the Finding

In this exercise scenario, we have decided that it is indeed our intention that my-public-web-site-NETID be publicly readable. Therefore we just need to tell Access Analyzer that this is intended access.

  1. Under Next steps, click on the Archive button.
  2. If you wish, you can now navigate back to the main Access Analyzer page, click on the Archived tab, and search for your S3 bucket to confirm that the related finding is indeed archived.

(info) Archiving a finding tells Access Analyzer that we have reviewed the finding and accept the access currently allowed for the resource. It changes nothing on the bucket itself: the bucket policy stays as it is and the bucket remains public. If the access granted to the resource changes later, Access Analyzer reports it as a new finding that has to be reviewed again. For access you expect to see across many resources (for example, every bucket whose name starts with my-public-web-site-), an archive rule on the analyzer can archive matching findings automatically.
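The two findings in this exercise (the role trusting an external account in Part 1 and the bucket open to All Principals in Part 2B) are both cases of a resource-based policy granting access to a principal outside our account. The following Python is an added example, not part of the original exercise and not AWS code: a stdlib-only check that reads a trust policy or bucket policy and reports the same "external principal" and "access level" the console showed. The account IDs 111111111111 (ours) and 222222222222 (the bad-actor account) are placeholder assumptions, since the page masks the real one, and the policy documents are constructed to match the findings described above.

```python
"""Offline check for resource-based policies that grant access outside our account.

Mirrors the two Access Analyzer findings from the exercise: an IAM role trust
policy that lets a foreign role call sts:AssumeRole, and an S3 bucket policy
that lets everyone ("*") list the bucket.
"""
import json

OWN_ACCOUNT = "111111111111"  # assumed placeholder for the cu-training account ID


def _as_list(value):
    """IAM lets many elements be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _aws_principals(stmt):
    """Return the AWS-account principals of a statement ('*' means anyone).

    Service principals such as ec2.amazonaws.com are skipped on purpose: they
    are AWS services, not external accounts, so they are not "external access".
    """
    principal = stmt.get("Principal")
    if principal is None:
        return []
    if isinstance(principal, str):            # "Principal": "*"
        return [principal]
    return _as_list(principal.get("AWS"))     # {"AWS": "arn:..."} or {"AWS": [...]}


def _account_of(principal):
    """Extract the 12-digit account ID from an AWS principal, or None for '*'."""
    if principal == "*":
        return None
    if principal.isdigit():                   # bare account ID, e.g. "222222222222"
        return principal
    parts = principal.split(":")              # arn:aws:iam::ACCOUNT:role/name
    return parts[4] if len(parts) >= 6 else None


def external_access(policy, own_account=OWN_ACCOUNT):
    """Return sorted (principal, action) pairs granted to principals outside own_account.

    Only Allow statements are considered and Condition elements are not
    evaluated, so the result is "possible" access, the same stance Access
    Analyzer takes when it raises a finding.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    hits = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for principal in _aws_principals(stmt):
            if principal == "*" or _account_of(principal) != own_account:
                for action in _as_list(stmt.get("Action")):
                    hits.add((principal, action))
    return sorted(hits)


def is_public(policy, own_account=OWN_ACCOUNT):
    """True when some action is granted to everyone, i.e. 'External principal: All Principals'."""
    return any(p == "*" for p, _ in external_access(policy, own_account))


# Constructed trust policy for example-role-NETID as found in Part 1.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::222222222222:role/bad-actor"},
        "Action": "sts:AssumeRole",
    }],
}

# The same role after remediation: only our own account may assume it.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed bucket policy for my-public-web-site-NETID as found in Part 2B.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:ListBucketVersions"],
        "Resource": "arn:aws:s3:::my-public-web-site-NETID",
    }],
}
BUCKET_POLICY_JSON = json.dumps(BUCKET_POLICY)  # same policy as the console's JSON text


if __name__ == "__main__":
    for name, policy in [("example-role-NETID (before)", TRUST_POLICY),
                         ("example-role-NETID (after fix)", FIXED_TRUST_POLICY),
                         ("my-public-web-site-NETID", BUCKET_POLICY)]:
        hits = external_access(policy)
        print(f"{name}: public={is_public(policy)} external access={hits or 'none'}")
```

The console steps above have CLI equivalents if you want to review findings without clicking through: `aws accessanalyzer list-findings --analyzer-arn <analyzer ARN> --filter '{"resource":{"contains":["my-public-web-site-NETID"]}}'` returns the finding and its ID, and `aws accessanalyzer update-findings --analyzer-arn <analyzer ARN> --status ARCHIVED --ids <finding ID>` archives it, the same action as the Archive button in Part 2C.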