
This hands-on exercise shows how to review IAM Access Analyzer Findings and how to take action on those findings.

Part 1 – Remove Outside Access to a Resource

...

We have prepared the cu-training AWS account with roles named example-role-NETID, one role for each of the training participants.

...

Note

Note that the bad-actor Role had nothing to do with creating the example-role-NETID Role in our account or with making it trust the bad-actor Role. A principal in another account cannot grant itself access to your account. The only way example-role-NETID could have been created, or configured to trust the bad-actor Role, is through someone (or something) holding the appropriate IAM privileges in our account.

Part 1C – Remove access by the bad-actor Role

Note

Just because a Role within your AWS account trusts IAM Roles or Users from another account, doesn't mean that access is inappropriate or unnecessary. Cross-account access is perfectly fine and often necessary. For example, that is how CloudCheckr accesses our Cornell AWS accounts to do the information gathering it does to provide its services to Cornell.

...

  1. Repeat the steps in Part 1B to find the Finding about "your" example-role-NETID Role.
  2. Drill into the finding details.
  3. Click on Rescan to tell Access Analyzer to re-evaluate the Finding and check whether the access still exists.
    • If the access remains unchanged, so will the Finding details.
    • If you have successfully deleted "your" example-role-NETID Role, or changed its trust policy so that it no longer trusts the bad-actor Role, the status of the Finding changes to (tick) Resolved.
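The check that Rescan performs on a role is whether any principal outside the account's zone of trust can still assume it. The following added example (not part of the original exercise, and not Access Analyzer's own code) performs that check locally on a trust policy and produces the hardened policy with the foreign principal removed. The account IDs, the bad-actor ARN and the trust policy itself are constructed for illustration.

```python
"""Check an IAM role trust policy the way Access Analyzer's Rescan does:
does any AWS principal outside our account still get sts:AssumeRole?
If so, build a copy of the policy with those principals removed.
Added example; account IDs, role ARNs and the policy are constructed."""
import json
import re

ACCOUNT_ID = "111111111111"                                   # our account (constructed)
BAD_ACTOR_ROLE = "arn:aws:iam::222222222222:role/bad-actor"   # foreign account (constructed)

# Constructed trust policy for example-role-NETID: trusts EC2 in our own
# account and, wrongly, the bad-actor Role in another account.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": "ec2.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": [BAD_ACTOR_ROLE,
                               f"arn:aws:iam::{ACCOUNT_ID}:root"]},
         "Action": "sts:AssumeRole"},
    ],
}

ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_account(p):
    """12-digit account that an AWS principal belongs to, '*' for the
    wildcard, or None if the value cannot be parsed."""
    if p == "*":
        return "*"
    m = ARN_ACCOUNT.match(p)
    if m:
        return m.group(1)
    return p if re.fullmatch(r"\d{12}", p) else None


def _aws_principals(stmt):
    """AWS principals of an Allow statement as a list (service principals
    live under the 'Service' key and are not cross-account, so skipped)."""
    principal = stmt.get("Principal")
    if stmt.get("Effect") != "Allow" or not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def external_principals(policy, account_id):
    """Principals that can assume the role but are not in account_id.
    A non-empty result is what keeps the Finding in the Active state."""
    return [p for stmt in policy.get("Statement", [])
            for p in _aws_principals(stmt)
            if principal_account(p) != account_id]


def remove_external_principals(policy, account_id):
    """Copy of the trust policy with every foreign AWS principal dropped.
    A statement left with no principal at all is removed entirely."""
    hardened = json.loads(json.dumps(policy))   # deep copy, leave input alone
    kept = []
    for stmt in hardened["Statement"]:
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            aws = [p for p in _aws_principals(stmt)
                   if principal_account(p) == account_id]
            if not aws:
                continue                          # would allow nobody: drop it
            principal["AWS"] = aws[0] if len(aws) == 1 else aws
        kept.append(stmt)
    hardened["Statement"] = kept
    return hardened


if __name__ == "__main__":
    print("external principals:", external_principals(TRUST_POLICY, ACCOUNT_ID))
    print(json.dumps(remove_external_principals(TRUST_POLICY, ACCOUNT_ID), indent=2))
```

Writing the hardened document to a file and applying it with `aws iam update-assume-role-policy --role-name example-role-NETID --policy-document file://trust.json`, then running `aws accessanalyzer start-resource-scan --analyzer-arn <analyzer ARN> --resource-arn <role ARN>`, is the CLI equivalent of the console Rescan button in step 3.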

Part 2 – Archive a Finding

...

In this exercise, you will use Access Analyzer to archive a finding that reports public access to an S3 bucket. Archiving records that the access has been reviewed once and approved; it does not change the bucket's permissions.

We have prepared the cu-training AWS account with S3 buckets named my-public-web-site-NETID, one bucket for each participant. We used these same publicly readable buckets in the AWS Config - Hands-on Exercise.

Part 2A – Log in and get to Access Analyzer

...

In this exercise scenario, we have decided that it is indeed our intention that my-public-web-site-NETID be publicly readable. Therefore we just need to tell Access Analyzer that this is intended access.

  1. Under Next steps, click on the Archive button.
    • The status of the Finding will turn to Archived. The bucket stays public; if its access later changes, Access Analyzer generates a new finding that will need its own review.
  2. If you wish, you can now navigate back to the main Access Analyzer page and click on the Archived tab to search for your S3 bucket and confirm that the related finding is indeed archived.
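The same decision can be made in code once the approved buckets are known, which is how you would handle more than one participant's bucket. The following added example (not part of the original exercise, and not Access Analyzer's own code) triages a list of findings shaped like `aws accessanalyzer list-findings` output: it archives only active public-access findings on approved buckets, builds the request body for `update-findings`, and builds an archive-rule filter so future findings on that one bucket are archived automatically. The analyzer ARN, bucket names and finding records are constructed.

```python
"""Triage Access Analyzer findings as Part 2 does by hand, for many buckets.
Added example; analyzer ARN, bucket names and findings are constructed to
match the shape of ListFindings output, not real data."""

ANALYZER_ARN = ("arn:aws:access-analyzer:us-east-1:111111111111:"
                "analyzer/cu-training")                      # constructed

# Buckets whose public readability has been reviewed and approved.
APPROVED_PUBLIC_BUCKETS = {"my-public-web-site-abc123"}      # constructed

# Constructed findings; field names follow the ListFindings response.
FINDINGS = [
    {"id": "f1", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::my-public-web-site-abc123",
     "isPublic": True, "principal": {"AWS": "*"},
     "action": ["s3:GetObject", "s3:ListBucket"], "status": "ACTIVE"},
    {"id": "f2", "resourceType": "AWS::S3::Bucket",
     "resource": "arn:aws:s3:::finance-exports",           # public, NOT approved
     "isPublic": True, "principal": {"AWS": "*"},
     "action": ["s3:GetObject"], "status": "ACTIVE"},
    {"id": "f3", "resourceType": "AWS::IAM::Role",
     "resource": "arn:aws:iam::111111111111:role/example-role-abc123",
     "isPublic": False,
     "principal": {"AWS": "arn:aws:iam::222222222222:role/bad-actor"},
     "action": ["sts:AssumeRole"], "status": "ACTIVE"},
    {"id": "f4", "resourceType": "AWS::S3::Bucket",       # already archived
     "resource": "arn:aws:s3:::my-public-web-site-abc123",
     "isPublic": True, "principal": {"AWS": "*"},
     "action": ["s3:GetObject"], "status": "ARCHIVED"},
]

S3_ARN_PREFIX = "arn:aws:s3:::"


def bucket_name(resource_arn):
    """Bucket name from an S3 bucket ARN, or None for any other ARN."""
    if resource_arn.startswith(S3_ARN_PREFIX):
        return resource_arn[len(S3_ARN_PREFIX):]
    return None


def archive_candidates(findings, approved_buckets):
    """Split active findings into (archive, review).

    Only public-access findings on buckets that were explicitly approved
    are archived. Public access anywhere else, and any cross-account
    trust on a role, still needs a human decision (archive or remediate)."""
    archive, review = [], []
    for f in findings:
        if f["status"] != "ACTIVE":
            continue                      # already archived or resolved
        name = (bucket_name(f["resource"])
                if f["resourceType"] == "AWS::S3::Bucket" else None)
        if f.get("isPublic") and name in approved_buckets:
            archive.append(f["id"])
        else:
            review.append(f["id"])
    return archive, review


def update_findings_request(analyzer_arn, finding_ids):
    """Request body for `aws accessanalyzer update-findings`."""
    return {"analyzerArn": analyzer_arn,
            "ids": list(finding_ids),
            "status": "ARCHIVED"}


def archive_rule_filter(bucket):
    """Filter for `aws accessanalyzer create-archive-rule`.

    Match the full bucket ARN with eq rather than a name prefix with
    contains, so a look-alike bucket created later is not auto-archived."""
    return {"resource": {"eq": [f"{S3_ARN_PREFIX}{bucket}"]},
            "isPublic": {"eq": ["true"]}}


if __name__ == "__main__":
    to_archive, to_review = archive_candidates(FINDINGS, APPROVED_PUBLIC_BUCKETS)
    print("archive:", update_findings_request(ANALYZER_ARN, to_archive))
    print("still need review:", to_review)
    for b in APPROVED_PUBLIC_BUCKETS:
        print("archive rule filter:", archive_rule_filter(b))
```

The role finding f3 deliberately lands in the review list: as Part 1 showed, the right action for unintended cross-account trust is to fix the trust policy and rescan, not to archive the finding.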

...