Ermetic has created a free open source application for handling AccessDenied Events in Amazon Web Services (AWS) that automates the time-consuming troubleshooting and modification of cloud access policies.
Access Undenied on AWS examines AWS CloudTrail AccessDenied events, scans the environment for causes and explanations, and provides actionable least-privilege remediation recommendations. Noam Dahan, Ermetic’s research lead, leads the project.
“Even if you know the policy type causing ‘access denied’, which isn’t always the case, you still need to find the policy and the statement inside the policy causing the denial, and replace it with a least-privilege alternative,” said Noam Dahan. “Basically, you give the Access Undenied on AWS tool a CloudTrail event with an ‘Access Denied’ outcome, and it will tell you how to fix it!”
Access Undenied on AWS handles some of the most difficult Access Denied issues that DevOps and security teams face on a regular basis, such as:
- Some AccessDenied messages remain vague. For S3, IAM, STS, CloudWatch, EFS, DynamoDB, Redshift, OpenSearch and ACM, some or all of the messages lack detail.
- When the reason for the AccessDenied is an explicit deny, users may have difficulty tracking down the precise policy and statement that produced it. It is especially difficult to discover and review every policy in the organisation that applies to the account when the cause is an explicit deny in a service control policy (SCP).
- Even when the issue is simply a missing allow statement, writing a least-privilege policy that permits the needed access without granting excessive rights can be difficult.
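As an added illustration of the workflow the article describes (this is not Ermetic's code and not how Access Undenied on AWS is implemented), the Python below classifies a CloudTrail AccessDenied record as an explicit deny or a missing allow, recovers the action and resource ARN from the record even when the error message is the terse S3 form, and for a missing allow emits an Allow statement scoped to exactly that action and resource. The sample records, ARNs, account ID and the `SERVICE_PREFIX` map are constructed assumptions.

```python
import re

SAMPLE_EVENTS = [  # constructed records: ARNs, account ID and messages are made up
    {   # explicit deny: the message names the policy type, as the article notes
        "eventSource": "sqs.amazonaws.com", "eventName": "SendMessage",
        "errorCode": "AccessDenied",
        "errorMessage": "User: arn:aws:iam::123456789012:user/alice is not "
                        "authorized to perform: sqs:SendMessage on resource: "
                        "arn:aws:sqs:us-east-1:123456789012:orders with an "
                        "explicit deny in a service control policy",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
        "resources": [{"ARN": "arn:aws:sqs:us-east-1:123456789012:orders"}],
    },
    {   # the terse S3 form: no reason, action or resource in the message
        "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
        "errorCode": "AccessDenied", "errorMessage": "Access Denied",
        "userIdentity": {"arn": "arn:aws:iam::123456789012:role/app"},
        "requestParameters": {"bucketName": "reports", "key": "2022/q1.csv"},
    },
]
SERVICE_PREFIX = {"s3.amazonaws.com": "s3", "sqs.amazonaws.com": "sqs"}  # assumption

def iam_action(event):
    return f"{SERVICE_PREFIX[event['eventSource']]}:{event['eventName']}"

def resource_arn(event):
    # Prefer the record's resources list; S3 records often only carry request params.
    if event.get("resources"):
        return event["resources"][0]["ARN"]
    params = event.get("requestParameters", {})
    if event["eventSource"] == "s3.amazonaws.com" and "bucketName" in params:
        arn = f"arn:aws:s3:::{params['bucketName']}"
        return f"{arn}/{params['key']}" if "key" in params else arn
    return "*"  # unknown: a human must narrow this before the policy ships

def classify(event):
    # Explicit-deny messages name the policy type; anything else is treated as a missing allow.
    match = re.search(r"explicit deny in (?:an? )?(.+)$", event.get("errorMessage", ""))
    return ("explicit_deny", match.group(1).strip()) if match else ("missing_allow", None)

def remediation(event):
    kind, policy_type = classify(event)
    action, arn = iam_action(event), resource_arn(event)
    if kind == "explicit_deny":
        return {"cause": f"explicit deny in {policy_type}", "action": action,
                "resource": arn, "next_step": "locate and narrow that Deny statement"}
    # Missing allow: grant exactly the denied action on exactly the denied resource.
    return {"cause": "missing allow", "principal": event["userIdentity"]["arn"],
            "policy": {"Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": [action], "Resource": [arn]}]}}
```

A real tool would also have to walk the SCPs, permission boundaries and resource policies that apply to the principal, which the message alone does not reveal.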
Access Undenied on AWS is now available and supports policies for a variety of resources and condition keys. This open source project also welcomes community contributions in the form of new issues in the repository.