
Feature requests: flag principals with the permission policy "ReadOnlyAccess" #1577

Open
rdegraaf opened this issue Oct 12, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@rdegraaf

Is your feature request related to a problem? Please describe.

Use of the AWS-managed permission policy "ReadOnlyAccess" is not necessarily a problem: it has completely valid uses. However, many administrators don't fully appreciate what it can do and give it out too freely. A principal with ReadOnlyAccess can read nearly everything in an account. This includes the ability to:

  • Get configuration for just about everything.
  • Read anything from any S3 Bucket (s3:GetObject, s3:GetObjectVersion, s3:GetObjectTorrent).
  • Read anything from any DynamoDB table (dynamodb:GetItem, dynamodb:BatchGetItem).
  • Read query logs from RDS (rds:DownloadCompleteDBLogFile, rds:DownloadDBLogFilePortion).
  • Retrieve EC2 Instance metadata, including user data (ec2:DescribeInstanceAttribute).
  • Read system console output from running EC2 Instances (ec2:GetConsoleOutput).
  • Take screen captures from running EC2 Instances (ec2:GetConsoleScreenshot).
  • Retrieve encrypted administrator passwords for EC2 Instances running Windows (ec2:GetPasswordData).
  • Retrieve environment variables for Lambda Functions (lambda:GetFunction, lambda:GetFunctionConfiguration).
  • Read Lambda Function source code (lambda:GetFunction, lambda:GetLayerVersion).
  • Retrieve parameters from SSM Parameter Stores (ssm:GetParameter, ssm:GetParameters, ssm:GetParameterHistory).

Notably, ReadOnlyAccess does not include the ability to read Secrets from Secrets Manager. However, we all know that secrets are often found in inappropriate places like source code, S3 objects, Lambda Function environment variables, SSM Parameter Stores, and EC2 Instance user data, all of which are accessible using ReadOnlyAccess.

Some administrators combine ReadOnlyAccess with Deny statements to prevent principals from reading certain sensitive data. However, these deny-lists often have problems, as discussed in #1576.

Describe the solution you'd like

ScoutSuite should flag principals with the permission policy ReadOnlyAccess attached so that a reviewer can verify that they are appropriate given the account's access control regime and requirements.

@rdegraaf rdegraaf added the enhancement New feature or request label Oct 12, 2023
@issabayevmk

Can someone assign this issue to me, I would like to contribute

@rdegraaf (Author)

@issabayevmk I don't have permission to assign issues, but you don't need it to be assigned to contribute -- you can fork the repository into your own account, make the changes there, and submit a merge request. I do have ways to poke the lead devs once your MR is ready.

With you having declared your interest here, it's safe to say that no one else will attempt to start on this issue any time soon.

@issabayevmk

PR is here #1638
