Auto-generate secure IAM policies for AWS and GCP by scanning your code repo

Hello, we're Daniel and Bruno from Slauth.io, and we're thrilled to introduce an awesome solution that automates the generation of secure IAM policies by scanning your code. Development teams rely on us to automate IAM policy creation (saving about 1 hour of manual IAM policy writing) and to minimize the deployment of overly permissive policies (aka wildcards, wink wink).

(Video: Slauth.io CLI in your CI/CD)

Solving the Over-Permissiveness Dilemma

Our journey with IAM Policy Copilot began when numerous CISOs highlighted a persistent issue – despite the visibility provided by security platforms like Wiz.io, Tenable, and AWS Access Analyzer, the prevalence of over-permissive policies remained unchanged. After interviewing hundreds of developers and DevOps professionals, we discovered two key pain points:

  1. IAM is a Hassle: Developers despise dealing with IAM intricacies.

  2. Speed vs. Security: IAM was slowing them down in deploying quality code swiftly.

Interestingly, developers admitted to spending valuable time manually crafting IAM policies. That's when the idea struck us – why not automate this process?

Our vision is to seamlessly manage the creation of secure "least-privilege" policies, making it as inherent as deploying with serverless configurations.

(Source: Strong DM)

How It Works

We employ Large Language Models (currently OpenAI GPT-4) to scan code in any language. Through a series of prompts, we identify the service calls and the actions they require, and offer a dropdown list of available resource names fetched from your AWS environment. If you prefer not to connect to AWS, a placeholder is emitted wherever the resource name does not appear in the code.
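To make the "service call, action, resource or placeholder" pipeline concrete, here is an added example that is not Slauth.io's code and does not use the LLM prompts described above: it walks the Python AST of a boto3 handler deterministically, maps each client method to an IAM action using the snake_case-to-PascalCase rule that boto3 follows for API operation names, and turns the call's resource argument into an ARN when it is a string literal or into a placeholder otherwise. The sample handler, the `RESOURCE_KEYWORD` table, the `<REGION>`/`<ACCOUNT_ID>` markers and the placeholder naming are all assumptions made for this illustration.

```python
import ast
from collections import defaultdict

# Constructed sample source (not from the page): a handler using boto3 clients.
SAMPLE_SOURCE = '''
import boto3

s3 = boto3.client("s3")
ddb = boto3.client("dynamodb")
sqs = boto3.client("sqs")

def handler(event, context):
    body = event["body"]
    s3.put_object(Bucket="reports-bucket", Key="out.json", Body=body)
    s3.get_bucket_acl(Bucket=event["bucket"])   # bucket known only at runtime
    ddb.put_item(TableName="orders", Item={"id": {"S": "1"}})
    sqs.send_message(QueueUrl=event["queue"], MessageBody=body)
'''

# Assumed table: which call keyword names the resource for each service, and the
# ARN shape a literal value maps to. <REGION>/<ACCOUNT_ID> must be pinned before use.
RESOURCE_KEYWORD = {
    "s3": ("Bucket", "arn:aws:s3:::{}"),
    "dynamodb": ("TableName", "arn:aws:dynamodb:<REGION>:<ACCOUNT_ID>:table/{}"),
    "sqs": ("QueueUrl", None),  # queue URL -> ARN conversion left to the reviewer
}


def method_to_action(service, method):
    # boto3 method names are snake_case forms of the API operation, which is
    # usually (not always: list_objects_v2 needs s3:ListBucket) the IAM action.
    return f"{service}:{''.join(part.capitalize() for part in method.split('_'))}"


def find_clients(tree):
    """Map variable names to the service string passed to boto3.client(...)."""
    clients = {}
    for node in ast.walk(tree):
        if not isinstance(node, ast.Assign) or not isinstance(node.value, ast.Call):
            continue
        call = node.value
        if (isinstance(call.func, ast.Attribute) and call.func.attr == "client"
                and isinstance(call.func.value, ast.Name) and call.func.value.id == "boto3"
                and call.args and isinstance(call.args[0], ast.Constant)):
            for target in node.targets:
                if isinstance(target, ast.Name):
                    clients[target.id] = call.args[0].value
    return clients


def resource_for(service, call):
    """ARN for a literal resource argument, otherwise a placeholder (never '*')."""
    key, template = RESOURCE_KEYWORD.get(service, ("Resource", None))
    literal = next((kw.value.value for kw in call.keywords
                    if kw.arg == key and isinstance(kw.value, ast.Constant)), None)
    if literal is None or template is None:
        return f"<{service.upper()}_{key.upper()}_PLACEHOLDER>"
    arn = template.format(literal)
    # An S3 call that names a Key is object-level, so the statement must cover
    # objects (bucket/*), while bucket-level calls keep the bare bucket ARN.
    if service == "s3" and any(kw.arg == "Key" for kw in call.keywords):
        arn += "/*"
    return arn


def scan_source(source):
    """Return one policy document per service, in the same layout as the page's output."""
    tree = ast.parse(source)
    clients = find_clients(tree)
    actions, resources = defaultdict(set), defaultdict(set)
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id in clients):
            continue
        service = clients[node.func.value.id]
        actions[service].add(method_to_action(service, node.func.attr))
        resources[service].add(resource_for(service, node))
    return [
        {
            "Version": "2012-10-17",
            "Id": f"{service}Policy",
            "Statement": [{
                "Sid": f"{service}Permissions",
                "Effect": "Allow",
                "Action": sorted(actions[service]),
                "Resource": sorted(resources[service]),
            }],
        }
        for service in sorted(actions)
    ]


if __name__ == "__main__":
    import json
    print(json.dumps(scan_source(SAMPLE_SOURCE), indent=2))
```

The deliberate design point is that an unresolvable resource becomes a placeholder a reviewer must fill in, not a `*`: the generated document fails closed until someone names the bucket, table or queue. The method-to-action rule is only a heuristic; a production tool needs the IAM Service Authorization Reference to handle operations whose action name differs from the API call.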

(Example of an auto-generated policy)

Detected Policies:
[
  {
    "Version": "2012-10-17",
    "Id": "S3Policy",
    "Statement": [
      {
        "Sid": "S3Permissions",
        "Effect": "Allow",
        "Action": [
          "s3:PutObject",
          "s3:GetBucketAcl"
        ],
        "Resource": [
          "<S3_BUCKET_PLACEHOLDER>",
          "<S3_BUCKET_1_PLACEHOLDER>",
          "arn:aws:s3:::my_bucket_2/*"
        ]
      }
    ]
  },
  {
    "Version": "2012-10-17",
    "Id": "DynamoDBPolicy",
    "Statement": [
      {
        "Sid": "DynamoDBPermissions",
        "Effect": "Allow",
        "Action": [
          "dynamodb:PutItem"
        ],
        "Resource": [
          "<DYNAMODB_TABLE_PLACEHOLDER>"
        ]
      }
    ]
  },
  {
    "Version": "2012-10-17",
    "Id": "SQSPolicy",
    "Statement": [
      {
        "Sid": "SQSPermissions",
        "Effect": "Allow",
        "Action": [
          "sqs:SendMessage"
        ],
        "Resource": [
          "<SQS_QUEUE_URL_PLACEHOLDER>"
        ]
      }
    ]
  }
]

Addressing Common Questions

Despite positive feedback from cloud engineers, we often encounter three recurring questions:

  1. Security Concerns: How can I trust Slauth.io to access my source code?

  2. Policy Accuracy: How can I trust Slauth.io creates the right policies?

  3. Differentiation: How are you different from IAMLive, IAMBic, Access Analyzer, Policy Sentry, or Wiz.io?

Trusting Slauth.io

To address the first concern, we don't access your code directly. Instead, we offer a CLI that integrates into your CI/CD pipeline, allowing local code scanning. Slauth.io uses your OpenAI key to convert the code into a secure policy, with the option to output results to stdout or a file for artefact upload and download.

Policy Accuracy Assurance

We aim to implement features like the AWS policy simulator, plain English explanations of service intent, and recommendations to test policies in pre-production environments to build confidence in the generated policies.
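A pre-deployment check is the cheapest of those confidence measures, so here is an added example (not Slauth.io's code, and not the AWS policy simulator) of a small linter a CI step could run over the generated JSON before it is applied. It flags wildcard actions and resources, placeholders that were never filled in, `NotAction`/`NotResource` negations, and S3 statements whose action and ARN are at different levels: bucket-level actions such as `s3:GetBucketAcl` only match a bare bucket ARN, and object-level actions such as `s3:PutObject` only match `bucket/key` or `bucket/*`, so a mismatched pair never grants anything and usually ends up "fixed" by a wildcard. The sample policy below is constructed in the shape of the S3 example above, and the action-level sets are a hand-written subset, not the authoritative list.

```python
import re

# Constructed input (not from the page): same shape as the S3 example above,
# one resolved object ARN plus an unfilled placeholder.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Id": "S3Policy",
    "Statement": [{
        "Sid": "S3Permissions",
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetBucketAcl"],
        "Resource": ["<S3_BUCKET_PLACEHOLDER>", "arn:aws:s3:::my_bucket_2/*"],
    }],
}

# Hand-written subset of S3 actions by the ARN level they apply to; the
# authoritative source is the IAM Service Authorization Reference.
S3_BUCKET_LEVEL = {"s3:GetBucketAcl", "s3:PutBucketAcl", "s3:ListBucket",
                   "s3:GetBucketPolicy", "s3:PutBucketPolicy"}
S3_OBJECT_LEVEL = {"s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl"}
PLACEHOLDER = re.compile(r"<[A-Z0-9_]+>")
S3_PREFIX = "arn:aws:s3:::"


def as_list(value):
    # IAM accepts a bare string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return (sid, code, message) findings; an empty list means nothing to block on."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((sid, "NEGATION", f"{key} allows everything except the listed items"))
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, "WILDCARD_ACTION", action))
        for res in resources:
            if res == "*":
                findings.append((sid, "WILDCARD_RESOURCE", res))
            elif PLACEHOLDER.search(res):
                findings.append((sid, "UNRESOLVED_PLACEHOLDER", res))
        # Level mismatch: bucket actions need the bucket ARN, object actions need
        # bucket/key or bucket/*; a mismatched pair silently never matches.
        for action in actions:
            for res in resources:
                if not res.startswith(S3_PREFIX) or PLACEHOLDER.search(res):
                    continue
                is_object_arn = "/" in res[len(S3_PREFIX):]
                if action in S3_BUCKET_LEVEL and is_object_arn:
                    findings.append((sid, "S3_LEVEL_MISMATCH", f"{action} on object ARN {res}"))
                elif action in S3_OBJECT_LEVEL and not is_object_arn:
                    findings.append((sid, "S3_LEVEL_MISMATCH", f"{action} on bucket ARN {res}"))
    return findings


if __name__ == "__main__":
    for sid, code, message in lint_policy(GENERATED_POLICY):
        print(f"[{code}] {sid}: {message}")
```

Run against the constructed policy, the linter reports the unfilled `<S3_BUCKET_PLACEHOLDER>` and the `s3:GetBucketAcl` on `my_bucket_2/*` pairing; the natural remediation is to split the statement so the object action names `bucket/*` and the bucket action names the bare bucket ARN. A CI job would fail the build on any finding, which turns "test policies in pre-production" into a gate rather than a recommendation.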

Differentiation

Compared to competitors, our distinctive approach focuses on managing the entire IAM lifecycle, from creation to post-deployment versioning. Unlike tools with a reactive approach, Slauth.io auto-generates policies during CI/CD, ensuring a proactive stance.

We were inspired by IAMLive, IAMBic, and Policy Sentry, but our key differentiator lies in relieving developers of the burden of explicitly expressing policy intent. While some are capable of doing that quickly, we know it is often draining, impedes engineering velocity, and is just not secure by design. Why not allow yourself to focus on developing the service and use a tool to auto-generate the access policy based on the code you wrote?

IAM may be a heated topic, but we believe our tool can alleviate many concerns and foster better collaboration between developers, DevOps, and security engineers. While it may not cover every case, our goal is to address the majority and expand to cover more edge cases.

We're excited to engage with the open-source community! We look forward to your thoughts and feedback in the comments or on our GitHub project: https://github.com/slauth-io/slauth-cli