IAMLive: A Guide to Creating Cloud Access Policies

As your network expands, so does the number of identities accessing your resources. Each permission given to these identities carries a security risk that attackers are eager to exploit - and even the slightest mistake can lead to irreversible financial and reputational damage.

Nearly 90% of financial organizations have been impacted by data breaches, with 60% of those incidents involving identity theft. You can’t keep an open-door policy when it comes to access controls. Strong access policies can help prevent identity-related breaches by defining when, what, and who can interact with critical resources.

Policy automation tools like IAMLive make it easy to build out policies that are accurate and restrictive, introducing a level of efficiency that is difficult to achieve manually. But policy creation isn’t the last stop of the train - your IAM journey is just beginning.

What is IAMLive?

IAMLive is an IAM policy generator developed to automate the creation and management of IAM policies. It supports AWS, Azure, and Google Cloud and helps developers follow the principle of least privilege - the cornerstone of any Identity and Access Management strategy.

Tools like IAMLive have become increasingly needed as attacks related to identity theft and unauthorized access reach all-time highs. It’s common to hear about phishing attacks, Man-in-the-Middle (MitM), and credential stuffing online - but there’s a broader web of threats that can start from gaps in identity security.

IAMLive operates in two modes: Client Side Monitoring (CSM) mode and Proxy mode. These modes determine how the tool intercepts and analyzes cloud service calls to generate the required IAM policies.

Client Side Monitoring (CSM) Mode

CSM mode is the default mode for AWS IAM policies. IAMLive reads the client-side monitoring metrics the AWS CLI and SDKs deliver locally over UDP and captures policy statements with only the Action key. This means you'll only get the "Action": "ec2:RunInstances" ... part of the IAM policy, and no Resource ARNs. This mode is only available for AWS and is ideal for capturing AWS API calls made by the AWS CLI or various AWS SDKs.

How to enable CSM Mode:

  • AWS CLI: You can use the --set-ini option or add csm_enabled = true to the relevant profile in .aws/config.

  • AWS SDKs: You need to set the environment variables before starting the application:

    AWS_CSM_ENABLED=true
    AWS_CSM_PORT=31000
    AWS_CSM_HOST=127.0.0.1

Proxy Mode

On the other hand, proxy mode serves a local HTTP(S) server (by default at http://127.0.0.1:10080) that inspects requests sent to AWS endpoints before forwarding them. The CA key/certificate pair will be automatically generated and stored within ~/.iamlive/ by default.

How to enable Proxy Mode:

  • AWS CLI: You can use the --set-ini option or add ca_bundle = ~/.iamlive/ca.pem to the relevant profile in .aws/config.

  • AWS SDKs: You need to set the environment variables before starting the application:

    export HTTP_PROXY=http://127.0.0.1:10080
    export HTTPS_PROXY=http://127.0.0.1:10080
    export AWS_CA_BUNDLE=~/.iamlive/ca.pem

You can find more details on these configurations in the official documentation.

Using IAMLive to Create Cloud Access Policies

Step #1 - Installation

There are multiple ways to install IAMLive into your local environment.

  • Pre-built binaries: You can download pre-built binaries for Windows, macOS, and Linux on the project releases page. Then, place the extracted binary in your $PATH. (For macOS users, you may need to allow the application to run via System Preferences.)

  • Build with Go: Clone the repository and run the go install command. You must have Go 1.16 or later installed.

  • Homebrew: Run the brew install iann0036/iamlive/iamlive command.

  • Lambda Extension (AWS only).

  • Docker

Step #2 - Starting the server

Run the iamlive command to start the server in a separate window from your CLI / SDK application. IAMLive provides a set of CLI arguments that you can use to customize its behavior based on your specific use case.

For example, by default, IAMLive will be configured for AWS. If you want to change it, you need to define the provider using the --provider flag as shown below:

iamlive --provider azure

Here are a few more critical CLI arguments you should keep in mind when using IAMLive:

  • --profile: The user profile that --set-ini writes to. The default value is default, and the flag is only available for AWS.

  • --host: The host address to listen on for CSM. The default value is 127.0.0.1.

  • --mode: The listening mode (csm,proxy). The default value is csm for AWS and proxy for other providers.

  • --account-id: The AWS account ID used in policy outputs within the proxy mode. The default value is 123456789012 and is only applicable for AWS.

  • --sort-alphabetical: Used to sort actions alphabetically. The default value is false for AWS and true for other providers.

Step #3 - Generating policies

Now, keep the IAMLive server running and open a new terminal window. Then, all you need to do is execute the aws CLI commands in the new window. IAMLive will intercept those calls and generate a policy with the permissions those commands require. For example, the aws s3 ls command will create a policy with the s3:ListAllMyBuckets permission:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    }
  ]
}

If you need more permissions, execute the relevant AWS CLI command while IAMLive is still running. For example, the command below extends the above policy with the s3:CreateBucket permission (aws s3 mb expects an S3 URI, so the bucket name is given with the s3:// prefix):

aws s3 mb s3://<bucket-name>

You can find more details on AWS CLI commands in the AWS CLI command reference.
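Because IAMLive only ever widens the captured policy as you run more commands, a reviewer still has to scope the result. The following Python is an added example, not code from the article or the IAMLive project: it unions the policies captured after successive commands (the article's aws s3 ls capture followed by aws s3 mb) and flags what still needs a human decision: grants on Resource "*", which is all CSM mode can emit since it captures only the Action key, and proxy-mode ARNs that still contain the default --account-id placeholder 123456789012. The second capture is a constructed sample shaped like proxy-mode output.

```python
import json

# IAMLive's default --account-id; proxy-mode ARNs carry it until you override the flag.
PLACEHOLDER_ACCOUNT = "123456789012"

# Constructed sample: the policy the article shows IAMLive emitting after `aws s3 ls`.
CAPTURE_LS = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"}]}''')

# Constructed sample shaped like a proxy-mode capture after `aws s3 mb` and an EC2
# RunInstances call; the EC2 ARN still holds the placeholder account id.
CAPTURE_MB_EC2 = json.loads('''{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:ListAllMyBuckets"], "Resource": "*"},
  {"Effect": "Allow", "Action": "ec2:RunInstances",
   "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*"}]}''')

def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def merge_captures(*captures):
    """Union the Allow statements of several captures into one policy, grouping
    actions per Resource, de-duplicating and sorting them (like --sort-alphabetical)."""
    by_resource = {}
    for capture in captures:
        for stmt in capture["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            key = tuple(_as_list(stmt["Resource"]))
            by_resource.setdefault(key, set()).update(_as_list(stmt["Action"]))
    statements = [{"Effect": "Allow", "Action": sorted(actions),
                   "Resource": list(res) if len(res) > 1 else res[0]}
                  for res, actions in sorted(by_resource.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def review_findings(policy):
    """Return (action, reason) pairs a reviewer must scope before the policy ships:
    grants on Resource "*" and ARNs that still contain the placeholder account id."""
    findings = []
    for stmt in policy["Statement"]:
        for resource in _as_list(stmt["Resource"]):
            if resource == "*":
                reason = "granted on every resource (Resource is '*')"
            elif PLACEHOLDER_ACCOUNT in resource:
                reason = "ARN still contains IAMLive's placeholder account id"
            else:
                continue
            findings.extend((action, reason) for action in _as_list(stmt["Action"]))
    return findings
```

Run merge_captures over the JSON IAMLive printed after each command, then treat every review_findings entry as a statement to narrow to concrete ARNs before the policy is attached to an identity.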

Limitations of IAMLive

While IAMLive is a helpful tool in automating IAM policy generation, it comes with certain limitations that may impact its long-term viability for businesses with a growing number of identities. For example:

Unofficial mappings

IAMLive's reliance on an unofficial mapping from SDK calls to IAM actions can cause inaccuracies in IAM policy generation. If IAM policies do not reflect user needs, they will cause friction in day-to-day operations as identities must request frequent permission updates. Also, flawed policies can open up new access control gaps that attackers can exploit.

Permission discovery issues

As the above example shows, you must exercise each permission by running the corresponding AWS CLI command before it appears in the generated policy. This process can be tedious if done manually, particularly for larger companies with many identities.

Developer experience

IAMLive is mainly intended to be used in a separate terminal window from the application it is monitoring. This can disrupt the development workflow and increase the complexity of managing access policies.

Furthermore, IAMLive lacks key features crucial for effective access policy management. For instance, it doesn’t enable you to create custom IAM policies based on permissions, and you can't monitor the activity of your identities post-policy implementation. Getting complete visibility over your identities’ activity once your software and policies have been deployed is crucial to establishing continuous security. Your team (or the tool you are using) should always be on the lookout for suspicious actions.

Elevate Your IAM Policy Management with Slauth

Given the limitations above, IAMLive is a good starting tool for IAM policy generation, but only a short-term solution for companies with many identities. You may need a more comprehensive tool to ensure your identity management process is ready to deliver at any scale.

IAM automation tools like Slauth enable you to create accurate and secure policies from the get-go. By tracking the real-time API calls of machine identities from end-to-end tests to AWS, Slauth automatically codifies this activity into policies that align with your identities’ needs. Such policies are generated based on the Least Privilege principle to ensure tighter security. When your development team pushes your software into production, they get all the suggested policies for review.

But policy creation is just the beginning. You need a tool that enables you to continuously monitor your identities’ activity so you can spot suspicious behavior and implement the right mitigation processes at the right time. This will also help you comply with critical regulations that require an overview of your IAM plan to ensure data protection. Slauth provides 360-degree observability into your identities’ logs, which are placed throughout the SDLC. Learn how to enhance your cloud identity management strategy.