Access Undenied will take a CloudTrail event with an 'Access Denied' outcome and tell you how to fix it.

Administrators befuddled by AWS access-denied messages will welcome a new open-source tool announced Thursday by cloud infrastructure security company Ermetic. The Access Undenied tool analyzes AWS CloudTrail AccessDenied events, scanning the environment to identify and explain the reason for each denial and to offer actionable, least-privilege remediation suggestions.

“AWS access management is a highly complex system,” Ermetic Research Lead Noam Dahan explained in an interview. “It has a lot of moving parts, a lot of policies. Plus every piece of information is complex, as well. That can make questions about ‘why can’t I access this’ incredibly complicated.”

Access Undenied makes troubleshooting easier for builders

Those complications are made worse by error messages that are opaque by design: AWS does not want to tell an unprivileged caller exactly which policy blocked its request, for example a service control policy, or what that policy contains. A balance is needed between easy troubleshooting for builders and opacity to attackers.

Access Undenied makes troubleshooting easier for builders. It analyzes AWS “access denied” events and offers actionable remediation steps to facilitate access. The user fully controls the permissions it runs with and the actions it takes, and it sends no data to anyone. It can be run from the command line on a local machine against a single event or a batch of events, or deployed as a Lambda function that receives an event and returns the reason access was denied.
How security and DevOps teams can use Access Undenied

The open-source tool tackles some of the peskiest Access Denied challenges encountered by DevOps and security teams, including:

- Lack of detail in the denial messages generated by services such as S3, IAM, STS, CloudWatch, EFS, DynamoDB, Redshift, OpenSearch, and ACM.
- Tracking down the specific policy and statement responsible for an explicit deny, which can come from any policy type, including a service control policy.
- Writing a least-privilege allow statement, rather than an over-broad one, when the cause is a missing allow.

“Even if you know the policy type causing ‘access denied’, which isn’t always the case, you still need to find the policy and the statement inside the policy causing the denial and replace it with a least-privilege alternative,” Dahan said in a news release. “Basically, you give the Access Undenied on AWS tool a CloudTrail event with an ‘Access Denied’ outcome, and it will tell you how to fix it.”

Access Undenied on AWS supports policies for many resources and some of the most common condition keys. The project also solicits community input through issues filed in its repository.

Dahan hopes Ermetic’s new open-source tool will encourage greater use of least-privilege access. “We want people to become interested in least-privilege and facilitating usability in their environments without opening them up excessively,” he said.
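To make the two hard cases above concrete (naming the exact policy and statement behind an explicit deny, and proposing a tightly scoped allow when the cause is a missing allow), here is a small Python triage script written for this page. It is not Access Undenied's own code and it never calls AWS: the CloudTrail record, the role's identity policy and the account's SCPs are all constructed samples embedded inline, and the evaluator is deliberately simplified (identity policies and SCPs only; no resource policies, permission boundaries, Condition, NotAction or NotResource). The function and variable names are this example's own.

```python
"""Triage a CloudTrail AccessDenied record against local copies of the policies that
applied, modelled on what a tool like Access Undenied does.  Written for this page,
not taken from the project; it never calls AWS, and the event and policies below are
constructed samples.  Simplified: identity policies and SCPs only; no resource
policies, permission boundaries, Condition, NotAction or NotResource."""
import fnmatch
import json

# Constructed CloudTrail data event: role app-role was denied s3:GetObject.
SAMPLE_EVENT = json.loads("""{
  "eventVersion": "1.08",
  "userIdentity": {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/app-role/build-42",
    "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::123456789012:role/app-role"}}
  },
  "eventSource": "s3.amazonaws.com",
  "eventName": "GetObject",
  "errorCode": "AccessDenied",
  "errorMessage": "Access Denied",
  "resources": [{"type": "AWS::S3::Object", "ARN": "arn:aws:s3:::example-bucket/reports/q1.csv"}]
}""")

# Constructed policies: what app-role carries, and the SCPs on its account.
IDENTITY_POLICIES = {
    "app-role-inline": {"Statement": [
        {"Sid": "ReadLogs", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::logs-bucket/*"}]}}
FULL_AWS_ACCESS = {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SCPS = {
    "FullAWSAccess": FULL_AWS_ACCESS,
    "DenyExampleBucket": {"Statement": [
        {"Sid": "DenyAllS3OnExampleBucket", "Effect": "Deny", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"}]}}


def event_to_request(event):
    """Reduce a CloudTrail record to the principal/action/resource triple IAM evaluated."""
    ident = event["userIdentity"]
    # For assumed roles the policies live on the role, not on the session ARN.
    principal = (ident["sessionContext"]["sessionIssuer"]["arn"]
                 if ident["type"] == "AssumedRole" else ident["arn"])
    service = event["eventSource"].split(".")[0]          # "s3.amazonaws.com" -> "s3"
    arns = [r["ARN"] for r in event.get("resources", []) if "ARN" in r]
    return {"principal": principal, "action": f"{service}:{event['eventName']}",
            "resource": arns[0] if arns else "*"}        # "*" when CloudTrail logged no ARN


def _as_list(x):
    return x if isinstance(x, list) else [x]


def _match(pattern, value, fold_case=False):
    """IAM wildcard match: '*' matches any run (including '/'), '?' one character."""
    if fold_case:                                         # action names are case-insensitive
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def statement_applies(stmt, action, resource):
    return (any(_match(a, action, True) for a in _as_list(stmt.get("Action", [])))
            and any(_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))))


def explain_denial(request, identity_policies, scps):
    """Name the policy and statement behind a denial, or the least-privilege allow to add."""
    action, resource = request["action"], request["resource"]
    # 1. An explicit Deny anywhere wins; report the exact policy and Sid.
    for policy_type, policies in (("SCP", scps), ("identity", identity_policies)):
        for name, doc in policies.items():
            for stmt in doc["Statement"]:
                if stmt.get("Effect") == "Deny" and statement_applies(stmt, action, resource):
                    return {"reason": "explicit_deny", "policy_type": policy_type,
                            "policy": name, "sid": stmt.get("Sid"),
                            "fix": f"narrow or remove statement {stmt.get('Sid')!r} in {name}"}
    # 2. SCPs must also Allow; a missing SCP allow is a distinct, often invisible cause.
    if not any(stmt.get("Effect") == "Allow" and statement_applies(stmt, action, resource)
               for doc in scps.values() for stmt in doc["Statement"]):
        return {"reason": "scp_missing_allow",
                "fix": f"an SCP on the account must allow {action} on {resource}"}
    # 3. Any identity Allow?  If so, the cause lies outside this simplified model.
    for doc in identity_policies.values():
        for stmt in doc["Statement"]:
            if stmt.get("Effect") == "Allow" and statement_applies(stmt, action, resource):
                return {"reason": "unexplained",
                        "fix": "allowed by this model; check conditions, resource "
                               "policies and permission boundaries"}
    # 4. No Allow at all: propose a statement scoped to exactly what was attempted.
    return {"reason": "missing_allow", "principal": request["principal"],
            "suggested_statement": {"Effect": "Allow", "Action": action, "Resource": resource}}


def triage(event, identity_policies, scps):
    """Entry point: a CloudTrail record in, a finding like Access Undenied's out."""
    if event.get("errorCode") not in ("AccessDenied", "Client.UnauthorizedOperation"):
        return {"reason": "not_a_denial"}
    return explain_denial(event_to_request(event), identity_policies, scps)


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENT, IDENTITY_POLICIES, SCPS), indent=2))
```

With the sample data the finding is an explicit deny from SCP DenyExampleBucket, statement DenyAllS3OnExampleBucket, which is exactly the information the raw "Access Denied" message withholds from the caller. Drop that SCP and the same event yields a missing-allow finding whose suggested statement grants only s3:GetObject on the one object that was requested, rather than the s3:* on * a hurried builder might reach for. Note that the evaluator checks a deny before any allow, since that is the order IAM applies, and that a real tool must also pull resource policies, permission boundaries and condition keys before it can claim a denial is unexplained.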