New open-source tool tackles pesky access denial messages in AWS

Administrators befuddled by AWS access-denied messages will welcome a new open-source tool announced Thursday by cloud infrastructure security company Ermetic. The Access Undenied tool analyzes AWS CloudTail AccessDenied events by scanning an environment to identify and explain the reasons for the events and offer actionable, least-privilege remediation suggestions.

“AWS access management is a highly complex system,” Ermetic Research Lead Noam Dahan explained in an interview. “It has a lot of moving parts, a lot of policies. Plus every piece of information is complex, as well. That can make questions about ‘why can’t I access this’ incredibly complicated.”

Access Undenied makes troubleshooting easier for builders

Those complications are made worse by error messages that are opaque, although a degree of obscurity is necessary since AWS doesn’t want to grant unprivileged actors details on the exact content and identity of the service control policies preventing them from acting in a certain way. A balance is needed between easy troubleshooting for builders and opacity to attackers.

Access Undenied makes troubleshooting easier for builders. It analyzes AWS “access denied” events and offers actionable remediation steps to facilitate access. A user can completely control its permissions and actions, and it does not send data to anyone. It can be used from the command line interface on a local machine on single or batches of events, or even run from a lambda function and have a lambda that receives an event and returns the reason that access was denied.

How security and DevOps teams can use Access Undenied

The open-source tool tackles some of the peskiest Access Denied challenges encountered by DevOps and security teams, including:

• Lack of detail for messages generated in services such as S3, IAM, STS, CloudWatch, EFS, DynamoDB, Redshift, Opensearch, and ACM.

• Tracking down a specific policy and statement when an explicit denial of access is triggered for all policies when a denial arises in a service control policy.

• Creating a least-privilege policy without granting excessive permissions when dealing with a missing allow statement.

“Even if you know the policy type causing ‘access denied’, which isn’t always the case, you still need to find the policy and the statement inside the policy causing the denial and replace it with a least-privilege alternative,” Dahan said in a news release. “Basically, you give the Access Undenied on AWS tool a CloudTrail event with an ‘Access Denied’ outcome, and it will tell you how to fix it.”

Access Undenied on AWS supports policies for many resources and some of the most common condition keys. The open-source project is also soliciting input from the community through contributions of new issues in its repository.

Dahan hopes Ermetic’s new open-source tool will encourage greater use of least-privilege access. “We want people to become interested in least-privilege and facilitating usability in their environments without opening them up excessively,” he says.