IAM Safety

Overview

CloudGuard IAMClosed Identity and Access Management (IAM) - A web service that customers can use to manage users and user permissions within their organizations. Safety controls access to services on AWSClosed Amazon® Web Services. Public cloud platform that offers global compute, storage, database, application and other cloud services. environments by IAM users, and requires that these users have explicitly given permission from a CloudGuard account administrator to access these services. This hardens the AWS account console and restricts users from making that are not approved or accidental changes to account settings without the knowledge and authorization of an administrator. Users can continue to access the account to view settings without restrictions (based on their AWS permissions).

For IAM users to access protected services, they must have an authorization window opened for them for the service. The window can be opened for them by a CloudGuard admin user, on the CloudGuard portal, or by the IAM users themselves with the CloudGuard Mobile App. The authorization window is for a limited period. During this time, the IAM user can access the protected AWS services. At the end of the window, access to the services is blocked.

In addition, all actions taken by IAM users on protected services are logged, and appear in the CloudGuard Audit Trail.

How it Works

CloudGuard IAM Safety protects AWS services or specific actions for these services. To set up IAM Safety on CloudGuard, you configure a CloudGuard IAM policy on your AWS account which grants CloudGuard permissions to control select AWS services. You included in this policy the AWS services or actions that are protected by CloudGuard (AWS actions or services that are not selected can be accessed by IAM users based on their AWS permissions and are not restricted or protected by CloudGuard).

After the policy has been applied to the AWS account, you use CloudGuard to explicitly apply protection to the IAM users of the AWS account for the protected services you selected. This means to access the protected services or actions on AWS they are given explicit access permission from a CloudGuard admin user. This is called elevation. It is for a limited time set at the time it is granted. During this time, the IAM user can access the service based on their AWS IAM role. At the end of the time, they are blocked from access.

In addition, you can apply IAM Safety to IAM Roles. In this case, all IAM users with this role can access protected AWS services when the role is elevated.

Use one of these procedures to elevate an IAM user or role:

  • By a CloudGuard super user from the CloudGuard portal.

  • They can elevate themselves if they are in addition a CloudGuard user, have installed the CloudGuard Mobile app, and associated it with a protected account.

Note - IAM users of a protected account, who do not have protection applied to them, are not restricted by CloudGuard from accessing services in the account (based on their AWS permissions only). To protect an AWS account, it is important to immediately apply protection to all IAM Users and Roles the account is protected.

Considerations

CloudGuard recommends through categories of actions and services to be protected by IAM Safety. These are grouped as Templates when you set up the IAM Safety, and cover Computing, Networking, Security & Identity, Storage, and Database actions. Check Point recommends to lock down services/actions that are not done frequently, or are irrevocable when done, or both. For example, IAM, Route53, KMSClosed AWS Key Management Service (AWS KMS) - A managed service that simplifies the creation and control of encryption keys that are used to encrypt data., services, or actions such as changing S3 bucket permissions, deleting buckets, or deleting EBSClosed Elastic Block Storage (EBS) Volume hosts virtual data in segments. It's like a storage disk with the ability to contain various sizes of data. These virtual storage devices usually replicate within one AWS region to increase their availability. snapshots.

Prerequisites

The AWS account with the services that you wish to protect with IAM Safety must be onboarded to CloudGuard. See Onboarding AWS Environments.

CloudGuard users must be associated with a protected AWS account to grant access to themselves or other users. This is done by invitation from a CloudGuard admin user.

If it is necessary for CloudGuard users to use the CloudGuard Mobile app to elevate themselves to access AWS-protected services, they must install the application and then pair it with their CloudGuard account.

Protected vs Protected with Elevation

Two procedures used to protect an AWS service:

Protected - Protected AWS IAM users cannot do protected actions on these AWS services in any circumstances. Users can only do these actions if the CloudGuard protection is permanently removed from the service.

Protected with Elevation - CloudGuard users (who are associated with the protected account) can elevate themselves or other IAM users to access protected services for limited periods.

Tamper Protection

IAM users or roles that are protected with IAM Safety are protected against tampering. These users and roles are included in restricted groups or policies in AWS (as part of the procedure CloudGuard implements the protection). If someone tries to remove a user or role from these groups or policies on the AWS console (and not through CloudGuard) it is detected by CloudGuard (and logged in the Audit trail) and rolled back.

Benefits

  • Reduce not approved or accidental access to AWS accounts to change settings or entities

  • Control who can make changes to AWS accounts settings

  • Must have more authorization (the mobile app on the user's device) to grant access

  • Access permissions are temporary, and are automatically removed at the end of the authorization window

  • Full audit trail of access to sensitive services

Use Case

An AWS IAM user account must have:

Actions

To set up your CloudGuard account to manage IAM user access to an AWS account, you must configure a policy in the AWS account. This policy lists the AWS services and actions that are protected. When this policy is in place, access to these services is blocked to all IAM users and only permitted to specific users when authorization is given.

  1. In the primary menu, navigate to CIEM > IAM SafetyAccounts.

  2. Select the AWS services and actions to be managed by your CloudGuard account from the list of services. The list of services expands, to show specific actions. As an alternative, select one or more templates (aggregate groups of services) at the top. After making your selections, click Copy to Clipboard. Click Next.

  3. Follow the steps described in the next screen, to create a new policy and group on your AWS account, which permits your CloudGuard account to manage AWS IAM users. Copy the Policy and Group ARNs from the AWS console, paste them in the applicable places on this screen, and then click Next.

    Note - Review carefully the services and actions that you select for protection before proceeding. When you complete the policy setup for these services, there is no simple procedure to make changes to it.

  4. Select the AWS account to be managed by CloudGuard, and then click Next.

  5. Connect the IAM Safety policy with the account. Follow the on-screen instructions and then click Next.

  6. CloudGuard connects to your AWS account and tries to gain control of the selected services. If this is successful, the confirmation message appears.

After the AWS account has been protected with CloudGuard IAM Safety, you can apply CloudGuard protection to IAM users of the account, so that they can access the protected services. These users are called 'Protected' users. Applying protection to them does not grant them access, but allows temporary access to be granted to them with an 'elevation' (or authorization).

IAM Users and Roles can be protected. If a role is protected, any IAM user with this role can access protected services if the role is elevated.

Note - Until you apply protection to an IAM user, the user can access AWS services (and protected services) without restriction. It is important to apply protection to all IAM users immediately after configuring CloudGuard IAM Safety on the account.

  1. Navigate to the IAM Safety page and select the IAM Users tab. This shows a list of the IAM (AWS) users of the AWS account. The protection status of each user is shown (initially all are Not Protected).

  2. Select a user or users to protect and click Protect All.

  3. Select the type of protection to apply to the user, then click Save. Protected restricts the user from accessing protected AWS services. Protected With Elevation restricts the user from accessing protected services, but allows the user to be elevated, to access services. In addition, select the CloudGuard users that can elevate these users. This can be a group of users.

  4. Click Save.

Apply protection to IAM Roles in the same procedure. Select the IAM Roles tab.

Select the roles to be protected, then click Protect All.

A CloudGuard super user can remove protection from an IAM User for an AWS account. When protection is removed, this user can access protected services on the account without any CloudGuard restriction or control (or Tamper Protection). In addition, actions by this user are audited by CloudGuard.

  1. Navigate to the IAM Users tab.

  2. Select opposite the User or Role.

A CloudGuard account administrator invites other CloudGuard users to a protected account. These users can then elevate IAM users to access the protected AWS account.

  1. Navigate to the Users page in the Settings menu.

  2. Select the user from the list and click Invite User from the menu bar.

    An email invitation is sent to the user.

  3. The invited users receive an email to join IAM Safety. To join, they must click the link.

The invited user can optionally install the CloudGuard mobile app (seeCloudGuard Mobile Application), to elevate IAM users from the app.

A CloudGuard user, related to a protected IAM user or role, can elevate them, to access the protected services. This can be done from the CloudGuard portal, or on the CloudGuard Mobile app.

The IAM user must be protected by IAM Safety with Protect With Elevation protection.

The elevation is for a limited period, during which the elevated user can access the protected AWS services.

Elevate with the CloudGuard portal

CloudGuard super users can elevate IAM users from the CloudGuard console app.

  1. Navigate to the IAM Users tab.

  2. Select the user or users to be elevated from the list of IAM Users (the user must be Protected). Click Elevate opposite the user to elevate the user for 15 minutes, or select a specific elevation period from the drop-down list.

  3. To elevate a number or users, check the box adjacent to each one, then select the elevation period.

  4. If the intended user is not yet protected, press Protect to include them in CloudGuard protection, and select the Protected With Elevation option, after which they can be elevated.

Elevate with the CloudGuard Mobile App

CloudGuard users can elevate themselves with the CloudGuard Mobile app.

  1. Open the mobile app, and select IAM Safety from the primary menu.

  2. Tap on a Role or User from the list, to grant an authorization window to access the AWS service. The period of the window is indicated. The size of the authorization window can be configured on the Settings page of the app.