CloudGuard Dome9 Help

IAM Safety
Overview

CloudGuard Dome9 IAM Safety controls access to services on AWS cloud accounts by IAM users, and requires that AWS (IAM) users be explicitly granted permission from a Dome9 account administrator in order to access these services. This hardens the AWS account console and restricts users from making unauthorized or accidental changes to account settings without the knowledge and authorization of an administrator. Users can still access the account to view settings without restrictions (based on their AWS permissions).

IAM users who wish to access protected services must have an authorization window opened for them for the service. The window can be opened for them by a Dome9 admin user, on the Dome9 console, or by the IAM users themselves, using the Dome9 Mobile App. The authorization window is for a limited period of time. During this time, the IAM user can access the protected AWS services. At the end of the window, access to the services will be blocked.

Further, all actions taken by IAM users on protected services are logged, and appear in the Dome9 Audit Trail.

How it works

Dome9 IAM Safety protects AWS services or specific actions for these services. To set up IAM Safety on Dome9, you configure a Dome9 IAM policy on your AWS account which grants Dome9 permissions to control select AWS services. You include in this policy the AWS services or actions that will be protected by Dome9 (AWS actions or services that are not selected can be accessed by IAM users according to their AWS permissions, and are not restricted or protected by Dome9).

After the policy has been applied to the AWS account, you use Dome9 to explicitly apply protection to the IAM users of the AWS account for the protected services you selected. This means that, to access the protected services or actions on AWS, they will need to be given explicit access permission from a Dome9 admin user. This is called 'elevation'. It is for a limited time, set at the time it is granted. During this time, the IAM user can access the service, according to their AWS IAM role. At the end of the time, they are blocked from access.

You can also apply IAM Safety to IAM Roles. In this case, all IAM users with this role can access protected AWS services when the role is elevated.

An IAM user or role can be elevated in the following ways:

  • by a Dome9 super user, from the Dome9 console
  • by the IAM users themselves, if they are also Dome9 users, have installed the Dome9 Mobile app, and have associated it with the protected account

Note: IAM users of a protected account, who do not have protection applied to them, will not be restricted by Dome9 from accessing services in the account (according to their AWS permissions only). To properly protect an AWS account, therefore, it is important to apply protection to all IAM Users and Roles as soon as the account is protected.

Considerations

Dome9 recommends certain categories of actions and services to be protected by IAM Safety. These are grouped as Templates when you set up IAM Safety, and cover Computing, Networking, Security & Identity, Storage, and Database actions. In addition, it is recommended to lock down services/actions that aren't performed very often and/or are irrevocable once performed. For example, services such as IAM, Route53, or KMS, or actions such as changing S3 bucket permissions, deleting buckets, or deleting EBS snapshots.

What you need

The AWS account with the services that you wish to protect with IAM Safety must be onboarded to Dome9, and must be in Full-Protection mode. See Onboard an AWS Account.

Dome9 users must be associated with a protected AWS account in order to grant access to themselves or other users. This is done by invitation from a Dome9 admin user.

If a Dome9 user wishes to use the Dome9 Mobile app to elevate themselves to access protected AWS services, they must install the app and then pair it with their Dome9 account.

Protected vs Protected with Elevation

You can protect an AWS service in two ways.

Protected - Protected AWS IAM users cannot perform protected actions on these AWS services under any circumstances. Users can only perform these actions if the Dome9 protection is permanently removed from the service.

Protected with Elevation - Dome9 users (who are associated with the protected account) can elevate themselves or other IAM users to access protected services for limited periods of time.

Tamper protection

IAM users or roles that are protected with IAM Safety are also protected against tampering. These users and roles are included in restricted groups or policies in AWS (as part of the way Dome9 implements the protection). Any attempt to remove a user or role from these groups or policies on the AWS console (and not through Dome9) will be detected by Dome9 (and logged in the Audit trail) and rolled back.
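As an added illustration (not Dome9's own code), the following Python model covers both the elevation behaviour described under "How it works" and the tamper check described above: protected users sit in a hypothetical restricting IAM group that carries an explicit Deny, an elevation opens a time-limited window, and a reconciliation pass reports and reverts any removal from the group made outside Dome9. The group name and the action list are assumptions; the real names Dome9 uses are not given on this page.

```python
"""Constructed model of IAM Safety-style elevation and tamper protection."""
from datetime import datetime, timedelta

# Hypothetical group name; Dome9's real group/policy names are not on the page.
RESTRICT_GROUP = "Dome9-IAMSafety-Restricted"

# Protected actions, following the page's examples (IAM, Route53, KMS,
# S3 bucket permission changes and deletion, EBS snapshot deletion).
PROTECTED_ACTIONS = ["iam:*", "route53:*", "kms:*", "s3:PutBucketPolicy",
                     "s3:DeleteBucket", "ec2:DeleteSnapshot"]


def deny_policy(actions):
    """Explicit-Deny IAM policy document attached to the restricting group."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Deny", "Action": list(actions),
                           "Resource": "*"}]}


def matches(pattern, action):
    """Match an IAM action (service:Name) against a pattern such as 'kms:*'."""
    svc, name = pattern.split(":")
    asvc, aname = action.split(":")
    return svc == asvc and (name == "*" or name == aname)


class IamSafety:
    def __init__(self, protected_users):
        self.members = set(protected_users)   # who should be in RESTRICT_GROUP
        self.elevations = {}                  # user -> expiry datetime

    def elevate(self, user, now, minutes):
        """Open a time-limited authorization window for a protected user."""
        self.elevations[user] = now + timedelta(minutes=minutes)

    def is_allowed(self, user, action, now):
        """Unprotected users and non-protected actions fall through to the
        user's own AWS permissions (modelled here as allowed); protected
        users need an open window for a protected action."""
        if user not in self.members:
            return True
        if not any(matches(p, action) for p in PROTECTED_ACTIONS):
            return True
        return user in self.elevations and now < self.elevations[user]

    def reconcile(self, observed_members):
        """Tamper check: every expected member missing from the observed
        group membership is reported and re-added (the rollback). Extra
        observed members are left in place."""
        removed = sorted(self.members - set(observed_members))
        return removed, self.members | set(observed_members)
```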

Benefits

  • Reduce unauthorized or accidental access to AWS accounts to modify settings or entities

  • Control who can make changes to AWS accounts settings

  • Require an additional authorization factor (the mobile app on the user's mobile device) to grant access

  • Access permissions are temporary, and are automatically removed at the end of the authorization window

  • Full audit trail of access to sensitive services

Use-cases

  • An AWS IAM user needs to change settings on the AWS account, or add or modify cloud entities associated with the account or its VPCs.

Actions

See also

Onboard an AWS Account

Audit Trail

CloudGuard Dome9 Mobile App