CloudGuard (Dome9) IAM Safety controls access to services on AWS cloud accounts by IAM users, and requires that AWS (IAM) users be explicitly granted permission from a CloudGuard account administrator in order to access these services. This hardens the AWS account console and restricts users from making unauthorized or accidental changes to account settings without the knowledge and authorization of an administrator. Users can still access the account to view settings without restrictions (based on their AWS permissions).
IAM users who wish to access protected services must have an authorization window opened for them for the service. The window can be opened for them by a CloudGuard admin user, on the CloudGuard console, or by the IAM users themselves, using the CloudGuard Mobile App. The authorization window is for a limited period of time. During this time, the IAM user can access the protected AWS services. At the end of the window, access to the services will be blocked.
Further, all actions taken by IAM users on protected services are logged, and appear in the CloudGuard Audit Trail.
How it works
CloudGuard IAM Safety protects AWS services or specific actions for these services. To set up IAM Safety on CloudGuard, you configure a CloudGuard IAM policy on your AWS account which grants CloudGuard permissions to control select AWS services. You include in this policy the AWS services or actions that will be protected by CloudGuard (AWS actions or services that are not selected can be accessed by IAM users, according to their AWS permissions, and are not restricted or protected by CloudGuard).
After the policy has been applied to the AWS account, you use CloudGuard to explicitly apply protection to the IAM users of the AWS account for the protected services you selected. This means that, to access the protected services or actions on AWS, they will need to be given explicit access permission from a CloudGuard admin user. This is called 'elevation'. It is for a limited time, set at the time it is granted. During this time, the IAM user can access the service, according to their AWS IAM role. At the end of the time, they are blocked from access.
You can also apply IAM Safety to IAM Roles. In this case, all IAM users with this role can access protected AWS services when the role is elevated.
An IAM user or role can be elevated in the following ways:
- by a CloudGuard super user from the CloudGuard console
- they can elevate themselves, if they are also a CloudGuard user, and have installed the CloudGuard Mobile app, and associated it with the protected account
Note: IAM users of a protected account, who do not have protection applied to them, will not be restricted by CloudGuard from accessing services in the account (according to their AWS permissions only). To properly protect an AWS account, therefore, it is important to apply protection to all IAM Users and Roles as soon as the account is protected.
CloudGuard recommends certain categories of actions and services to be protected by IAM Safety. These are grouped as Templates when you set up IAM Safety, and cover Computing, Networking, Security & Identity, Storage, and Database actions. In addition, it is recommended to lock down services/actions that aren't performed very often and/or are irrevocable when they are performed. For example, the IAM, Route53 and KMS services, or actions such as changing S3 bucket permissions, deleting buckets, or deleting EBS snapshots.
What you need
The AWS account with the services that you wish to protect with IAM Safety must be onboarded to CloudGuard, and must be in Full-Protection mode. See Onboard an AWS Account.
CloudGuard users must be associated with a protected AWS account in order to grant access to themselves or other users. This is done by invitation from a CloudGuard admin user.
If a CloudGuard user wishes to use the CloudGuard Mobile app to elevate themselves to access AWS protected services, they must install the app and then pair it with their CloudGuard account.
Protected vs Protected with Elevation
You can protect an AWS service in two ways.
Protected - Protected AWS IAM users cannot perform protected actions on these AWS services under any circumstances. Users can only perform these actions if the CloudGuard protection is permanently removed from the service.
Protected with Elevation - CloudGuard users (who are associated with the protected account) can elevate themselves or other IAM users to access protected services for limited periods of time.
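The two protection modes and the time-limited elevation window described above can be modelled in a few lines. The following is an added example written for this page, not CloudGuard (Dome9) code: the Deny-style policy document, the principal names, the fixed reference clock and the 15-minute default are constructed assumptions, and the real policy that CloudGuard generates may be shaped differently. The point it shows is the decision order a practitioner should expect: an action outside the policy is never restricted, an unprotected principal is never restricted (the situation the Note above warns about), a 'Protected' principal is always blocked, and a 'Protected with Elevation' principal is allowed only while an elevation window is open, with every attempt on a protected action recorded for the audit trail.

```python
"""Time-bounded elevation model for IAM Safety-style protection.

Added illustration (not CloudGuard/Dome9 code). The policy document, principal
names, reference clock and the 15-minute default are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import fnmatch

# Constructed stand-in for the policy built on the IAM Safety setup screen:
# a Deny statement listing the services and actions that are protected.
# (Assumption: the policy CloudGuard actually generates may differ in shape.)
PROTECTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "IamSafetyProtectedActions",
        "Effect": "Deny",
        "Action": [
            "iam:*", "route53:*", "kms:*",              # whole services
            "s3:PutBucketAcl", "s3:PutBucketPolicy",    # changing bucket permissions
            "s3:DeleteBucket", "ec2:DeleteSnapshot",    # irrevocable actions
        ],
        "Resource": "*",
    }],
}

PROTECTED = "Protected"
PROTECTED_WITH_ELEVATION = "Protected with Elevation"

# Fixed reference clock so the example is deterministic when run offline.
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def at(minutes):
    """Instant `minutes` after T0 (convenience for callers and tests)."""
    return T0 + timedelta(minutes=minutes)


def protected_actions(policy):
    """Action patterns covered by Deny statements in the policy document."""
    patterns = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        actions = stmt["Action"]
        patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns


def is_protected(action, policy):
    """IAM action names match case-insensitively; '*' wildcards apply."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in protected_actions(policy))


@dataclass
class Elevation:
    principal: str      # IAM user or role name
    granted_by: str     # CloudGuard user who opened the window
    start: datetime
    minutes: int

    def active_at(self, when):
        return self.start <= when < self.start + timedelta(minutes=self.minutes)


@dataclass
class IamSafety:
    policy: dict
    protection: dict = field(default_factory=dict)   # principal -> mode
    elevations: list = field(default_factory=list)
    audit: list = field(default_factory=list)        # every attempt on a protected action

    def protect(self, principal, mode):
        if mode not in (PROTECTED, PROTECTED_WITH_ELEVATION):
            raise ValueError(f"unknown protection mode {mode!r}")
        self.protection[principal] = mode

    def elevate(self, principal, granted_by, start, minutes=15):
        """Open an authorization window; only 'Protected with Elevation' principals qualify."""
        if self.protection.get(principal) != PROTECTED_WITH_ELEVATION:
            raise PermissionError(f"{principal} is not protected with elevation")
        self.elevations.append(Elevation(principal, granted_by, start, minutes))

    def allowed(self, principal, action, when):
        """Does IAM Safety let `principal` (a user, or a role it has assumed) run `action`?

        True means IAM Safety imposes no restriction; the principal's own AWS IAM
        permissions still apply on top and are not modelled here.
        """
        if not is_protected(action, self.policy):
            return True                      # unprotected action: AWS permissions alone decide
        mode = self.protection.get(principal)
        if mode is None:
            return True                      # unprotected principal: IAM Safety does not restrict it
        if mode == PROTECTED:
            decision = False                 # blocked until protection is removed entirely
        else:
            decision = any(e.principal == principal and e.active_at(when)
                           for e in self.elevations)
        self.audit.append((when.isoformat(), principal, action,
                           "allowed" if decision else "blocked"))
        return decision
```

Because a role is just another principal here, elevating a role name opens the window for every user acting under that role, which matches the role behaviour described above.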
IAM users or roles that are protected with IAM Safety are also protected against tampering. These users and roles are included in restricted groups or policies in AWS (as part of the way CloudGuard implements the protection). Any attempt to remove a user or role from these groups or policies on the AWS console (and not through CloudGuard) will be detected by CloudGuard (and logged in the Audit trail) and rolled back.
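The tamper protection just described rests on noticing when a protected user or role is pulled out of the restricted group or policy by a path other than CloudGuard. The following is an added example written for this page, not CloudGuard's own detection logic: it runs over constructed CloudTrail records, treats the IAM API calls that would undo the protection (`RemoveUserFromGroup`, `DetachGroupPolicy`, `DetachRolePolicy`) as tamper attempts when they hit a protected group or role and come from any actor other than an assumed CloudGuard role, and pairs each finding with the IAM call that restores the previous state. The group and role names, the trusted role ARN and the sample events are all assumptions.

```python
"""Tamper detection for IAM Safety-style protected groups and roles, over CloudTrail records.

Added illustration (not CloudGuard/Dome9 code). Group/role names, the trusted
CloudGuard role ARN and the sample events are constructed assumptions.
"""
import json

# Assumed inventory recorded when protection was applied (names are constructed).
PROTECTED_GROUPS = {"IamSafety-ProtectedUsers": {"alice", "bob"}}
PROTECTED_ROLE_POLICIES = {
    "DeployRole": {"arn:aws:iam::123456789012:policy/IamSafety-ProtectedRoles"},
}
# Changes made through CloudGuard itself arrive under its cross-account role (assumed name).
TRUSTED_ACTOR_PREFIX = "arn:aws:sts::123456789012:assumed-role/CloudGuard-Connect/"

# IAM API calls that undo the protection: the CloudTrail requestParameters keys that
# identify the target, and the IAM call that restores the state.
TAMPER_EVENTS = {
    "RemoveUserFromGroup": (("groupName", "userName"), "AddUserToGroup"),
    "DetachGroupPolicy":   (("groupName", "policyArn"), "AttachGroupPolicy"),
    "DetachRolePolicy":    (("roleName", "policyArn"), "AttachRolePolicy"),
}


def _touches_protected_state(name, params):
    """Only changes to the groups/roles CloudGuard manages count as tampering."""
    if name == "RemoveUserFromGroup":
        return params.get("userName") in PROTECTED_GROUPS.get(params.get("groupName"), set())
    if name == "DetachGroupPolicy":
        return params.get("groupName") in PROTECTED_GROUPS
    if name == "DetachRolePolicy":
        return params.get("policyArn") in PROTECTED_ROLE_POLICIES.get(params.get("roleName"), set())
    return False


def classify(event):
    """Return a finding dict for an out-of-band tamper attempt, else None."""
    if event.get("eventSource") != "iam.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in TAMPER_EVENTS:
        return None
    actor = event.get("userIdentity", {}).get("arn", "")
    if actor.startswith(TRUSTED_ACTOR_PREFIX):
        return None                          # CloudGuard's own (authorized) change
    params = event.get("requestParameters") or {}
    if not _touches_protected_state(name, params):
        return None                          # unrelated group or role
    keys, restore_call = TAMPER_EVENTS[name]
    # Rollback reuses the same identifiers, in the IAM API's own parameter casing.
    rollback = {k[0].upper() + k[1:]: params.get(k) for k in keys}
    return {
        "time": event.get("eventTime"),
        "eventName": name,
        "actor": actor,
        "target": {k: params.get(k) for k in keys},
        "rollback": (restore_call, rollback),
    }


def scan(records):
    """Run classify() over CloudTrail records; the findings feed the audit trail and rollback."""
    return [f for f in (classify(r) for r in records) if f]


# Constructed CloudTrail records (not taken from a real trail).
SAMPLE_RECORDS = [
    {"eventTime": "2024-01-01T12:03:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "RemoveUserFromGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"groupName": "IamSafety-ProtectedUsers", "userName": "alice"}},
    {"eventTime": "2024-01-01T12:04:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "RemoveUserFromGroup",
     "userIdentity": {"arn": TRUSTED_ACTOR_PREFIX + "session1"},
     "requestParameters": {"groupName": "IamSafety-ProtectedUsers", "userName": "bob"}},
    {"eventTime": "2024-01-01T12:05:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "DetachRolePolicy",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"roleName": "OtherRole",
                           "policyArn": "arn:aws:iam::123456789012:policy/Unrelated"}},
    {"eventTime": "2024-01-01T12:06:00Z", "eventSource": "iam.amazonaws.com",
     "eventName": "GetUser",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"userName": "alice"}},
]

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_RECORDS), indent=2))
```

Only the first sample record is flagged: the second is the same removal performed through the trusted CloudGuard role, the third touches a role that is not protected, and the fourth is a read-only call. Whether a flagged finding is then rolled back automatically or only logged is a policy decision the caller makes with the `rollback` tuple.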
- Reduce unauthorized or accidental access to AWS accounts to modify settings or entities
- Control who can make changes to AWS account settings
- Require an additional authorization factor (the mobile app on the user's mobile device) to grant access
- Access permissions are temporary, and are automatically removed at the end of the authorization window
- Full audit trail of access to sensitive services
- An AWS IAM user account needs to change settings on the AWS account or add/modify cloud entities associated with the account or its VPCs.
To set up your CloudGuard account to manage IAM user access to an AWS account, you must configure a policy in the AWS account, to permit your CloudGuard account to manage IAM users. This policy will list the AWS services and actions that will be protected. Once this policy is in place, access to these services will be blocked to all IAM users, and only permitted to particular users when an authorization is granted (this is described below).
- Navigate to the IAM Safety page in the IAM Protection menu, and click GET STARTED.
- Select the AWS services and actions to be managed by your CloudGuard account from the list of services. The list of services expands, to show specific actions. Alternatively, select one or more templates (aggregate groups of services) at the top. After making your selections, click COPY TO CLIPBOARD. Click NEXT.
- Follow the steps described in the next screen, to create a new policy and group on your AWS account, which permits your CloudGuard account to manage AWS IAM users. Copy the Policy and Group ARNs from the AWS console, and paste them in the appropriate places on this screen, and then click NEXT.
  Note: carefully review the services and actions that you have selected for protection before proceeding to the next step. Once you have set up the policy for these services, there is no simple way to make changes to it.
- Connect the IAM Safety policy with the account. Follow the on-screen instructions, and then click NEXT.
CloudGuard will connect to your AWS account, and attempt to assume control of the selected services. If this is successful, a confirmation message will appear.
After the AWS account has been protected with CloudGuard IAM Safety, you can apply CloudGuard protection to IAM users of the account, so that they can access the protected services. These users are called 'Protected' users. Applying protection to them does not grant them access, but allows temporary access to be granted to them by means of an 'elevation' (or authorization).
Both IAM Users and Roles can be protected. If a role is protected, any IAM user with this role can access protected services if the role is elevated.
Note: until you apply protection to an IAM user, the user can access AWS services (including protected services) without restriction. It is important to apply protection to all IAM users immediately after configuring CloudGuard IAM Safety on the account.
- Navigate to the IAM Safety page, and then select the IAM Users tab. This shows a list of the IAM (AWS) users of the AWS account. The protection status of each user is also shown (initially all are Not Protected).
- Select a user or users to protect, then click PROTECT ALL.
- Select the type of protection to apply to the user. Protected restricts the user from accessing protected AWS services. Protected With Elevation restricts the user from accessing protected services, but allows the user to be elevated to access them. Select also the CloudGuard users that will be able to elevate these users. This can be a group of users.
- Click SAVE.
Apply protection to IAM Roles in the same way:
- Select the IAM Roles tab.
- Select the roles to be protected, then click PROTECT ALL.
A CloudGuard super user can remove protection from an IAM User for an AWS account. When protection is removed, this user can access protected services on the account without any CloudGuard restriction or control (including Tamper Protection). In addition, actions by this user will not be audited by CloudGuard.
A CloudGuard account admin can invite other CloudGuard users to a protected account. These users can then elevate IAM users to access the protected AWS account.
- Navigate to the Users page in the Administration menu.
- Select the user from the list, and then select Invite User in the Actions menu, on the right.
The invited user can optionally install the CloudGuard mobile app (see CloudGuard (Dome9) Mobile App), to elevate IAM users from the app.
A CloudGuard user, associated with a protected IAM user or role, can elevate them, to access the protected services. This can be done from the CloudGuard web app, or on the CloudGuard Mobile app.
The IAM user must be protected by IAM Safety with Protect With Elevation protection.
The elevation will be for a limited period of time, during which the elevated user will be able to access the protected AWS services.
Elevate using the CloudGuard console app
CloudGuard super users can elevate IAM users from the CloudGuard console app.
- Navigate to the IAM Users tab.
- Select the user or users to be elevated from the list of IAM Users (the user must be Protected With Elevation). Click ELEVATE opposite the user to elevate the user for 15 minutes, or select a specific elevation period from the drop-down list.
  To elevate a number of users, check the box next to each one, then select the elevation period.
- If the intended user is not yet protected, press PROTECT to include them in CloudGuard protection, and select the Protected With Elevation option, after which they can be elevated.
Elevate using the CloudGuard Mobile app
CloudGuard users can elevate themselves using the CloudGuard Mobile app.