Consider removing permissions through deny? #26

Closed
et304383 opened this issue Jul 4, 2017 · 3 comments
et304383 commented Jul 4, 2017

I am wondering if there could be value in explicitly denying access to services not being used.

The reason I ask is because it's pretty hard to remove access that is granted through a managed policy.

Has any consideration been given to how this should be handled?


mcpeak commented Jul 5, 2017

Is the idea for the rewritten inline policy (with deny) to override something that is allowed in a managed policy? For our internal use we generally limit use of managed policies in part for this reason and try to avoid 'deny' because it makes the logic harder to follow.

That being said it would be a pretty easy change to move unused services to a deny section rather than removing them from the policy entirely. It's not something that I would prioritize given our use and the other things we're working on for Repokid, but I'd happily accept a PR to add this as long as it was a configurable option.

It's also worth keeping in mind that policies have a size limit of ~10K so as you add more to the policy (rather than remove) you have to be careful to stay under the limit.
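An added example (not Repokid's own code) of the two rewrite strategies the comment above contrasts: stripping unused services' actions from Allow statements, or moving them into an explicit Deny block, plus the size check the ~10K limit calls for. The sample policy, the service list and the 10240-byte limit are constructed assumptions for illustration.

```python
import json

# Assumed limit for this example (the thread only says "~10K"); AWS does not
# count whitespace, so the size is measured on compact JSON as an approximation.
MAX_POLICY_BYTES = 10240

# Constructed sample inline policy with one Allow statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "sqs:SendMessage", "ec2:DescribeInstances"],
        "Resource": "*",
    }],
}


def service_of(action):
    """Service prefix of an IAM action, e.g. 's3' for 's3:GetObject'."""
    return action.split(":", 1)[0].lower()


def rewrite_policy(policy, unused_services, mode="remove"):
    """Return a new policy with actions of unused services dropped from Allow
    statements; with mode='deny' they are collected into one explicit Deny block
    instead of disappearing, so they also override allows granted elsewhere."""
    unused = {s.lower() for s in unused_services}
    new_statements, denied = [], set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            new_statements.append(stmt)  # leave existing Deny statements as they are
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        kept = [a for a in actions if service_of(a) not in unused]
        denied.update(a for a in actions if service_of(a) in unused)
        if kept:  # drop statements that would be left with no actions
            new_statements.append({**stmt, "Action": kept})
    if mode == "deny" and denied:
        new_statements.append({"Effect": "Deny", "Action": sorted(denied), "Resource": "*"})
    return {**policy, "Statement": new_statements}


def policy_size(policy):
    """Byte length of the compact JSON document, for checking against the limit."""
    return len(json.dumps(policy, separators=(",", ":")).encode("utf-8"))


def fits_limit(policy, limit=MAX_POLICY_BYTES):
    """True if the rewritten policy still fits the assumed document size limit."""
    return policy_size(policy) <= limit
```

Because a Deny block grows the document while a removal shrinks it, the size check matters only for the deny mode.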


et304383 commented Jul 5, 2017

Well we're just trying to see how this could work into our existing flow.

We were hoping this tool could help us remove unused permissions so that we're not struggling at project start to figure out all the required permissions for the project in a new AWS account.

However, I think the real purpose that Netflix intended was to remove permissions that are no longer required - as opposed to removing permissions that simply aren't being used. It's pretty hard to remove permissions that aren't needed if they're never used since trusted advisor only displays info about services used at some previous point.


mcpeak commented Jul 5, 2017

We're trying to address both uses. We deploy new applications with a default profile that covers typical actions an application would need to perform. Access Advisor displays usage data about any service that is allowed by a policy. For any service that is allowed but either never used or not recently used we rewrite the policy to remove access.

FWIW we're working on a way to blacklist specific permissions/services for a role so that we can preserve access that is needed but gets infrequently used.

I'm happy to have a quick conversation to discuss roadmap and the stuff we're working on and find out more about how you're trying to use it.

@mcpeak mcpeak added the wontfix label Sep 8, 2017
@mcpeak mcpeak closed this as completed Sep 8, 2017