TL;DR

Roles are often added in Terraform and, after a while, are no longer needed. They usually go unnoticed and become a security liability. Cloudrail can now find these roles as part of your CI process, so they can be removed safely and your cloud environment’s security improved.

Sign up here to use Cloudrail.

Background

In any typical AWS account, roles are created all the time. Some accounts end up with hundreds, if not thousands, of roles defined. There are roles used by various compute resources, roles used for SSO, roles used for third-party access. The reasons for creating roles are many.

At some point and with enough time, some of these roles will be deprecated. They will no longer be actively used, but they’ll still hang around, because no one knows which roles aren’t in use and whether they should be deleted. Who has the time to check each role and see if it’s actively used?

“Why should I care?” you may ask. The reason is simple – a role is a way into your account. A role has permissions; it allows someone, or something, to use it, and so it can be used to do bad things. Every single role you add is one more way for someone to harm your cloud environment. Roles are generally (hopefully?) locked down tightly, so the chance of this happening with any given role is small. But as the number of roles increases, the overall potential for a role to be used for something nefarious increases with it. What’s more, as time progresses, we (the cloud users) get better at securing roles, so it’s the older roles (the ones that tend to be forgotten) that are less locked down and more risky. Cleaning up unused roles is a wise thing to do, as it reduces the “holes” in our infrastructure.


Luckily, back in 2019, AWS announced a way to identify when a role was last used (if ever). In the blog post they show how one can identify unused roles manually. Since then, various products, including AWS’s own Config service, have adopted the “Last activity” information to flag unused roles.

So, as the cloud world moves more and more to infrastructure-as-code, wouldn’t it be valuable to catch such roles within the code itself?

Today, we’re announcing that we’re the first IaC security tool capable of flagging unused roles within CI/CD. Starting today, Cloudrail will pull the “last activity” of each role in your live cloud environment and cross-reference it against the roles defined in your Terraform code. If a role hasn’t been used for more than 90 days, it will be flagged.

Example

So for this sample Terraform code:

provider "aws" {
  region = "us-east-1"
}

resource "aws_iam_role" "role" {
  name = "role"

  assume_role_policy = <<EOF
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": "sts:AssumeRole",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Effect": "Allow",
          "Sid": ""
        }
      ]
    }
EOF
}

resource "aws_iam_role_policy" "allow-policy-1" {
  name = "allow-policy-1"
  role = aws_iam_role.role.id

...
}

If the role hasn’t been used in over 90 days, or was created more than 90 days ago and has never been used, you’ll receive this result from Cloudrail:

-----------------------------------------------
Rule: Ensure unused roles are removed
 - 1 Resources Exposed:
-----------------------------------------------
   - Exposed Resource: [aws_iam_role.role] (main.tf:5)
     Violating Resource: [aws_iam_role.role]  (main.tf:5)

     Evidence:
             | The IAM Role aws_iam_role.role has not been used for at least 90 days
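The rule described above (last used more than 90 days ago, or created more than 90 days ago and never used) is easy to reproduce yourself from the IAM "last activity" data. The script below is an added example, not Cloudrail's code: it applies those two conditions to role records shaped like the `Role` element IAM `GetRole` returns (`CreateDate`, `RoleLastUsed`), pulls role names out of Terraform with a deliberately simplified line scanner (it assumes `name` appears as a plain string on its own line inside each `aws_iam_role` block), and reports only roles that are both stale and managed in the Terraform. The sample roles, dates and Terraform text are constructed; `fetch_roles` is the live variant and needs a boto3 IAM client with credentials, which the sample run does not use.

```python
import re
from datetime import datetime, timedelta, timezone

UNUSED_DAYS = 90  # threshold the post describes

# Constructed sample, shaped like the "Role" element of IAM GetRole.
# Note: ListRoles does not populate RoleLastUsed; GetRole per role does.
NOW = datetime(2021, 3, 1, tzinfo=timezone.utc)
SAMPLE_ROLES = [
    {"RoleName": "role", "CreateDate": datetime(2020, 6, 1, tzinfo=timezone.utc),
     "RoleLastUsed": {}},                                   # old, never used
    {"RoleName": "ci-deploy", "CreateDate": datetime(2020, 6, 1, tzinfo=timezone.utc),
     "RoleLastUsed": {"LastUsedDate": datetime(2021, 2, 20, tzinfo=timezone.utc),
                      "Region": "us-east-1"}},              # recently used
    {"RoleName": "new-role", "CreateDate": datetime(2021, 2, 15, tzinfo=timezone.utc),
     "RoleLastUsed": {}},                                   # too new to judge
    {"RoleName": "legacy-sso", "CreateDate": datetime(2019, 1, 1, tzinfo=timezone.utc),
     "RoleLastUsed": {"LastUsedDate": datetime(2020, 1, 15, tzinfo=timezone.utc),
                      "Region": "eu-west-1"}},              # stale, not in Terraform
]

# Constructed Terraform: the post's role plus a second one that is still in use.
SAMPLE_TF = '''
resource "aws_iam_role" "role" {
  name = "role"
  assume_role_policy = "{}"
}

resource "aws_iam_role" "ci" {
  name = "ci-deploy"
  assume_role_policy = "{}"
}

resource "aws_iam_role_policy" "allow-policy-1" {
  name = "allow-policy-1"
  role = aws_iam_role.role.id
}
'''


def role_is_unused(role, now=NOW, threshold_days=UNUSED_DAYS):
    """True when the role was last used before the cutoff, or was created
    before the cutoff and has never been used at all."""
    cutoff = now - timedelta(days=threshold_days)
    last_used = role.get("RoleLastUsed", {}).get("LastUsedDate")
    if last_used is not None:
        return last_used < cutoff
    # Never used: only flag it once it is old enough to have had a chance.
    return role["CreateDate"] < cutoff


_RESOURCE = re.compile(r'^\s*resource\s+"aws_iam_role"\s+"([^"]+)"\s*\{')
_NAME = re.compile(r'^\s*name\s*=\s*"([^"]+)"')


def terraform_role_names(hcl_text):
    """Map IAM role name -> Terraform address, e.g. {"role": "aws_iam_role.role"}.
    Simplified scanner (assumption): the first `name = "..."` line after each
    aws_iam_role resource header is taken as that role's name."""
    names, current = {}, None
    for line in hcl_text.splitlines():
        m = _RESOURCE.match(line)
        if m:
            current = f"aws_iam_role.{m.group(1)}"
            continue
        m = _NAME.match(line)
        if m and current:
            names[m.group(1)] = current
            current = None
    return names


def unused_terraform_roles(roles, hcl_text, now=NOW, threshold_days=UNUSED_DAYS):
    """Addresses of Terraform-managed roles that fail the last-activity check."""
    managed = terraform_role_names(hcl_text)
    findings = []
    for role in roles:
        address = managed.get(role["RoleName"])
        if address and role_is_unused(role, now, threshold_days):
            findings.append(address)
    return sorted(findings)


def fetch_roles(iam_client):
    """Live variant: list every role, then GetRole each one for RoleLastUsed."""
    roles = []
    for page in iam_client.get_paginator("list_roles").paginate():
        for summary in page["Roles"]:
            roles.append(iam_client.get_role(RoleName=summary["RoleName"])["Role"])
    return roles


if __name__ == "__main__":
    for address in unused_terraform_roles(SAMPLE_ROLES, SAMPLE_TF):
        print(f"{address}: not used for at least {UNUSED_DAYS} days")
```

On the sample data only `aws_iam_role.role` is reported: `legacy-sso` is stale but not managed in the Terraform, `ci-deploy` was used recently, and `new-role` is too young to judge. The never-used branch matters because a freshly created role has an empty `RoleLastUsed`, and flagging it on day one would only produce noise.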

To use this new capability, you just need to sign up for Cloudrail for free and begin using the tool with your Terraform code. No other steps are necessary. Cloudrail will automatically detect the IAM roles you’re using and cross-reference them against the AWS “last activity” information.


For more examples, see the specific directory for access analyzer in the cloudrail-demo repository.