
Action Hero to the rescue! Creating least privilege AWS IAM policies

Anthony Barbieri ・ 2 min read

As developers start to build services and applications, many begin to use infrastructure-as-code tools such as Terraform, the Serverless Framework, SAM, or the CDK. All of these tools use the AWS SDK to make various API calls against AWS accounts.

As the developer starts iterating on the needed configuration, they usually begin with a highly privileged identity. This lets them rapidly spin up the necessary resources without hitting permission roadblocks.

When they later try to create a more limited set of permissions that follows the principle of least privilege, things become a lot more painful. Starting from zero permissions, a developer has to guess which API calls the tool is making behind the scenes.

Enter Action Hero! By using a feature of the AWS SDK called Client Side Monitoring, Action Hero is able to display the API calls being made by the developer's tool of choice.

You can find the latest version of Action Hero here.

Once you've downloaded the release, you can use tar or another archiving tool to extract it. On Linux and Mac you may also have to run chmod +x <path to actionhero> to allow it to be executed.

Once extracted, you can run the executable. You should see something similar to the screenshot below.

[Screenshot: Action Hero running and waiting for API calls]

In another tab, we'll enable Client Side Monitoring (CSM) by exporting an environment variable (the set command can be used on Windows). The CSM feature is not enabled by default.

[Screenshot: exporting the CSM environment variable in a second terminal tab]

Finally, we can use a tool that leverages the AWS SDK. This assumes you already have valid credentials for an AWS account. Please see the documentation if you need assistance.

In this screenshot I've run the aws s3 ls command, which uses the AWS CLI to list the buckets in my account.

[Screenshot: output of aws s3 ls]

If we switch back to Action Hero's tab, we can see the API call that occurred.

[Screenshot: Action Hero showing the captured API call]

Finally, you can press Ctrl+C to exit Action Hero.
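To show what Action Hero is doing under the hood, here is an added example (not code from the post or from the Action Hero project): a minimal listener for the CSM datagrams that turns the observed calls into a draft IAM policy. It assumes the SDK sends one JSON object per UDP packet to 127.0.0.1:31000 (the CSM default port) once AWS_CSM_ENABLED=true is exported, and that the events carry Type, Service and Api fields; the sample datagrams are constructed.

```python
import json
import socket

# Constructed CSM datagrams for offline testing. Assumption: the SDK emits
# "ApiCallAttempt" per HTTP attempt and one "ApiCall" per completed operation.
SAMPLE_EVENTS = [
    b'{"Version":1,"ClientId":"","Type":"ApiCallAttempt","Service":"S3","Api":"ListBuckets","Region":"us-east-1"}',
    b'{"Version":1,"ClientId":"","Type":"ApiCall","Service":"S3","Api":"ListBuckets","Region":"us-east-1","AttemptCount":1}',
    b'{"Version":1,"ClientId":"","Type":"ApiCall","Service":"STS","Api":"GetCallerIdentity","Region":"us-east-1","AttemptCount":1}',
    b'not json at all',
]


def iam_actions(datagrams):
    """Collect distinct '<service>:<Api>' pairs from completed ApiCall events."""
    actions = set()
    for raw in datagrams:
        try:
            event = json.loads(raw)
        except ValueError:
            continue  # tolerate junk arriving on the socket
        if event.get("Type") != "ApiCall":
            continue  # ApiCallAttempt records duplicate the final ApiCall record
        svc, api = event.get("Service"), event.get("Api")
        if svc and api:
            actions.add(f"{svc.lower()}:{api}")
    return actions


def policy_draft(actions):
    """Render a draft policy. Resource stays '*' because CSM does not report ARNs,
    and some API names differ from their IAM action names, so review by hand."""
    statement = {"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}
    return {"Version": "2012-10-17", "Statement": [statement]}


def listen(port=31000, max_events=50):
    """Receive CSM datagrams on localhost until max_events have arrived."""
    seen = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("127.0.0.1", port))
        while len(seen) < max_events:
            seen.append(sock.recv(8192))
    return iam_actions(seen)


if __name__ == "__main__":
    print(json.dumps(policy_draft(listen()), indent=2))
```

Run it in one tab, export AWS_CSM_ENABLED=true in another and use the CLI as described above; the draft it prints still needs resources scoped down before it is attached to an identity.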

I hope you find Action Hero useful as you build on AWS and create least privilege identities!
