DEV Community


Posted on

Awesome AWS Tools - Identity & Access

Security is built into the core of AWS cloud. AWS offers foundational services like IAM, KMS, Cognito, GuardDuty, Inspector, Macie and many more, to help you meet security requirements in the cloud. In addition, AWS provides a number of tools that can further help you improve security posture and operate confidently on the cloud.

Here, I have discussed the tools very briefly; the idea is to make the audience aware of these tools so that they can benefit from it. For greater details, you may dive deep on the official AWS pages.

In this post we will look at the following AWS tools from the Identity & Access domain:

  • AWS Policy Generator
  • IAM Policy Simulator
  • Web Identity Federation Playground
  • Access Advisor
  • IAM Access Analyzer
  • Access analyzer for S3

AWS Policy Generator

The AWS Policy Generator is a tool that helps you create policies that control access to AWS resources. You can create policy documents for different types of policies like IAM policy, S3 Bucket policy, SQS Queue policy, SNS Topic policy and VPC Endpoint policy. The process is quite simple - you first select a policy type, then add permission for an AWS service and finally click Generate Policy button to get a JSON policy document. The Policy Generator tool is kind of similar to the Visual Editor in AWS console that allows you to create and edit a policy.

You can access the AWS Policy Generator using the link here:

IAM Policy Simulator

AWS provides you with a Policy Simulator tool that helps you test and troubleshoot policies in your AWS environment. The tool makes it easier for you to test the effects of policies before deploying them into production. You can quickly author new policies or test existing ones without struggling with Access Denied errors. You simply select an IAM entity (user, group or role), choose the policy that you want to evaluate, select an action to simulate, and click the Run Simulation button to see the result.

You can access the AWS Policy Simulator using the link here (you need to be signed-in to your AWS account):

Web Identity Federation Playground

Web identity federation basically allows you to access AWS services using a web identity provider such as Amazon, Google or Facebook. To see how it works, look at Web Identity Federation Playground from AWS. This tool lets you explore three key steps of web identity federation. First, you authenticate with an identity provider (Amazon, Google or Facebook). Second, you obtain temporary security credentials. Lastly, you make calls to AWS resources using the obtained credentials. You can see the request and response on the page while you perform the given steps.

You can access the Web Identity Federation Playground using the link here:

Access Advisor

Access Advisor gives you information on policies that were last accessed by an IAM entity (users, groups, roles and policies). Access Advisor, in the IAM console, shows the services that an IAM identity can access and when those services were last accessed. You can review this data to revoke unused permissions. This helps you to adhere to the principle of least privilege.

IAM Access Analyzer

IAM Access Analyzer is a tool that monitors access to your AWS resources. This AWS tool basically provides you three key capabilities: First, it helps you identify resources that are shared with an external entity. Second, it helps validate IAM policies against policy grammar and best practices. You can see Access Analyzer in action while creating or editing a policy in IAM console, where you can view policy validation check findings that include security warnings, errors and suggestions for your policy. Third, it can generate IAM policies based on access activity by an IAM entity (user or role) in AWS CloudTrail logs. You can see this in the "Generate policy based on CloudTrail events" section on the Permissions tab of an IAM user or an IAM role.

AWS IAM Access Analyzer is powered by Zelkova, which is another AWS tool that uses automated reasoning to analyze policies. You can read more about Zelkova here.

Access analyzer for S3

Access analyzer for S3 is a tool from AWS that helps organizations minimize the risk of S3 bucket data leaks. This AWS tool alerts you to S3 buckets on two critical security risks: 1) Buckets with public access (those buckets that can be accessed by anyone on the internet) and 2) Buckets with access from other AWS accounts (those buckets that are conditionally shared with other AWS accounts).

You can even preview and validate access to your S3 bucket before deploying your policy. This helps you validate public and cross-account access to your bucket before you save your policy. To preview access, in the S3 console, open the Edit bucket policy page and draft a policy. Under Preview external access, choose an existing account analyzer and then click on Preview button. Access Analyzer generates a preview of findings for access to your bucket.

Closing Thoughts

Go check out these cool AWS tools today and run your solutions securely on the cloud!

Top comments (0)