
Add user access revocation support

Open gene1wood opened this issue 7 years ago • 1 comment

In the case where a user's access is revoked by the IdP, this tool should notice this and revoke the associated AWS rights.

Or maybe this should happen through another pathway not controlled on the users endpoint (e.g. an integration directly between the IdP and AWS that notices a revocation and actively invalidates outstanding STS credentials.)

https://hackmd.io/-gy2I9uKR_SS1Rdv6BnX8g?view


Session revocation document

{
    "groups": [
        "team_opsec",
        "team_hr"
    ],
    "time": "30 minutes ago",
    "action": "revoke"
}
  • groups : A list of group names
  • time : A datetime parseable by python dateparser
  • action : Either revoke or cleanup

Session Revoker Lambda Function Logic

  1. Parse session revocation document
  2. Fetch all IAM roles in the AWS account
  3. Iterate over the trust policies for each policy associated with each IAM role
    • Check if the trust policy trusts the Mozilla federated identity provider. If it does not, move on to the next IAM role
    • Check the conditions to see if they contain any of the groups listed in the groups key of the session revocation document
    • If the trust policy does not contain any of the groups move on to the next IAM role
  4. Modify the role and add an inline policy which denies all actions (*:*) where the aws:TokenIssueTime is less than the time value in the session revocation document
  5. Create a CloudWatch/EventBridge Rule to clean up the deny policy
    • The name of the rule contains a GUID that the function generates
    • The time of the CloudWatch Rule's schedule expression should be the duration of the maximum session length of an STS credential, in the future. So if the max STS session was 3 days, the schedule expression would be 3 days in the future
    • The CloudWatch Rule invokes the session revoker lambda function passing it a document like
      {
          "groups": [
              "team_opsec",
              "team_hr"
          ],
          "rule_id": "the GUID generated",
          "action": "cleanup"
      }
      

Session Revoker Lambda Function Clean Up Logic

When the session revoker lambda function runs with the cleanup action it does the following steps:


  1. Fetch all IAM roles in the AWS account
  2. Iterate over the inline policies for all the roles, checking if the policy is a revocation policy (contains an aws:TokenIssueTime condition and deny)
  3. Check if the TokenIssueTime is older than the maximum STS session length; if so delete the inline policy, if not do nothing
  4. Finally the lambda function deletes the CloudWatch/EventBridge rule that triggered it using the GUID in rule_id to identify the correct rule

gene1wood avatar Dec 10 '18 18:12 gene1wood
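The decision logic of the revoke and cleanup flows described in the issue, as an added example that is not code from mozilla-aws-cli or from the issue author. It keeps the AWS API calls (listing roles, putting and deleting inline policies, creating the EventBridge rule) out so it runs offline; the IdP ARN, the claim key matched in trust-policy conditions, the inline policy name and the sample trust policies are constructed assumptions, and the relative-time parser is a small stand-in for python dateparser.

```python
"""Session revoker decision logic (added example; AWS calls omitted)."""
import re
from datetime import datetime, timedelta, timezone

# Assumptions: the federated IdP ARN and the condition key that carries group
# names in role trust policies. Real Mozilla values are not on the page.
IDP_ARN = "arn:aws:iam::123456789012:saml-provider/example-idp"
GROUP_CLAIM_KEY = "example-idp:groups"
REVOCATION_POLICY_NAME = "SessionRevocation"   # constructed inline policy name
MAX_STS_SESSION = timedelta(days=3)            # the 3-day example from the issue

_RELATIVE = re.compile(r"^(\d+)\s+(minute|hour|day)s?\s+ago$")


def parse_time(value, now):
    """Stand-in for dateparser: accepts ISO 8601 or '<n> <minutes|hours|days> ago'."""
    m = _RELATIVE.match(value.strip())
    if m:
        return now - timedelta(**{m.group(2) + "s": int(m.group(1))})
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_revocation_document(doc, now):
    """Step 1: validate the document and normalise time / group fields."""
    if doc.get("action") not in ("revoke", "cleanup"):
        raise ValueError("action must be revoke or cleanup")
    groups = doc.get("groups")
    if not isinstance(groups, list) or not groups:
        raise ValueError("groups must be a non-empty list")
    parsed = {"action": doc["action"], "groups": set(groups)}
    if doc["action"] == "revoke":
        parsed["time"] = parse_time(doc["time"], now)
    else:
        parsed["rule_id"] = doc["rule_id"]
    return parsed


def _as_list(v):
    return v if isinstance(v, list) else [v]


def trust_policy_matches(trust_policy, groups):
    """Step 3: the role trusts the IdP and its conditions name a revoked group."""
    for stmt in _as_list(trust_policy.get("Statement", [])):
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if IDP_ARN not in federated:
            continue
        for operator_values in stmt.get("Condition", {}).values():
            for key, values in operator_values.items():
                if key == GROUP_CLAIM_KEY and set(_as_list(values)) & groups:
                    return True
    return False


def roles_to_revoke(roles, groups):
    """Return the names of roles whose trust policy matches; roles is
    a list of (role_name, trust_policy_dict) as IAM would return them."""
    return [name for name, policy in roles if trust_policy_matches(policy, groups)]


def _iso(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_revocation_policy(revoke_time):
    """Step 4: deny everything to sessions whose token was issued before revoke_time."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": _iso(revoke_time)}},
        }],
    }


def revocation_cutoff(policy):
    """Cleanup step 2: return the aws:TokenIssueTime cutoff of a revocation
    policy (Deny + DateLessThan on aws:TokenIssueTime), or None otherwise."""
    for stmt in _as_list(policy.get("Statement", [])):
        cond = stmt.get("Condition", {}).get("DateLessThan", {})
        if stmt.get("Effect") == "Deny" and "aws:TokenIssueTime" in cond:
            return parse_time(cond["aws:TokenIssueTime"], None)
    return None


def should_delete_revocation_policy(policy, now):
    """Cleanup step 3: once no session issued before the cutoff can still be
    alive (cutoff + max STS session length has passed), the deny is dead weight."""
    cutoff = revocation_cutoff(policy)
    return cutoff is not None and cutoff + MAX_STS_SESSION <= now


# Constructed sample data matching the document in the issue.
SAMPLE_NOW = datetime(2018, 12, 10, 18, 0, tzinfo=timezone.utc)
SAMPLE_REVOKE_DOC = {"groups": ["team_opsec", "team_hr"],
                     "time": "30 minutes ago", "action": "revoke"}
SAMPLE_ROLES = [
    ("OpsecAdmin", {"Statement": [{"Effect": "Allow",
        "Principal": {"Federated": IDP_ARN}, "Action": "sts:AssumeRoleWithSAML",
        "Condition": {"ForAnyValue:StringEquals": {GROUP_CLAIM_KEY: ["team_opsec"]}}}]}),
    ("ServiceRole", {"Statement": [{"Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}),
]
```

The cutoff comparison in should_delete_revocation_policy is the part worth getting right: a session issued a second before the cutoff can live for the full maximum session length, so the deny must stay until cutoff plus that maximum, not just until the cutoff itself.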

Seems like good fodder for a cloudwatch event that periodically scans auth0 and revokes any outstanding tokens.

andrewkrug avatar Dec 10 '18 21:12 andrewkrug