Automating AWS IAM remediation in Python


Since automating IAM remediation requires parsing JSON policy documents over and over, modularizing your parsing function(s) will save you time as you work on each control. If you have controls that pertain to trust policies, you will need a separate function to parse those, since their format differs from that of permission policies. By Cody Bench.

Automating IAM policy remediation is no walk in the park. A development team must:

  • Identify the controls to be remediated
  • Build a program that pulls down and parses out the roles and policies
  • Validate the permission and trust policies against the necessary controls
  • Perform the required remediation - which may include checking action history
  • Rebuild the JSON document
  • Deploy the remediated artifacts per your company’s or client’s workflow
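As an added illustration of the parse, validate, remediate and rebuild steps (example code written for this summary, not from the article or its author), the block below uses separate parsers for permission and trust policies, checks one constructed control for each (wildcard actions, wildcard principals), and rebuilds the permission document. Policy documents and control names are constructed for this example; nothing is fetched from AWS.

```python
"""Added example: parse IAM permission and trust policies, check one
control each, and rebuild a remediated permission document."""
import json
# Constructed sample permission policy; the second statement is over-broad.
PERMISSION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Allow", "Action": ["s3:*", "ec2:DescribeInstances"], "Resource": "*"}]})
# Constructed sample trust policy; note Principal instead of Resource.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"}]})

def _as_list(value):
    """IAM accepts a bare string or a list for most fields; normalize to a list."""
    return value if isinstance(value, list) else [value]

def parse_permission_policy(doc: str) -> list[dict]:
    """Return statements with Action and Resource normalized to lists."""
    return [{"Effect": s["Effect"], "Action": _as_list(s.get("Action", [])),
             "Resource": _as_list(s.get("Resource", []))}
            for s in _as_list(json.loads(doc)["Statement"])]

def parse_trust_policy(doc: str) -> list[dict]:
    """Return statements with Principal flattened to 'Type:value' entries."""
    out = []
    for s in _as_list(json.loads(doc)["Statement"]):
        principal = s.get("Principal", {})
        # Principal is either the bare string "*" or a dict of type -> value(s).
        entries = ["*"] if principal == "*" else [f"{k}:{v}" for k, vals in principal.items() for v in _as_list(vals)]
        out.append({"Effect": s["Effect"], "Principal": entries, "Action": _as_list(s.get("Action", []))})
    return out

def wildcard_actions(stmt: dict) -> list[str]:
    """Constructed control: Allow statements must not grant '*' or 'service:*'."""
    if stmt["Effect"] != "Allow":
        return []
    return [a for a in stmt["Action"] if a == "*" or a.endswith(":*")]

def wildcard_principals(stmt: dict) -> list[str]:
    """Constructed control: trust statements must not allow any principal at all."""
    return [p for p in stmt["Principal"] if p in ("*", "AWS:*")]

def remediate_permission_policy(doc: str) -> str:
    """Drop wildcard actions and rebuild the JSON; statements left empty are removed."""
    kept = []
    for stmt in parse_permission_policy(doc):
        bad = wildcard_actions(stmt)
        actions = [a for a in stmt["Action"] if a not in bad]
        if actions:
            kept.append({**stmt, "Action": actions})
    return json.dumps({"Version": json.loads(doc).get("Version", "2012-10-17"), "Statement": kept}, indent=2)
```

Statements whose only grants were wildcards are dropped rather than left as empty Allow statements, which IAM would reject on upload.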

Having any way to access the historical data for the roles and/or policies you are remediating is a huge win when implementing least privilege. A stakeholder will need to decide the cutoff for the last time an action was used or a resource was accessed, whether that be a few months or a year prior to remediation. Excellent read!
