IAM Safety

    Overview

    Dome9 IAM Safety protects AWS cloud accounts by restricting user access to AWS services: AWS IAM users must be explicitly granted permission by a Dome9 account administrator in order to access these services. This hardens the AWS account console and prevents users from making unauthorized or accidental changes to account settings without the knowledge and authorization of an administrator. Users can still access the account to view settings without restriction (subject to their AWS permissions).

    IAM users who need to access protected services must open an authorization window for themselves using the Dome9 mobile app. The window lasts for a limited period of time. All actions taken by an IAM user are logged and appear in the Audit Trail.

    How it works

    Dome9 IAM Safety protects AWS services, or specific actions of those services. To set up IAM Safety on Dome9, you configure a new IAM policy on your AWS account (for example, Dome9-Restricted-Policy) with permissions that allow Dome9 to control AWS services. You then select the AWS services or actions that Dome9 will protect (services and actions that are not protected remain freely accessible to users, according to their AWS permissions). Finally, you apply Dome9 protection to the IAM users of the AWS account who require access to the protected services or actions. These users must install the Dome9 mobile app, pair it with their Dome9 account, and then use the app to grant themselves temporary access to perform actions on protected AWS services.

    To perform an action on a protected service, the IAM user uses the mobile app to grant themselves temporary access. During this access time, the user can perform the action on the AWS service. When the time period has elapsed, the service reverts to protected, and the user is again blocked from performing actions on it. Each grant of access is one-time and time-limited (the duration is configured in the app).


    Considerations

    Dome9 recommends that certain categories of actions and services be protected by IAM Safety. These are grouped as Templates when you set up IAM Safety, and cover Computing, Networking, Security & Identity, Storage, and Database actions. In addition, it is recommended to lock down services and actions that are not used very often and/or are irreversible once performed: for example, the IAM, Route53 and KMS services, or actions such as changing S3 bucket permissions, deleting buckets, and deleting EBS snapshots.


    What you need

    The user must install the Dome9 mobile app on their mobile device and pair the device with their Dome9 account. The AWS account must be in Dome9 full protection operation mode (see Onboard an AWS Account), and the Dome9-Restrict-Policy must be configured on it.


    Protected vs Protected with Elevation

    You can protect a service in two ways.

    Protected - the user/role cannot perform protected actions on the AWS service under any circumstance. The user or role can only perform these actions if the admin user permanently removes the protection from it.

    Protected with Elevation - the user can grant themselves temporary access to perform protected actions on the AWS service in the account, using the mobile app.

    Tamper protection

    IAM users or roles that are protected with IAM Safety are also protected against tampering. These users and roles are placed in restricted groups or policies in AWS (this is part of the way Dome9 implements the protection). Any attempt to remove a user or role from these groups or policies through the AWS console (rather than through Dome9) is detected by Dome9, logged in the Audit Trail, and rolled back.
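    The detection side of this tamper protection, as an added illustration rather than Dome9's own code: the script scans CloudTrail records for the IAM API calls that would pull a user or role out of the restricting group or policy, ignores changes made by the Dome9 principal itself, and names the call that restores the protection. The group name "Dome9-Restricted-Group" and the Dome9 role ARN are hypothetical placeholders; the sample records are constructed.

```python
import json

# Hypothetical placeholders: the restricting group/policy Dome9 is assumed to
# manage (matched by name prefix) and the principal Dome9 itself acts as.
PROTECTED_PREFIX = "Dome9-Restricted"
DOME9_ARN = "arn:aws:iam::123456789012:role/Dome9-Connect"

# CloudTrail eventName values (real IAM API names) that strip a user or role
# out of a group/policy, mapped to the call that puts the protection back.
ROLLBACK = {
    "RemoveUserFromGroup": "AddUserToGroup",
    "DetachUserPolicy": "AttachUserPolicy",
    "DetachRolePolicy": "AttachRolePolicy",
}

def detect_tampering(cloudtrail_lines, prefix=PROTECTED_PREFIX, dome9=DOME9_ARN):
    """Scan CloudTrail records (one JSON object per line) and return every
    change to the restricting group/policy that was not made by Dome9."""
    findings = []
    for line in cloudtrail_lines:
        ev = json.loads(line)
        name = ev.get("eventName")
        if name not in ROLLBACK:
            continue
        params = ev.get("requestParameters") or {}
        target = params.get("groupName") or params.get("policyArn") or ""
        if prefix not in target:
            continue            # a change to some unrelated group/policy
        actor = ev.get("userIdentity", {}).get("arn", "")
        if actor == dome9:
            continue            # made through Dome9 itself, not tampering
        findings.append({
            "time": ev.get("eventTime"),
            "actor": actor,
            "action": name,
            "subject": params.get("userName") or params.get("roleName"),
            "rollback": ROLLBACK[name],
        })
    return findings

# Constructed sample records, trimmed to the fields the detector reads.
SAMPLE_EVENTS = [
    '{"eventTime":"2024-01-10T09:00:00Z","eventName":"RemoveUserFromGroup","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"groupName":"Dome9-Restricted-Group","userName":"bob"}}',
    '{"eventTime":"2024-01-10T09:01:00Z","eventName":"RemoveUserFromGroup","userIdentity":{"arn":"arn:aws:iam::123456789012:role/Dome9-Connect"},"requestParameters":{"groupName":"Dome9-Restricted-Group","userName":"carol"}}',
    '{"eventTime":"2024-01-10T09:02:00Z","eventName":"DetachRolePolicy","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"roleName":"Deployer","policyArn":"arn:aws:iam::123456789012:policy/Dome9-Restricted-Policy"}}',
    '{"eventTime":"2024-01-10T09:03:00Z","eventName":"RemoveUserFromGroup","userIdentity":{"arn":"arn:aws:iam::123456789012:user/alice"},"requestParameters":{"groupName":"Developers","userName":"bob"}}',
]

if __name__ == "__main__":
    for finding in detect_tampering(SAMPLE_EVENTS):
        print(finding)
```

Only the two changes by alice against the Dome9-Restricted group and policy are reported; the change Dome9 made itself and the change to the unrelated Developers group are not.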


    Benefits

    • Reduce unauthorized or accidental access to AWS accounts to modify settings or entities

    • Control who can make changes to AWS account settings

    • Require an additional authorization factor (the mobile app on the user's mobile device) to grant access

    • Access permissions are temporary, and are automatically removed at the end of the authorization window

    • Full audit trail of access to sensitive services

    Use-cases

    • An AWS IAM user account needs to change settings on the AWS account, or add or modify cloud entities associated with the account or its VPCs.


    Actions

    Add an AWS cloud account to be managed by Dome9 IAM Safety

    To set up your Dome9 account to manage IAM user access to an AWS account, you must configure a policy in the AWS account that permits your Dome9 account to manage IAM users.

    1. Navigate to the IAM Safety main page, and click GET STARTED.

    2. Select the AWS services and actions to be managed by your Dome9 account from the list of services. The list of services expands, to show specific actions. Alternatively, select one or more templates (aggregate groups of services). After making your selections, click COPY TO CLIPBOARD, and then click NEXT.

    3. Follow the steps described in the next screen, to create a new policy and group on your AWS account, which permits your Dome9 account to manage AWS IAM users. Copy the Policy and Group ARNs from the AWS console, and paste them in the appropriate places on this screen, and then click NEXT.

      Note: carefully review the services and actions that you have selected for protection before proceeding to the next step. Once you have set up the policy for these services, there is no simple way to make changes to it.

    4. Select the AWS account to be managed by Dome9, and then click NEXT.

    5. Connect the IAM Safety policy with the account. Follow the on-screen instructions, and then click NEXT.

    6. Dome9 connects to your AWS account and attempts to assume control of the selected services. If this succeeds, a confirmation message is displayed.


    Protect an IAM User or Role

    After the AWS account has been configured to enable Dome9 IAM Safety, you must set protection for each of the account users.

    Note: until you apply protection to an IAM user, the user can access the protected AWS services without restriction. It is important to apply protection to all IAM users immediately after configuring Dome9 IAM Safety on the account.

    1. Navigate to the IAM Safety main page, and then select the IAM Users tab. This shows a list of the IAM (AWS) users of the AWS account. The protection status of each user is also shown (initially all are Not Protected).

    2. Click PROTECT next to a user to apply Dome9 IAM Safety protection to the user. This user will now be able to access protected AWS services on the AWS account only according to the protection you set.

    3. Select the type of protection to apply to the user, then click SAVE. Protected restricts the user from accessing protected AWS services. Protected With Elevation allows the IAM user to open an authorization window on the AWS account using the Dome9 mobile app. Also select a Dome9 user; this user must be paired with the mobile device and app (see Dome9 Mobile App). This ensures that only authorized users can open an authorization window.

    4. You can apply protection to IAM Roles in the same way. Select the IAM Roles tab.

    5. To protect all IAM users, click PROTECT ALL. This applies Protect type protection to all IAM users. To change the protection for any of these users, for example to Protect With Elevation, select and then Change Protection.

    6. To remove an IAM User (or Role) from protection, select opposite the User or Role, and then select . Similarly, to change the protection level (for example, from Protected to Protected With Elevation), select Change Protection.
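    A coverage check for the note above (apply protection to every IAM user immediately), added here as an example and not part of Dome9's own tooling: it walks a snapshot shaped like the parts of `aws iam get-account-authorization-details` that matter and lists the users that are in neither the restricting group nor attached to the restricting policy, and the roles without that policy, so an admin knows whom to PROTECT. The group name "Dome9-Restricted-Group" and the policy ARN are hypothetical placeholders; the snapshot is constructed.

```python
# Hypothetical placeholders for the restricting group and policy that the
# IAM Safety setup creates on the account.
PROTECTED_GROUP = "Dome9-Restricted-Group"
PROTECTED_POLICY_ARN = "arn:aws:iam::123456789012:policy/Dome9-Restricted-Policy"

def _attached(principal):
    """Set of managed policy ARNs attached directly to a user or role."""
    return {p["PolicyArn"] for p in principal.get("AttachedManagedPolicies", [])}

def unprotected_principals(details, group=PROTECTED_GROUP,
                           policy_arn=PROTECTED_POLICY_ARN):
    """Return the IAM users and roles that still have no IAM Safety
    restriction applied. Service-linked roles (path /aws-service-role/)
    are AWS-managed and are skipped."""
    users = [u["UserName"] for u in details.get("UserDetailList", [])
             if group not in u.get("GroupList", [])
             and policy_arn not in _attached(u)]
    roles = [r["RoleName"] for r in details.get("RoleDetailList", [])
             if r.get("Path", "/") != "/aws-service-role/"
             and policy_arn not in _attached(r)]
    return {"users": users, "roles": roles}

# Constructed snapshot: alice is in the group, carol has the policy attached
# directly, bob has neither; DataPipeline is the only unprotected role.
SAMPLE_DETAILS = {
    "UserDetailList": [
        {"UserName": "alice", "GroupList": ["Dome9-Restricted-Group", "Developers"],
         "AttachedManagedPolicies": []},
        {"UserName": "bob", "GroupList": ["Developers"], "AttachedManagedPolicies": []},
        {"UserName": "carol", "GroupList": [],
         "AttachedManagedPolicies": [{"PolicyName": "Dome9-Restricted-Policy",
                                      "PolicyArn": PROTECTED_POLICY_ARN}]},
    ],
    "RoleDetailList": [
        {"RoleName": "Deployer", "Path": "/",
         "AttachedManagedPolicies": [{"PolicyName": "Dome9-Restricted-Policy",
                                      "PolicyArn": PROTECTED_POLICY_ARN}]},
        {"RoleName": "DataPipeline", "Path": "/",
         "AttachedManagedPolicies": [{"PolicyName": "AmazonS3FullAccess",
                                      "PolicyArn": "arn:aws:iam::aws:policy/AmazonS3FullAccess"}]},
        {"RoleName": "AWSServiceRoleForSupport", "Path": "/aws-service-role/",
         "AttachedManagedPolicies": []},
    ],
}

if __name__ == "__main__":
    print(unprotected_principals(SAMPLE_DETAILS))
```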


    Invite (add) Dome9 users

    As a Dome9 account admin, you can invite other (regular) Dome9 users to install the Dome9 mobile app. They will use the mobile app to open authorization windows to the AWS account. You can invite users only after configuring your Dome9 account for IAM Safety.

    You only need to invite users who have Protect With Elevation protection. Users with Protect only protection cannot authorize access to the AWS account, and so do not need the mobile app.

    1. Navigate to the IAM Safety main page, and then select the Dome9 Users tab.

    2. Select a user in the list, and click INVITE USER. An email invitation will be sent to this Dome9 user, to become an IAM User.

    3. The recipient user should click on the link.

    4. The user should install the Dome9 mobile app (see Dome9 Mobile App).

    5. To remove a user from IAM Safety, click CANCEL INVITATION.


    Open an authorization window

    An AWS IAM user can open a temporary authorization window to access an AWS service, using the Dome9 mobile app. The IAM user must have the Dome9 mobile app installed and paired to the Dome9 account (see Dome9 Mobile App), and this account and user must have Protect With Elevation protection on the AWS account.

    1. Open the mobile app, and select IAM Safety from the main menu.

    2. Tap on a Role or User in the list, to grant an authorization window to access the AWS service. The duration of the window will be indicated. The size of the authorization window can be configured in the Settings page of the app.