Visualize Access Paths within AWS using "FSecure’s awspx"
awspx is an opensource tool developed by FSecure, which analyses access paths within AWS and help to visualize access control relationships and discover potential attack paths between AWS resources.
Configuring and managing AWS environment for least privilege access is really hard, because of multitude of services, policies, roles and actions and their delicate balance to be struck of usability, maintainability and security.
A visualization tool like awspx can help grasp what's actually going on in your AWS environment and provide valuable insight into your infrastructure; allowing you to make important access control decisions.
In order to run awspx, you need authenticated access to an AWS environment, so it isn't really an offensive utility. However, it's a great tool for whitebox testing and developing an understanding of AWS, especially in the context of your organization.
Whatever services you need access to, you can implement appropriate permissions to ensure least privilege.
For example, if you need to start or stop EC2 instances, just have the ec2:RebootInstances, ec2:StartInstances and ec2:StopInstances actions in a custom policy, rather than use the built-in AmazonEC2FullAccess policy.
Wildcard permissions are particularly dangerous as it's easy to accidentally give more permissions than necessary. Similarly, using default policies can be misleading and doesn't necessarily mean the access you may think.
For example, the CloudWatchFullAccess policy actually gives complete access (sns:*) over the SNS service for all resources, which may be overkill for your use case.
You could memorise the default policies and their actions, but there are far too many. Instead, it's better to analyze the actions and gauge whether the access is appropriate. Using custom policies can help to truly implement least privilege access control within your organization.
awspx can be installed on either Linux or macOS. In each case Docker is required.
Clone this repo
git clone https://github.com/FSecureLABS/awspx.git
Run the INSTALL script
cd awspx && ./INSTALL
awspx consists of two main components: the ingestor, which collects AWS account data; and the web interface, which allows you to explore it.
Run the ingestor against an account of your choosing. You will be prompted for AWS credentials.
Browse to the web interface — http://localhostipaddress to access the awspx UI
After data ingestion, when you navigate to the web interface, you can search for specific resources (like S3 buckets, IAM users, and IAM policies)
Here you can query the nodes for paths and actions between specific resources to visualize any relationships or attack paths.
You can toggle between:
Paths-based and actions-based search: showing the relationship between resources and the actions allowed between resources
Direct and Effective search: showing whether possible attack and escalation paths are shown
You can add filters, limit results and also control HOPS to get to the precise data visualization of your AWS environment.
Every user/resource has 5 access attributes – inbound paths, outbound paths, actions, inbound actions and outbound actions. Provides a detailed access visualization.
Inbound paths The inbound paths show what other resources can get to this resource.
Outbound paths Outbound paths show what other items a resource can reach. This can be useful for understanding the impact of a misconfigured resource, as well as understanding the potential paths for escalation.
Actions Actions underpin cloud access control, yet terminology may change slightly depending on the provider. In AWS, they are fundamental for resource permissions.
They typically follow the format Service:VerbResource.
For example, s3:GetBucket or s3:DeleteObject.
You can view actions in awspx to understand what actions can be executed to and from the chosen resource.
Inbound actions The inbound action gives a fantastic insight into tangible interactions with a resource. It clearly links the relationships between resources with a comprehensive drill-down feature, allowing you to see exactly what actions are allowed or explicitly denied.
The inbound actions provide a powerful visualization of valuable information – something that cloud providers are missing natively.
Outbound actions show what actions this resource has on other resources. Again, this is an incredibly useful insight to visualize the impact and effect the chosen resource has.
Doing this on policies can help visualize and understand their impact.
By default, the Neo4j database is available at http://localhost:7474.
Neo4j is an open-source, NoSQL, native graph database that provides an ACID-compliant transactional backend for your applications.
awspx not only helps you to visualize access controls for any size of AWS environment, but also draws access relationships and unwanted access paths to other AWS resources. This helps you to establish decision-based access control and achieve least privilege access model.
On the other hand, awspx can be used as interactive access audit tool.