Cloud Access and Permissions - SethBodine/audit-tools GitHub Wiki

# Cloud Access and Permissions
## AWS

- Create a Policy Group `IAM-Audit-Group`
- Assign the following Policies to `IAM-Audit-Group`:
  - `arn:aws:iam::aws:policy/ReadOnlyAccess`
  - `arn:aws:iam::aws:policy/SecurityAudit`

Optionally, create and assign the custom policy named `IAM-Audit-MFASelfManage` to allow MFA self-registration:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": "iam:ListVirtualMFADevices",
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}
      }
    }
  ]
}
```
- Create an IAM identity and assign it to the Policy Group `IAM-Audit-Group`
- Create an Access Key for the account for use in the CLI

Optionally, create and assign the custom policy named `IAM-Audit-ManageOwnAccessKeys` to allow a user to self-manage Access Keys:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:GetUser",
        "iam:ListAccessKeys",
        "iam:TagUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    }
  ]
}
```

- Enable MFA (either managed during a session with an Admin, or directly if the optional Policy is granted).
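The two optional policies above are easy to misread, in particular the `BoolIfExists` Deny statement, which also fires for requests signed with a plain long-term access key (the `aws:MultiFactorAuthPresent` key is simply absent there). The following script is an added example, not code from the audit-tools project or from AWS: it implements just enough of the IAM evaluation rules (explicit Deny wins, implicit Deny otherwise, `Action`/`NotAction`, wildcards, `${aws:username}` substitution, `BoolIfExists`) to show what an auditor with these policies can and cannot do at each step. The `READ_ONLY_STUB` policy, the account id `123456789012` and the user name `auditor` are constructed stand-ins; SCPs, resource policies and other condition operators are out of scope.

```python
"""Offline check of how the custom policies above combine with ReadOnlyAccess.
Added example, not code from the audit-tools project. Only the IAM rules these
policies rely on are implemented; everything else is out of scope."""
import fnmatch

MFA_SELF_MANAGE = {  # IAM-Audit-MFASelfManage, copied from the page
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
         "Action": "iam:ListVirtualMFADevices", "Resource": "*"},
        {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
         "Action": ["iam:CreateVirtualMFADevice", "iam:DeleteVirtualMFADevice"],
         "Resource": "arn:aws:iam::*:mfa/${aws:username}"},
        {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
         "Action": ["iam:DeactivateMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                    "iam:ListMFADevices", "iam:ResyncMFADevice"],
         "Resource": "arn:aws:iam::*:user/${aws:username}"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
                       "iam:ListMFADevices", "iam:ListVirtualMFADevices",
                       "iam:ResyncMFADevice", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}
MANAGE_OWN_KEYS = {  # IAM-Audit-ManageOwnAccessKeys, copied from the page
    "Version": "2012-10-17",
    "Statement": [{"Sid": "CreateOwnAccessKeys", "Effect": "Allow",
                   "Action": ["iam:CreateAccessKey", "iam:GetUser",
                              "iam:ListAccessKeys", "iam:TagUser"],
                   "Resource": "arn:aws:iam::*:user/${aws:username}"}],
}
READ_ONLY_STUB = {  # constructed stand-in for the managed ReadOnlyAccess policy
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ec2:Describe*", "iam:Get*", "iam:List*", "s3:ListAllMyBuckets"]}],
}
POLICIES = [READ_ONLY_STUB, MFA_SELF_MANAGE, MANAGE_OWN_KEYS]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, username):
    """IAM-style match: '*' and '?' are wildcards, ${aws:username} is expanded first."""
    return any(fnmatch.fnmatchcase(value, p.replace("${aws:username}", username))
               for p in _as_list(patterns))


def _condition_holds(condition, context):
    """BoolIfExists only: an absent context key counts as a match (the 'IfExists' rule)."""
    for operator, pairs in (condition or {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)
        for key, wanted in pairs.items():
            if key in context and str(context[key]).lower() != wanted.lower():
                return False
    return True


def evaluate(policies, action, resource, username, context):
    """Return 'Allow' or 'Deny' for one request against identity-based policies."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if "Action" in stmt:
                applies = _matches(stmt["Action"], action, username)
            else:  # NotAction: the statement covers every action NOT listed
                applies = not _matches(stmt["NotAction"], action, username)
            if not (applies and _matches(stmt["Resource"], resource, username)
                    and _condition_holds(stmt.get("Condition"), context)):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "Deny"  # implicit Deny when nothing allows


USER = "auditor"  # constructed user name and account id
OWN_USER = f"arn:aws:iam::123456789012:user/{USER}"
OWN_MFA = f"arn:aws:iam::123456789012:mfa/{USER}"
OTHER_USER = "arn:aws:iam::123456789012:user/someone-else"
NO_MFA = {"aws:MultiFactorAuthPresent": "false"}   # console session without MFA
WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}  # session obtained with an MFA code
ACCESS_KEY = {}  # long-term access key: the context key is absent altogether


def scenarios():
    """Decisions for the situations an auditor hits while following the steps above."""
    cases = {
        "enroll own MFA device before any MFA exists": ("iam:CreateVirtualMFADevice", OWN_MFA, NO_MFA),
        "describe EC2, no MFA": ("ec2:DescribeInstances", "*", NO_MFA),
        "describe EC2, with MFA": ("ec2:DescribeInstances", "*", WITH_MFA),
        "create own access key, no MFA": ("iam:CreateAccessKey", OWN_USER, NO_MFA),
        "create own access key, with MFA": ("iam:CreateAccessKey", OWN_USER, WITH_MFA),
        "create another user's access key, with MFA": ("iam:CreateAccessKey", OTHER_USER, WITH_MFA),
        "list buckets with a plain access key": ("s3:ListAllMyBuckets", "*", ACCESS_KEY),
    }
    return {name: evaluate(POLICIES, a, r, USER, ctx) for name, (a, r, ctx) in cases.items()}


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{decision:5}  {name}")
```

Two results matter for the procedure on this page. First, with `IAM-Audit-MFASelfManage` attached, the user can enroll their own MFA device but cannot create an access key until MFA is present, so either an Admin handles MFA in a shared session or the user enrolls first and creates the key from an MFA-backed session. Second, a plain access key is denied for everything except the listed MFA actions and `sts:GetSessionToken`; that call is on the `NotAction` list precisely so the CLI user can exchange the key plus an MFA code for temporary credentials that carry `aws:MultiFactorAuthPresent=true`, which is what the audit tools should then use.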
## Azure

### Identity

The default (original) tenant domain carries the `[tenantname].onmicrosoft.com` suffix. Requesting an account against this domain, e.g. `[email protected]`, limits the use of this account and makes it less likely to be confused with a valid user within the customer's domain.

### Entra ID (M365)

The following permissions should be assigned; current limitations as of August 2024 are listed under Built-in Role Limitations below.

- Security Reader
- Global Reader

### Azure Subscriptions

The following permissions should be assigned; current limitations as of August 2024 are listed under Built-in Role Limitations below.

- Reader
- Security Reader
### Built-in Role Limitations

#### Global Reader

- OneDrive admin center - the OneDrive admin center does not support the Global Reader role.
- Microsoft 365 Defender portal - Global Reader can't read SCC audit logs, do content search, or see Secure Score.
- Teams admin center - Global Reader cannot read Teams lifecycle, Analytics & reports, IP phone device management, and App catalog. For more information, see Use Microsoft Teams administrator roles to manage Teams.
- Privileged Access Management doesn't support the Global Reader role.
- Azure Information Protection - Global Reader is supported for central reporting only, and only when your Microsoft Entra organization isn't on the unified labeling platform.
- SharePoint - Global Reader has read access to SharePoint Online PowerShell cmdlets and Read APIs.
- Power Platform admin center - Global Reader is not yet supported in the Power Platform admin center.
- Microsoft Purview doesn't support the Global Reader role.

#### Reader

The Reader role grants read access to resources of all types, except secrets.
### Power Portal/Apps

Note: It is not recommended that this be included unless extreme care is taken.

- Power Platform Administrator

### Dynamics 365

Note: It is not recommended that this be included unless extreme care is taken.

- Dynamics 365 Administrator

### SharePoint

Note: It is not recommended that this be included unless extreme care is taken.

- SharePoint Administrator

### Device Codes

It was noted that, with the recent changes to Conditional Access Policies as of February 2024, Microsoft recommends disabling the use of Device Codes, as per the article linked here.
## Google Cloud

- Create a new account against the Google Workspace.
- Assign the Super Admin role to the account.
- Ensure that 2FA is configured at the initial login; this may require a screen-share session to scan a QR code.
## Oracle Cloud

- Create a new Group named `Audit-Group`
- Create a new Policy statement and assign it to `Audit-Group`:

  ```
  allow group 'Audit-Group' to read all-resources in tenancy
  allow group 'Audit-Group' to manage api-keys in tenancy where target.resource.id = request.user.id
  ```

- Create an identity (either in a local auth domain or in a remote SSO platform) and assign it to the group `Audit-Group`
- Log in as the new account, create an API Key pair and store the private key securely for use with the CLI client
## Alibaba Cloud

### Policy Based Configuration

- Create a new Group named `Audit-Group`
- Create a new Policy and assign it to `Audit-Group` with the following JSON:

```json
{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "*:Get*",
        "*:Audit*",
        "*:Describe*",
        "*:Query*",
        "*:List*"
      ],
      "Resource": "*"
    }
  ]
}
```
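The policy above relies on verb-shaped wildcards (`*:Get*`, `*:List*`, ...) to stay read-only, which makes later edits easy to get wrong. The following script is an added example, not code from the audit-tools project or from Alibaba Cloud: a static check that walks every `Allow` statement and flags any action pattern that could match a non-read operation. The read verbs are the five used by the page's policy; `SUSPICIOUS_POLICY` is a constructed variant that shows what a failing check looks like.

```python
"""Static read-only check for a RAM-style policy document.
Added example, not code from the audit-tools project; SUSPICIOUS_POLICY is constructed."""

READ_VERBS = ("Get", "List", "Describe", "Query", "Audit")  # the verbs the page's policy uses

AUDIT_POLICY = {  # copied from the page
    "Version": "1",
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["*:Get*", "*:Audit*", "*:Describe*", "*:Query*", "*:List*"]}],
}

SUSPICIOUS_POLICY = {  # constructed: the same policy after a careless edit
    "Version": "1",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": ["*:Get*", "ecs:*", "oss:PutObject"]},
        {"Effect": "Allow", "Resource": "*", "Action": "*"},
        {"Effect": "Deny", "Resource": "*", "Action": "ram:CreateAccessKey"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def non_read_actions(policy, read_verbs=READ_VERBS):
    """Return, in document order, every Allow action pattern that could match a non-read call.

    A pattern passes only if it has a service part and its operation part starts with a
    read verb literally: '*:Get*' passes; 'ecs:*', '*:*Get' and a bare '*' do not, because
    a leading wildcard in the operation part can match any operation name.
    """
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access, so they cannot widen it
        for pattern in _as_list(stmt.get("Action", [])):
            service, _, operation = pattern.rpartition(":")
            if not service or not operation.startswith(read_verbs):
                flagged.append(pattern)
    return flagged


if __name__ == "__main__":
    for name, policy in (("page policy", AUDIT_POLICY), ("edited policy", SUSPICIOUS_POLICY)):
        print(f"{name}: {non_read_actions(policy) or 'only read-shaped actions'}")
```

The verb check is deliberately coarse: it treats a clean result as necessary, not sufficient, since a `Get*` or `Describe*` operation can still return sensitive material (compare the Azure Reader note above about secrets). It is meant to run in review before the group policy is saved, so that a stray `ecs:*` or bare `*` is caught before the audit account is used.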
### Role Based Configuration (may not be supported by tools)

TBC

Note: Ensure that this account is disabled as soon as the review is complete; as there is a risk of changes being introduced, proceed with caution.