When a recent security article (No keys attached: Exploring GitHub-to-AWS keyless authentication flaws) was published, we immediately sprang into action to audit our environment. The article shed light on misconfigured trust policies: roles that trust the GitHub OIDC provider but do not pin the token's `sub` claim (or pin it too loosely) can be assumed by any GitHub repository, not just the organization's internal repository the role was meant for.
To our surprise, during our proactive audit, we detected an external security scan trying to assume an AWS role we had designated for GitHub Actions deployments. This was a wake-up call, emphasizing the importance of the article's findings.
Thankfully, our configuration was tight. The condition on `token.actions.githubusercontent.com:sub` in each trust policy names our own repositories (`repo:<our-org>/<repo>:*`), so only those repositories can assume the roles.
Given our unique setup within an isolated AWS organization, we deliberately allow the trailing `*` so that functional tests can run from arbitrary branches. Note what that wildcard buys: it matches any `ref`, `environment`, or `pull_request` claim for that repository, so every workflow in the repository can assume the role; a role guarding production should instead pin a single ref or environment. (For a deeper dive into this, check out the comprehensive guide from GitHub on configuring OpenID Connect in Amazon Web Services.)
However, this incident made us realize that we needed an easy way to audit all of our roles' trust policies. With a vast number of accounts in an AWS organization, there is no straightforward first-party AWS tool that searches every role's trust policy for `token.actions.githubusercontent.com:sub` and flags a missing or overly broad condition.
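To make the audit concrete, here is an added example (our own illustration, not code from the article or from IAMbic) that runs the same check over a set of trust policies: it finds statements that trust the GitHub OIDC provider, then reports a missing `sub` condition, a `sub` pattern that does not pin a specific owner and repository, an owner outside an allow-list, a wildcard placed under `StringEquals` (which IAM matches literally, so the role silently becomes unusable rather than broad), a missing `aud` pin, and the trailing-`*` "any branch" shape described above as informational. The role names, the account ID, the `example-org` owner and the sample policies are all constructed for the example; the `sub` format assumed is GitHub's default `repo:<owner>/<repo>:<selector>`, so organizations that customize the claim template would need to adjust `SUB_RE`.

```python
"""Audit IAM role trust policies for loose GitHub OIDC conditions (illustrative example)."""
import re
from typing import Any, Dict, List

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
SUB_KEY = GITHUB_OIDC_HOST + ":sub"
AUD_KEY = GITHUB_OIDC_HOST + ":aud"

# Default GitHub sub claim: "repo:<owner>/<repo>:<selector>", e.g.
# "repo:octo-org/octo-repo:ref:refs/heads/main". Owner and repo must be literal
# (no wildcards); the selector may be anything, including a lone "*".
SUB_RE = re.compile(r"^repo:([^/:*?]+)/([^/:*?]+):(.+)$")


def _as_list(value: Any) -> List[Any]:
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_github_oidc_statement(stmt: Dict[str, Any]) -> bool:
    """True for an Allow statement whose Federated principal is the GitHub OIDC provider."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return False
    federated = _as_list(principal.get("Federated"))
    return any(p.endswith("oidc-provider/" + GITHUB_OIDC_HOST) for p in federated)


def _check_sub(role_name: str, sub: str, allowed_owners) -> List[str]:
    """Grade one sub pattern: pinned owner/repo, allow-listed owner, breadth of selector."""
    match = SUB_RE.match(sub)
    if not match:
        return [f"{role_name}: CRITICAL sub {sub!r} does not pin a specific owner/repo"]
    owner, repo, selector = match.groups()
    out = []
    if owner not in allowed_owners:
        out.append(f"{role_name}: HIGH sub {sub!r} trusts owner {owner!r} outside the allow-list")
    if selector == "*":
        out.append(f"{role_name}: INFO sub {sub!r} allows any ref/environment/pull_request in {owner}/{repo}")
    return out


def audit_trust_policy(role_name: str, policy: Dict[str, Any], allowed_owners) -> List[str]:
    """Return a list of findings for one role's trust policy (empty list means clean)."""
    findings: List[str] = []
    for stmt in _as_list(policy.get("Statement")):
        if not _is_github_oidc_statement(stmt):
            continue
        cond = stmt.get("Condition", {})
        if "sts.amazonaws.com" not in _as_list(cond.get("StringEquals", {}).get(AUD_KEY)):
            findings.append(f"{role_name}: MEDIUM no aud condition pinning 'sts.amazonaws.com'")
        equals_subs = _as_list(cond.get("StringEquals", {}).get(SUB_KEY))
        like_subs = _as_list(cond.get("StringLike", {}).get(SUB_KEY))
        if not equals_subs and not like_subs:
            # The flaw from the article: with no sub condition, any GitHub repository's token passes.
            findings.append(f"{role_name}: CRITICAL no sub condition, any GitHub repository can assume this role")
            continue
        for sub in equals_subs:
            if "*" in sub or "?" in sub:
                # StringEquals does not expand wildcards; this condition never matches as intended.
                findings.append(f"{role_name}: wildcard in StringEquals sub {sub!r} is matched literally")
            findings.extend(_check_sub(role_name, sub, allowed_owners))
        for sub in like_subs:
            findings.extend(_check_sub(role_name, sub, allowed_owners))
    return findings


def audit_roles(roles: Dict[str, Dict[str, Any]], allowed_owners=frozenset({"example-org"})) -> Dict[str, List[str]]:
    """Audit a {role_name: trust_policy} mapping; only roles with findings are returned."""
    report = {}
    for name, policy in roles.items():
        findings = audit_trust_policy(name, policy, allowed_owners)
        if findings:
            report[name] = findings
    return report


def fetch_trust_policies(session) -> Dict[str, Dict[str, Any]]:
    """Collect every role's trust policy from one account via a boto3 session (not run offline)."""
    iam = session.client("iam")
    roles = {}
    for page in iam.get_paginator("list_roles").paginate():
        for role in page["Roles"]:
            roles[role["RoleName"]] = role["AssumeRolePolicyDocument"]  # boto3 returns it decoded
    return roles


def _gh_policy(condition: Dict[str, Any]) -> Dict[str, Any]:
    """Build a constructed GitHub OIDC trust policy with the given Condition block."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/" + GITHUB_OIDC_HOST},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


# Constructed sample roles covering the shapes discussed in the text.
SAMPLE_ROLES = {
    "deploy-no-sub": _gh_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"}}),
    "deploy-any-repo": _gh_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                                   "StringLike": {SUB_KEY: "repo:*"}}),
    "deploy-any-branch": _gh_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com"},
                                     "StringLike": {SUB_KEY: "repo:example-org/example-repo:*"}}),
    "deploy-main-only": _gh_policy({"StringEquals": {AUD_KEY: "sts.amazonaws.com",
                                                     SUB_KEY: "repo:example-org/example-repo:ref:refs/heads/main"}}),
    "ec2-instance-role": {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                          "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]},
}

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROLES).items():
        print("\n".join(findings))
```

Run against real accounts by calling `fetch_trust_policies(boto3.Session(profile_name=...))` for each account and passing the merged mapping to `audit_roles` with your own GitHub owner in the allow-list; the `INFO` finding on the trailing `*` is there so you can consciously accept it for test roles and reject it for production ones.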
For those unfamiliar, IAMbic offers an easy solution to this. IAMbic bi-directionally syncs the IAM footprint of an AWS organization (yes, even across multiple accounts) into readable YAML files in version control. We even showcase our entire test organization's AWS IAM configuration in a public example repository that IAMbic keeps up to date with any cloud IAM change. This means we can effortlessly run a code search on GitHub for `token.actions.githubusercontent.com:sub` and review every match for a missing or overly broad condition.
Without an always-updated, searchable permission dataset, auditing our GitHub OIDC-capable roles would be a daunting task. With IAMbic, not only can we audit, we can also use the same dataset for a range of other use cases, such as large search-and-replace operations that write back to the control plane.
If you're using GitHub OIDC-capable roles and are struggling with audits, we can't recommend IAMbic enough. It's a radically different approach to capturing your IAM footprint continuously. Dive into IAMbic on GitHub and join our community on Slack to discover more.