AirIAM
AirIAM is an AWS IAM to least-privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform configuration that replaces the existing IAM management method.
AirIAM was created to promote immutable and version-controlled IAM management to replace today’s manual and error-prone methods.
AirIAM scans existing IAM usage patterns and provides a simple method to migrate IAM configurations into a rightsized Terraform plan. It identifies unused users, roles, groups, policies, and policy attachments and replaces them with a Least Privileges Terraform code modeled to manage AWS IAM.
By moving all IAM configurations into Terraform code, admins can start tracking, auditing, and modifying IAM configurations as part of their standard infrastructure-as-code development provisioning processes.
AirIAM is battle-tested and is recommended for use in Dev, QA, and test environments that have been previously managed by humans. It is designed to result in minimal impact on existing workloads.
If you are interested in migrating a Prod account, contact us at info@bridgecrew.io for some helpful tips.
Features
- Detects unused IAM resources using native AWS and Amazon Access Advisor APIs.
- Provides scripts to remove unused entities en masse.
- Effortless migration of existing IAM configurations into a simple Least Privileges Terraform model.
- Integrates with Checkov, a static code analysis tool for Terraform, to track unwanted configuration changes and configuration drift.
Commands
- find_unused – Detects unused users, roles, groups, policies, and policy attachments. It also adds links to automation scripts that could remove these entities entirely using Bridgecrew Community. Learn more about these scripts and automation.
- recommend_groups – Identifies what permissions are in use and creates 3 generalized groups according to that usage. Supported groups:
  - Admins – Users who have the AdministratorAccess policy attached. They will be added to the admins group, which will have the managed policy arn:aws:iam::aws:policy/AdministratorAccess attached.
  - PowerUsers – Users who have write access to any of the services. If more than 10 policies would be attached to that group, a number of PowerUsers groups will be created, and the relevant users will be members of all of them.
  - ReadOnly – Users who only have read access to the account. They will be members of the readonly group, which will have the managed policy arn:aws:iam::aws:policy/ReadOnlyAccess attached.
- terraform – Creates Terraform files based on the outputs and the transformations applied by the optional arguments supplied. Important notes for the terraform command:
  a. AirIAM replaces all hardcoded values with the matching Terraform references, which results in replacements of all group memberships and policy attachments. If this is run using a user, please make sure the user has the relevant privileges directly attached. A matching warning will be displayed if relevant.
  c. AirIAM tags all the resources it touched so it will be easy to identify the entities which are not managed through AirIAM. This results in Terraform modifying the relevant entities by adding these tags.
  d. By default, AirIAM will import the currently existing IAM entities and their relationships, which might take a while depending on the number of configurations.
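As an added illustration (not AirIAM's generated output), this is how the admins and readonly groups from recommend_groups look when written the way the terraform command's notes describe: group memberships and policy attachments are Terraform references rather than hardcoded names, and the managed entities carry a tag. The user name "alice", the resource names and the tag key are assumptions.

```hcl
# Illustrative model, not AirIAM's own output. Only the two managed policy
# ARNs come from the README; everything else is assumed for this example.

resource "aws_iam_user" "alice" {
  name = "alice"
  # Tag marking the user as managed by the generated code (note c);
  # the key is an assumption. IAM groups do not support tags, so the
  # tag lives on the user.
  tags = { managed_by = "airiam" }
}

resource "aws_iam_group" "admins" {
  name = "admins"
}

resource "aws_iam_group" "readonly" {
  name = "readonly"
}

# Managed policies attached by ARN: the two policies the README names.
resource "aws_iam_group_policy_attachment" "admins_administrator_access" {
  group      = aws_iam_group.admins.name
  policy_arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}

resource "aws_iam_group_policy_attachment" "readonly_read_only_access" {
  group      = aws_iam_group.readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

# Membership expressed through references instead of hardcoded names
# (note a): renaming or removing the user resource updates the
# membership in the same plan, and the attachment is visible in review.
resource "aws_iam_group_membership" "readonly_members" {
  name  = "readonly-members"
  group = aws_iam_group.readonly.name
  users = [aws_iam_user.alice.name]
}
```

Because the membership and attachment resources are rewritten as references, applying this plan to an account where alice was attached to policies directly will detach them, which is why note a asks that the executing user keep its own privileges attached directly.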
Data Flow
Install && Use
Copyright 2019 Bridgecrew