August 10, 2023
IAM
Steven Moy

The Hidden Danger of GitHub OIDC and How to Protect Your AWS Roles

Concerned about potential IAM role vulnerabilities from misconfigured trust policies? Identify them easily with IAMbic.

Upon the release of a recent security article (No keys attached: Exploring GitHub-to-AWS keyless authentication flaws), we immediately sprang into action to audit our environment. The article shed light on misconfigured Trust Policies that could potentially allow any GitHub repository to assume AWS roles meant exclusively for an organization's internal repository.

To our surprise, during our proactive audit, we detected an external security scan trying to assume an AWS role we had designated for GitHub Actions deployments. This was a wake-up call, emphasizing the importance of the article's findings.

Thankfully, our configuration was tight, restricting access only to our specific repositories:


"StringLike": {  
    "token.actions.githubusercontent.com:sub": "repo:noqdev/iambic:*"
 }

Given our unique setup within an isolated AWS organization, we permit the * at the end to run functional tests against arbitrary branches. (For a deeper dive into this, check out this comprehensive guide from GitHub).

However, this incident made us realize the need to easily audit of all our role's Trust policies. With a vast number of accounts in an AWS organization, finding a straightforward first-party tool to search for “token.actions.githubusercontent.com:sub" and identify misconfigurations can be a challenge.

For those unfamiliar, IAMbic offers an easy solution for this. IAMbic bi-directionally syncs the IAM footprint of an AWS Organization (yes, even across multiple accounts) into readable YAML files in version control.  We even showcase our entire test org AWS IAM configuration in a public example repository that IAMbic keeps up-to-date with any cloud IAM changes. This means we can effortlessly perform a code search on GitHub to pinpoint potential vulnerabilities.

Without an always-updated, searchable permission dataset, auditing our GitHub OIDC capable roles would be a daunting task. But with IAMbic, not only can we audit, but we can also harness its capabilities for a plethora of use cases, such as extensive search-and-replace operations that write back to the control plane.

If you're using GitHub OIDC capable roles and are struggling with audits, we can't recommend IAMbic enough. It's a radically different approach in capturing your IAM footprint continuously. Dive into IAMbic on Github and join our vibrant community on Slack to discover more.

Steven Moy

Founding Engineer
linkedin twittergithub

Latest articles

browse all posts
IAM
May 30, 2023

SCPs: Protecting Your AWS Environment (and your job)

IAMbic, the open-source tool for managing distributed IAM permissions, has expanded its support to include AWS compliance guardrails through Service Control Policies (SCPs). SCPs provide policy governance in AWS, acting as a protective barrier for AWS resources. Users can now efficiently track changes, rollback between different IAM versions, and automatically correct out-of-band changes for important resources. Additionally, IAMbic supports a GitOps workflow, allowing you to implement IAM and SCP changes via PR reviews for improved governance. Continue reading for examples of SCPs, and practical guidance on applying them safely.

Curtis Castrapel
read more
IAM
May 16, 2023

Tailor AWS Identity Center (SSO) Permissions Per Account with IAMbic

In this post, we’ll use IAMbic to create an AWS SSO permission set with different permissions per account while preventing drift. The end result? Manage your AWS SSO permission sets alongside the rest of your IAM with IAMbic, and tailor both access and fine-grained cloud permissions.

Curtis Castrapel
read more
IAM
May 3, 2023

AWS Permission Bouncers: Letting Loose in Dev, Keeping it Tight in Prod

Ever had a slight configuration change take down production services? Wish you could give teams more AWS permissions in dev/test accounts, but less in production? Right sizing IAM policies for each team and account can be a tedious task, especially as your environment grows. In this post, we’ll explore how IAMbic brings order to multi-account AWS IAM chaos.

Curtis Castrapel
read more

The First IAM Ops Platform for AWS

Learn More

Interested in Noq?

Get in touch with our team to learn more!

Book A Demo
Get Early Access

Automating IAMOps
for AWS

hello@noq.dev
for job inquiries

© 2022 All Rights Reserved Noq Software, Inc. | Privacy Policy | Term & Conditions

HomeCompanyCareersContact
twittergithub
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.
 Deny Accept