Profile Applicability:
Level 1
Description:
In AWS Batch, roles are used to grant permissions to interact with other AWS services. To prevent "confused deputy" security issues, it's crucial to configure roles properly to ensure that Batch jobs can only access resources that are explicitly required for their execution. Cross-service confused deputy prevention ensures that AWS Batch roles are tightly scoped and adhere to the principle of least privilege, minimizing the potential for privilege escalation or unintended access to other services.
Rationale:
Configuring Batch roles for cross-service confused deputy prevention ensures that:
AWS Batch jobs have only the permissions they need to execute, reducing the risk of unauthorized access to other AWS resources.
The IAM role attached to AWS Batch jobs is scoped to specific actions and resources, minimizing the attack surface.
AWS services are properly isolated from each other, maintaining security best practices.
Default Value:
By default, AWS Batch roles may not be explicitly configured with the necessary restrictions to prevent cross-service confused deputy attacks. Manual configuration is needed to scope roles appropriately.
Impact:
Pros:
Improved security by preventing over-permissioned roles that could be exploited.
Better compliance with the least privilege principle.
Reduced risk of unauthorized service access and potential escalation of privileges.
Cons:
Requires careful planning to ensure that only the necessary permissions are granted to Batch jobs.
Misconfiguration may cause Batch jobs to fail due to insufficient permissions.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to IAM under Security, Identity & Compliance.
Go to the Roles section and locate the IAM role that is used by your AWS Batch jobs.
Review the attached policies to ensure that the role only has the permissions necessary for the Batch job to interact with specific services (e.g., S3 or DynamoDB).
If the role has unnecessary permissions, modify the policies to restrict access and avoid the "confused deputy" issue.
Attach a policy using the least privilege principle, ensuring that the role only has permissions to perform actions required for the Batch job.
Using AWS CLI:
Run the following command to describe the IAM role used by the AWS Batch job:
aws iam get-role --role-name <role-name>
Review the permissions attached to the role and ensure that they only allow the Batch job to perform actions on specific services and resources.
If needed, modify the role’s policies to adhere to the least privilege principle:
aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json
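The review above can be partly automated. The following is an added example (not part of this benchmark or any AWS tooling) that audits the two documents `aws iam get-role` and `aws iam get-role-policy` return: the trust policy, which for cross-service confused deputy prevention should let batch.amazonaws.com assume the role only under an aws:SourceArn or aws:SourceAccount condition, and the permissions policy, which should grant no wildcard actions or resources. The sample policy documents, account ID and bucket name are constructed for the demonstration.

```python
# Constructed sample IAM documents for demonstration (assumed account id and bucket).
TRUST_POLICY_OPEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "batch.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}
TRUST_POLICY_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": "batch.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"aws:SourceAccount": "111122223333"},
                  "ArnLike": {"aws:SourceArn": "arn:aws:batch:us-east-1:111122223333:*"}}}]}
PERMISSIONS_WIDE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "*", "Resource": "*"}]}
PERMISSIONS_SCOPED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-batch-bucket/*"}]}

# Global condition keys AWS documents for cross-service confused deputy prevention.
CONFUSED_DEPUTY_KEYS = {"aws:sourcearn", "aws:sourceaccount"}

def _as_list(value):
    """IAM accepts a single string wherever a list is allowed; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, service="batch.amazonaws.com"):
    """Flag Allow statements that let `service` assume the role with no
    aws:SourceArn / aws:SourceAccount condition (the confused deputy gap)."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or service not in services:
            continue
        # Condition is {operator: {key: value}}; condition keys are case-insensitive.
        keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if not keys & CONFUSED_DEPUTY_KEYS:
            findings.append(f"{service} can assume role without aws:SourceArn/aws:SourceAccount")
    return findings

def audit_permissions_policy(doc):
    """Flag Allow statements granting wildcard actions or resources (least privilege check)."""
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action(s) in {actions}")
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append("wildcard Resource '*'")
    return findings
```

In practice, feed the functions the `AssumeRolePolicyDocument` from `aws iam get-role` and the `PolicyDocument` from `aws iam get-role-policy` (both are returned as JSON) and treat any finding as a role to remediate.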
Implementation Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to IAM and review the Roles section to verify the permissions granted to the Batch job role.
Modify or create new IAM policies to ensure the Batch role only has permissions for required resources.
Attach the appropriate policy to the Batch role to prevent cross-service confused deputy issues.
Using AWS CLI:
Create or modify IAM policies for the AWS Batch role by ensuring it is scoped to the necessary permissions.
Run the following command to attach the modified policy:
aws iam put-role-policy --role-name <role-name> --policy-name <policy-name> --policy-document file://policy.json
Backout Plan:
Using AWS Console:
If the role is misconfigured, log in to the AWS Console.
Navigate to IAM and go to the Roles section.
Detach the problematic policy and reattach the previous version or adjust the role’s permissions as required.
Using AWS CLI:
If you need to revert changes, run the following command to detach the problematic policy:
aws iam delete-role-policy --role-name <role-name> --policy-name <policy-name>
Reattach the previous policy or create a new one with the correct permissions.
References
CIS Controls: