
Catch Me If You Can: How LocalStack’s Policy Stream Identifies Least Privilege IAM Policies

In the world of cloud development, security is paramount. But generating IAM policies that grant the right level of access can be a challenge. Join Nancy as she unveils the power of LocalStack’s IAM Policy Stream. This feature acts like a guardian, dynamically generating least privilege IAM policies based on your application’s AWS API calls in real-time. Discover how the Policy Stream helps you:

  • Simplify IAM policy creation: Eliminate manual configuration and ensure your policies align precisely with your application’s needs.
  • Embrace the principle of least privilege: The Stream identifies the minimum permissions required, reducing attack surfaces and enhancing cloud security.
  • Streamline local development workflows: Gain valuable insights into your application’s IAM interactions, leading to faster development cycles.

This talk is an essential resource for developers who want to build secure and efficient cloud applications locally with LocalStack. Nancy will delve into the technical aspects of the Policy Stream, showcase practical use cases, and provide tips for leveraging it effectively in your development process.
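To make the description above concrete, here is an added example (not LocalStack's own code) of the two ideas the Policy Stream combines: folding a record of observed AWS API calls into a least-privilege identity-based policy, and then evaluating requests against that policy the way an enforcing environment would. The observed calls, account id and ARNs are constructed sample data, and the evaluator is deliberately minimal.

```python
import json
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample of the kind of calls a Policy Stream would observe from a
# running application: (service, API action, resource ARN). Not real captured traffic.
OBSERVED_CALLS = [
    ("s3", "GetObject", "arn:aws:s3:::app-config-bucket/config.json"),
    ("s3", "GetObject", "arn:aws:s3:::app-config-bucket/feature-flags.json"),
    ("sqs", "SendMessage", "arn:aws:sqs:us-east-1:000000000000:resize-queue"),
    ("lambda", "GetFunction", "arn:aws:lambda:us-east-1:000000000000:function:resizer"),
]


def build_least_privilege_policy(calls):
    """Fold observed calls into one IAM policy document: one Allow statement per
    resource, listing only the actions actually seen against it."""
    actions_by_resource = defaultdict(set)
    for service, action, resource in calls:
        actions_by_resource[resource].add(f"{service}:{action}")
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(actions_by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def is_allowed(policy, action, resource):
    """Minimal allow-list evaluator: a request passes only if some Allow statement
    matches both the action and the resource (IAM-style '*' wildcards honoured).
    Anything not explicitly allowed is denied, which is the behaviour an enforcing
    environment exposes. Conditions and explicit Deny statements are out of scope."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(fnmatchcase(action, a) for a in actions) and any(
            fnmatchcase(resource, r) for r in resources
        ):
            return True
    return False


if __name__ == "__main__":
    policy = build_least_privilege_policy(OBSERVED_CALLS)
    print(json.dumps(policy, indent=2))
    # A write the application never performed is denied by the generated policy.
    print(is_allowed(policy, "s3:PutObject", "arn:aws:s3:::app-config-bucket/config.json"))
```

The generated document is the right-sized starting point the talk describes; compare it against a broad `"Action": "s3:*", "Resource": "*"` statement to see what the Stream lets you drop.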

Nancy is an Engineer and Developer Advocate at LocalStack. She likes hacking through software engineering problems. She is a CNCF Ambassador & AWS Community Builder. She has taken the initiative to establish the “Women in Cloud Native Community” to encourage diversity and participation. Nancy recently organized the first cloud-native sustainability mini-conference in India, bringing together folks and initiating discussions on this crucial topic of Sustainability in Tech. In her free time, she loves creating illustrations and spending time with her cats. You can connect with her on LinkedIn or Twitter.

Transcript

Nancy Chauhan 0:11
Hey everyone. This is Nancy Chauhan, and I’m super excited for More Serverless 2024. Thank you so much for inviting me today. I’m going to talk on Catch Me If You Can: how LocalStack Policy Stream identifies least privileged IAM policies. So let’s get started. Awesome. So here we are. Who am I? I’m a DevRel engineer at LocalStack, CNCF ambassador, AWS community builder. I’ve also founded the Women in Cloud Native community, for all those women who are interested in the cloud native space. You can find me on my Twitter account, or you can check out my website. And the most interesting part, I love cats and traveling. So let’s begin. First of all, I’m going to talk about IAM permissions, IAM policies, for all those who are new to this. So IAM is an AWS service for managing both authentication and authorization, determining who can access which resource in your AWS account. So as you can see in my diagram, there are two parts to it, which is identities and permissions. Now identities refer to the various mechanisms that AWS provides to identify who is requesting a particular AWS action, for authenticating that person or entity. So this includes IAM users and groups and credentials and roles. Now with this, AWS evaluates, with the help of policies, when a user makes a request, whether it’s given a permission or not, so permissions in the policies determine whether the request is allowed or denied. Now let’s see a quick example for this, as you can see on my screen. For example, if you have an EC2 instance that needs to access a simple S3 bucket to get configuration data, you should only allow read access to the specific S3 bucket that contains the relevant data. And you can achieve this with the help of IAM policies, but it follows IAM least privilege, which is like the principle of granting only the permission required to complete a task. So it’s one of the AWS Well-Architected best practices that can help you build securely in the cloud. 
So here is a policy. I’ve been talking all about policy, but this is how it looks. So an IAM policy is a JSON document, as you can see, that defines permissions to control what actions are allowed or denied for specific AWS resources. As you can see we did in the previous slide, it allows you to manage access to resources by specifying which action can be performed on which resource, following the principle of least privilege. So finally, let’s talk about shift left in testing and security, one of my best topics. So the shift left approach in general aims to integrate security measures early in the development life cycle, which enables developers to identify and mitigate those vulnerabilities before they actually reach production. So one of them is testing the IAM policies locally, using LocalStack to verify that your application access controls are properly configured or not. So by default, the IAM access controls are usually checked when the app is deployed on the cloud. However, using LocalStack, we can create and test the IAM policies very early in the development cycle. So moving next, what exactly is LocalStack? We did talk about LocalStack, that it can really help you early in the stage, early in your software development cycle. But what exactly is LocalStack? So LocalStack is a fully functional cloud stack where you can develop your AWS cloud apps locally. You do not need an AWS account to basically test your AWS cloud applications. So what you really need to do is you need to ship a Docker image, which is easy to install and start up. So LocalStack is going to work as a Docker image, and it supports more than 100 plus AWS APIs and growing. It has compute: Lambda, ECS, EKS; various databases: DynamoDB, RDS; for messaging, SQS; and there are some other sophisticated APIs like Athena and Glue. So this is all about LocalStack. Let’s quickly see an easy hello world. 
So over here I am creating a bucket, and LocalStack is running as a Docker image, so it’s able to do that. I’m also able to create the IAM users, and then I’m also able to list the users. So this is happening with LocalStack. LocalStack is running in parallel as a Docker image. So let’s finally discuss IAM Policy Stream, which is the main topic of the lightning talk. So IAM Policy Stream is a feature which is provided by LocalStack. It generates a steady stream of policies, along with the corresponding principals or resources. So when a user makes a request, it initially displays the principal or resource to which the policy will be attached. Now this is typically a service resource for resource-based policies, or an IAM principal for other cases. It displays the suggested policy, which we are going to see later in this demo. This feature basically aids in identifying the correct permissions for a cloud application, and it can help you spot logical errors. So one catch here is that, by default, LocalStack is a permit-all system, which is like no IAM restrictions. Now this is going to help you to find the right-sized IAM policies, which we are going to see later. It also supports IAM enforcement. That means when you start LocalStack as a Docker image, you have to put in a flag, ENFORCE_IAM=1, which allows for a more seamless transition into real AWS or a production type of environment. So yeah, so let’s see a quick demo. Okay, so over here, my LocalStack image is already running, and I’m just going to create some resources, like I’m going to create a bucket and one SQS. So yeah, as you can see, the bucket has been created. Now I’m going to quickly move to our web app. So as you can see, our web app here, which is app.localstack.cloud. You can do the same in the CLI, but I’m just showing you in the web app because it’s more neat. So you can see over here IAM Policy Stream. 
So when I basically did all those commands, it created the policies for SQS and create bucket. So as you can see, these are resource and identity-based policies which have been created when I created those resources locally using LocalStack. Awesome. So now we have discussed the IAM policies. We have also seen how it is generated on the LocalStack web app. Now let’s move to a complex architecture, because that’s how things work in the real world. So as you can see on my screen here, we have an architecture of a serverless image resizer with a lot of buckets, Lambdas, SQS, SNS. So in this application, a simple front end application facilitates the image uploads, and there’s a separate Lambda that generates pre-signed URLs for direct upload, and file uploads to this bucket trigger a Python Lambda that handles image resizing, and then we have other Lambdas to handle other use cases. So you can find this application on our GitHub in LocalStack samples. So I’m not going to show you the code, because we are just concerned about the IAM policies here. So what we are going to learn is how we right-size the IAM policies with LocalStack IAM Policy Stream. So in this tutorial, we’ll dive into deploying a web app. We’ll assume that the web app is already running, and I’m going to put in ENFORCE_IAM=1 when I start my LocalStack to mimic a real world environment. So now let’s move to my terminal. So I already have this application in my environment. I already have the sample serverless image resizer. You can also clone this from GitHub. Now what I’m going to do is there’s a deploy.sh script which basically deploys all the resources and everything. So I’m just going to run this. Now, what’s happening in parallel is that LocalStack is running with the flag ENFORCE_IAM=1. So as you can see the error message, it says the role defined for the function cannot be assumed by Lambda. 
This means that this has got no permissions, as it happens in the real world. But now let’s move to the IAM Policy Stream web app. So when I was doing this, it created the policies. It’s creating policies for all the actions. So this is what I’m trying to say. As you can see, it has created policies for lambda:ListFunctionUrlConfigs and lambda:GetFunction. Now what you can do after this is that you can leverage these policies to basically include them in your Terraform files. You can also check which policies you want to include and what roles and permissions you want to give. So this is how you can basically leverage this feature to create the policies in your Terraform files, or you can use it to test the security. So I hope you enjoyed this demo. So the conclusion is that LocalStack IAM creates a setup that resembles the live AWS, as we have seen, and you can write and debug your policies locally, and also, in collaboration with the Cloud Pods feature, the IAM live Policy Stream generates policies for all the API calls, which you have already seen. So this is the conclusion for the lightning talk today. I hope you really enjoyed it. If you have any questions, you can join our Slack community, which is localstack.cloud/slack. Or if you want to get in touch with me, or have any questions for me, you can reach out to me on any of the social media. Thank you so much. Bye.
