Trend Micro Cloud One™ – Conformity Insufficient Access Permissions

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: High (not acceptable risk)
Rule ID: CC-003

Ensure that Amazon IAM policies created to grant access to the Conformity Bot on your behalf, provides all the permissions required to scan your AWS infrastructure in order to get the latest conformity rules, new features, and best practices. The Conformity Bot ingests meta-data from your AWS account and automates the task of ensuring that your cloud infrastructure remains reliable, scalable, efficient, and secure.

Operational
excellence

Trend Micro Cloud One™ – Conformity updates the IAM access policies used by the Conformity Bot as new conformity rules, features, and best practices are introduced. If the Conformity Bot does not have access to all the supported AWS cloud services and resources, it won't be able to highlight all the newest potential security risks, cost issues, performance or reliability inefficiencies.

Note: If required, you can allow individual AWS IAM actions to be excluded from the conformity rule check by adding them within the rule configuration settings, on the account console.


Audit

To determine if the IAM policies that grant access to the Conformity Bot provide all the necessary access permissions, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account.

02 In the left navigation panel, under All Cloud Accounts, select the subscribed AWS account that you want to examine.

03 In the Summary section, choose Browse all checks… to access the list with the conformity rule checks performed by the Conformity Bot for your AWS account.

04 Select View by Rule tab, choose Filter checks, and type the name of the conformity rule, i.e. Trend Micro Cloud One™ – Conformity Insufficient Access Permissions, in the Rules search box, then press Enter.

05 Click on the returned conformity rule and check the Missing Action attribute value. If the Missing Action attribute lists one or more AWS actions, e.g. "dynamodb:ListBackups", the Amazon IAM policies created to grant access to the Conformity Bot are missing AWS actions, therefore the Conformity Bot has insufficient access permissions.

06 Repeat step no. 2 – 5 to check each AWS account registered with Trend Micro Cloud One™ – Conformity for insufficient access permissions.

Remediation / Resolution

To update the Amazon IAM policies created to grant access to the Conformity Bot in order to add any missing AWS actions, perform the following actions:

Using AWS Console

01 Sign in to the AWS account registered with Trend Micro Cloud One™ – Conformity.

02 Navigate to Amazon IAM console at https://console.aws.amazon.com/iam/.

03 In the left navigation panel, under Access management, choose Roles.

04 Search an Amazon IAM role named CloudConformity, and click on the role name (link) to access the associated IAM policies.

05 Select the Permissions tab and click on the CloudConformityPart1 or CloudConformityPart2 IAM policy, to access the IAM policy document (JSON format).

06 On the selected IAM policy configuration page, select the Permissions tab and choose Edit policy to edit the policy document.

07 Select the JSON tab and add the AWS missing action(s), for example "dynamodb:ListBackups", listed in the conformity rule settings under Missing Action, to the "Action" policy element within the selected IAM policy. Click Review policy and review the updated IAM policy.

08 Click Save changes to apply the IAM policy configuration changes. The Conformity Bot should now have access to all the supported AWS cloud services and resources.

09 Repeat steps no. 1 – 8 to update the Amazon IAM access policies for other AWS accounts registered with Trend Micro Cloud One™ – Conformity.

Using AWS CLI

01 Run get-policy command (OSX/Linux/UNIX) using the ARN of the IAM policy that grants access to the Conformity Bot on your behalf, named CloudConformityPart2, as identifier parameter, and custom query filters to describe the policy document version id. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:

aws iam get-policy \
  --policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
  --query 'Policy.DefaultVersionId'

02 The command output should return the requested IAM policy document version id:

"v1"

03 Run get-policy-version command (OSX/Linux/UNIX) using the ARN of the IAM policy that grants access to the Conformity Bot on your behalf, named CloudConformityPart2, as identifier parameter, the version id returned by previous command, and custom query filters to describe the policy document in JSON format. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:

aws iam get-policy-version \
  --policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
  --version-id v1 \
  --query 'PolicyVersion.Document'

04 The command output should return the requested IAM policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "athena:GetQueryExecution",
        "athena:ListQueryExecutions",
        "athena:ListTagsForResource",
        "backup:DescribeBackupVault",
        "backup:ListBackupVaults",
        "backup:GetBackupVaultAccessPolicy",
        "dax:DescribeClusters",
        "dax:ListTags",
        "dms:DescribeReplicationInstances",
        "dms:ListTagsForResource",
        "ds:DescribeDirectories",
        "ds:ListTagsForResource",

        ...

        "comprehend:ListKeyPhrasesDetectionJobs",
        "comprehend:ListSentimentDetectionJobs",
        "comprehend:ListTopicsDetectionJobs",
        "comprehend:ListEntitiesDetectionJobs",
        "comprehend:ListDocumentClassificationJobs",
        "comprehend:ListDominantLanguageDetectionJobs"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::elasticbeanstalk*",
      "Effect": "Allow"
    }
  ]
}

05 Update the IAM policy document returned at the previous step and add the missing action(s), e.g. "dynamodb:ListBackups", listed in the conformity rule settings under Missing Action, to the "Action" policy element within the selected policy. Once the missing actions are added, save the IAM policy to a JSON document named cloud-conformity-bot-policy.json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "application-autoscaling:DescribeScalableTargets",
        "application-autoscaling:DescribeScalingActivities",
        "application-autoscaling:DescribeScalingPolicies",
        "application-autoscaling:DescribeScheduledActions",
        "athena:GetQueryExecution",
        "athena:ListQueryExecutions",
        "athena:ListTagsForResource",
        "backup:DescribeBackupVault",
        "backup:ListBackupVaults",
        "backup:GetBackupVaultAccessPolicy",
        "dax:DescribeClusters",
        "dax:ListTags",
        "dms:DescribeReplicationInstances",
        "dms:ListTagsForResource",
        "dynamodb:ListBackups",
        "ds:DescribeDirectories",
        "ds:ListTagsForResource",

        ...

        "comprehend:ListKeyPhrasesDetectionJobs",
        "comprehend:ListSentimentDetectionJobs",
        "comprehend:ListTopicsDetectionJobs",
        "comprehend:ListEntitiesDetectionJobs",
        "comprehend:ListDocumentClassificationJobs",
        "comprehend:ListDominantLanguageDetectionJobs"
      ],
      "Resource": ["*"],
      "Effect": "Allow"
    },
    {
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "arn:aws:s3:::elasticbeanstalk*",
      "Effect": "Allow"
    }
  ]
}

06 Run create-policy-version command (OSX/Linux/UNIX) to create a new version of the CloudConformityPart2 IAM policy, an operative policy version that includes the missing AWS actions defined at the previous step. Replace ${aws-account-id} with the ID of your AWS account registered with Trend Micro Cloud One™ – Conformity:

aws iam create-policy-version \
  --policy-arn arn:aws:iam::${aws-account-id}:policy/CloudConformityPart2 \
  --set-as-default \
  --policy-document file://cloud-conformity-bot-policy.json

07 The command output should return the new IAM policy version metadata:

{
  "PolicyVersion": {
    "CreateDate": "2020-08-24T10:00:00Z",
    "VersionId": "v5",
    "IsDefaultVersion": true
  }
}

08 Repeat steps no. 1 – 7 to update the Amazon IAM access policies for other AWS accounts registered with Trend Micro Cloud One™ – Conformity.

References

Publication date Jan 11, 2021

Unlock the Remediation Steps


Gain free unlimited access
to our full Knowledge Base


Over 750 rules & best practices
for AWS and Azure

You are auditing:

Trend Micro Cloud One™ – Conformity Insufficient Access Permissions

Risk level: High