Simplify Aws Developer Security With Leapp

Security Is Necessary Work

Security can add overhead, get in the way, complicate development, generally can cause challenges to development efforts. The balance of security and usability is one that all development organizations have to deal with.

I could be ultra-secure by requiring carrier pigeon multi-factor authentication for my team, but I’m not sure that would be well received.

https://d33wubrfki0l68.cloudfront.net/6a192906191847da6ea5adc6e0462a52b0cf8e5e/15376/images/2021-06-28-1615-diagram-security-steps.png
security steps can be painful

It’s also critical and the responsibility of each developer, not just the security team.

Let’s take a few simple examples where a local developer can compromise security in AWS by simply taking an easy path.

  • Builds a docker container and uploads to Docker Hub, for a generic tool, but includes embedded AWS credentials for a linter in it.
  • Uses IAM long-lived keys to use a tool to generate infrastructure as code and commits these to the repository due to not excluding the .env file in the .gitignore.
  • Uses IAM access keys that are highly privileged as the easy path (over narrowing permission scope), puts these in a vendor site that integrates with AWS, and forgets about it. Vendor has data compromised and the AWS keys are exposed.

There are so many ways that using long-lived IAM credentials can be abused.

Assume Roles

It’s recommended to use Role Assumption instead of IAM Access keys when possible.

This means all the tooling will leverage AWS Security Token Service and use short-lived ephemeral scoped credentials.

This limits both the blast radius and time of any compromise.

Security As The Path Of Least Resistance

The problem with this path, is one of effort.

  • If using AWS SSO: You’d have to
    • login to your portal
    • open target account section
    • get programmatic credentials for the account
    • paste them into your ~/.aws/credentials file
  • If not using SSO, you’d have to use the CLI or appropriate sdk to generate your credentials on demand and then set.

The key is that all of these approaches aren’t easy as the default.

It’s easier to just use an IAM key and move on rather than battle with cli, sdks, and other options.

Tools like aws-vault are fantastic in helping with this, but aren’t intuitive, work the same way in different platforms, and overall still provide a barrier to making it the easiest path.

Leapp

🚀 Leapp - One step away from your Cloud

https://d33wubrfki0l68.cloudfront.net/8d7559c1bc7571480d9b86be80da4e19f927f876/d0428/images/2021-06-28-14.50.53-leapp.png
leapp ui

I came across this app by chance back in March when I was just starting at my new job at $Work and was looking for a tool to help simplify things over aws-vault. Since I was benefiting from AWS SSO, I was looking for a way to simplify switching roles with SSO, while still maintaining compatibility with the lowest common denominator of the lowly ~/.aws/credentials file that I knew worked with Terraform, PowerShell, and other tools equally.

The result? Shipped code on day 3!

What It Provides

Leapp allows the path of least resistance to best practices with AWS Credentials (as well as Azure). With AWS SSO, you get the benefit of the portal accounts automatically populated as well. Role assumption becomes the easy path.

How It Works

In my scenario, using AWS SSO provides a more complicated route that demonstrates the ease of use.

  • Open App
  • Click on Account & Role I want to assume, say “Dev Account - AWS Admininstrator”
  • Pop-up for SSO process using whatever SSO process is setup
  • Enter name and password
  • Enter MFA
  • Auth dialogue proceeds to confirmation screen of signing in CLI

https://d33wubrfki0l68.cloudfront.net/5738d811feb177e9a8fbbd793f35aef5c173a0a2/3eb38/images/2021-06-28-15.42.50-leapp-sso-cli.png
aws-cli-sso-confirmation

  • Done!

The result:

~/.aws/credentials has the [default] profile containing my STS credentials. This token rotates every n1 minutes producing ephemeral credentials.

https://d33wubrfki0l68.cloudfront.net/4f5d7bbae3d568a36023bee87751856eaeb3c158/10d41/images/2021-06-28-15.44.09-code.png
credentials file changed

Enhancements

Named Profiles

The 0.6.0 release that should be out by Jun 30th (I’m using pre-release preview) contained some nice enhancements to this.

In prior versions, [default] profile was just replaced with whatever account you selected.

Now, named profiles are supported as well, so you could have multiple assumed roles open at the same time for calling with named profiles.

SSM Sesssion Launcher

There’s a built-in session launcher, allowing searching of EC2 instances and the instance terminal launch of an aws ssm start-session command against the target.

https://d33wubrfki0l68.cloudfront.net/2c12c9665af296b09d2df56272bf0c7d3d7f36a2/40f50/images/2021-06-28-15.49.14-leapp-ssm-launcher.png
leapp aws ssm launcher

Future

The future for Leapp is an interesting question.

They are active in engaging for feedback, so this is built with actual user feedback, not in a bubble. I had an hour call with one of the developers talking about authentication approaches that helped me appreciate how much they want to engage their uses in a true Agile development pattern. Not only did I learn a bunch, but ended up being able to provide a few ideas for future consideration. Great discussion with @andreacavagna01. Give Andrea a follow on  twitter and  GitHub!

I can see a larger market than developers if a company rolled it out to users, as it would simplify access by analysts, developers, security team members, and others.

It’s not:

  • An “essential” service
  • “Necessary” in a strict sense, because things work fine without this tool.

Instead it offers:

  • A usability improvement to developers authentication workflow.
  • The easy path is a secure path

For this reason, I’m interested to see how adoption by enterprises and organizations will occur. I’ve observed that solving painpoints can both incentive a company if painful enough to adopt new approaches, but also bypass improvements as they aren’t “essential” and things already work, albeit unoptimally.

For me, I’m adding it to my AWS essentials, since now I can just focus on work without and improve my credentials handling without it intruding. I’ll continue recommending this to folks, and keep up with what improvements continue to be released from this team.

Keep up with the Leapp roadmap here: GitHub Leapp Roadmap

Resources

Resource
Access management for AWS resources - AWS Identity and Access Management
Resources to learn more about IAM - AWS Identity and Access Managemen
Using IAM roles - AWS Identity and Access Management

  1. I believe 10-20 right now ↩︎


Webmentions

Likes  (19) Reposts  (10) Comments • Replies   (3)
  1. Alessandro GaggiaAlessandro Gaggia 
    Thanks for your support and great article! 🚀🚀👊
  2. Andrea CavagnaAndrea Cavagna 
    great article! Thanks for your contribution to the project 🙌
  3. Andrea CavagnaAndrea Cavagna 
    Also soon a CLI option will be available, so a credential process through config file could be a thing of Leapp @ben11kehoe! Thanks for your thread