BEGIN:VCALENDAR
VERSION:2.0
PRODID:Data::ICal 0.24
BEGIN:VEVENT
DESCRIPTION:   'Title: Access Undenied on AWS - Troubleshooting AWS IAM Acc
 essDenied\n   Errors\n   When: Saturday\, Aug 13\, 14:20 - 14:50 PDT\n   W
 here: Flamingo - Sunset-Scenic Ballroom (Cloud Village) - [1]Map\n\n   Spe
 akerBio:Noam Dahan\n   Noam Dahan is a Senior Security Researcher at Ermet
 ic with several\n   years of experience in embedded security. He is a grad
 uate of the\n   Talpiot program at the Israel Defense Forces and spent sev
 eral years\n   in the 8200 Intelligence Corps. While this is his first tim
 e\n   presenting at DEF CON\, it is not his first time in front of a crowd
 .\n   Noam was a competitive debater and is a former World Debating\n   Ch
 ampion.\n   Twitter: [2]@NoamDahan\n\n   Description:\n   Access Undenied 
 on AWS analyzes AWS CloudTrail AccessDenied events:\n   it scans the envi
 ronment to identify and explain the reasons for which\n   access was denie
 d. When the reason is an explicit deny statement\,\n   AccessUndenied iden
 tifies the exact statement. When the reason is a\n   missing allow stateme
 nt\, AccessUndenied offers a least-privilege\n   policy that facilitates a
 ccess.\n\n   IAM is a complex system in which permission information is di
 stributed\n   among many sources and permission evaluation logic is comple
 x. The\n   tool can help both defensive and offensive security teams with 
 this\n   challenge.\n\n   For defenders. The need to facilitate access to 
 teams annoyed or\n   frustrated by access denied messages often breaks lea
 st-privilege and\n   creates excessive permissions in the environment. Acc
 essUndenied gives\n   a minimal least-privilege policy suggestion and prev
 ents this. Some\n   users of the tool are even scaling their use by hookin
 g AccessUndenied\n   to a Lambda that automatically handles AccessDenied m
 essages and sends\n   them a slack notification with the tool's output.\n\
 n   For offensive teams. In AWS IAM\, a Deny statement trumps any allow.\n
    Therefore even after privilege escalation to admin\, certain actions\n 
   can still be blocked. Offensive teams can use AccessUndenied to\n   quic
 kly and effectively track down these explicit deny statements to\n   then 
 circumvent or remove them.\n\n   Sometimes\, the new and more detailed Acc
 essDenied messages provided by\n   AWS will be sufficient. However\, this 
 is not always the case.\n\n   Some AccessDenied messages do not provide de
 tails. Among the services\n   with (many or exclusively) undetailed messag
 es are: S3\, SSO\, EFS\, EKS\,\n   GuardDuty\, Batch\, SQS\, and many more
 .\n\n   When the reason for AccessDenied is an explicit deny\, it can be\n
    difficult to track down and evaluate every relevant policy.\n\n   When 
 the explicit deny is in a service control policy (SCP)\, one has\n   to fi
 nd every single policy in the organization that applies to the\n   account
 .\n\n   When the problem is a missing allow statement\, users still need t
 o\n   define a least-privilege policy.\n\n   Github: [3]https://github.com
 /ermetic/access-undenied-aws\n\n   '\n\n   1. https://defcon.outel.org/con
 solidated_page.html#FlamingoThirdFloor\n   2. https://twitter.com/NoamDaha
 n\n   3. https://github.com/ermetic/access-undenied-aws\n\n\n
DTEND:20220813T215000Z
DTSTART:20220813T212000Z
LOCATION:CLV - Flamingo - Sunset-Scenic Ballroom (Cloud Village)
SUMMARY:Access Undenied on AWS - Troubleshooting AWS IAM AccessDenied Error
 s
END:VEVENT
END:VCALENDAR
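The abstract above distinguishes two causes of an AccessDenied event: an explicit Deny statement, which wins over every Allow and has to be located, and a missing Allow, for which a least-privilege policy should be suggested. The script below is an added illustration of that evaluation logic, written for this page; it is not code from the AccessUndenied project. The CloudTrail record, the policy names (ReadOnlyData, BlockReports, FullAWSAccess) and the role ARN are all constructed, and the model is deliberately partial: it evaluates identity policies and a flat list of SCPs, ignores Condition blocks, resource policies, permission boundaries and session policies, and derives the IAM action prefix from the eventSource host label, which is not correct for every service.

```python
"""Added example: a minimal model of IAM evaluation over a CloudTrail
AccessDenied record.  Not the AccessUndenied project's code."""
import fnmatch
import json

# Constructed CloudTrail record (not real data): an S3 GetObject that failed
# with the undetailed "Access Denied" message the abstract mentions.
SAMPLE_EVENT = {
    "eventSource": "s3.amazonaws.com",
    "eventName": "GetObject",
    "errorCode": "AccessDenied",
    "errorMessage": "Access Denied",
    "userIdentity": {"arn": "arn:aws:iam::111122223333:role/data-reader"},
    "resources": [{"type": "AWS::S3::Object",
                   "ARN": "arn:aws:s3:::example-bucket/reports/q3.csv"}],
}

# Constructed identity policies attached to the principal (hypothetical names).
IDENTITY_POLICIES = {
    "ReadOnlyData": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"}]},
    "BlockReports": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Deny", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/reports/*"}]},
}

# Constructed SCPs as a flat dict.  Real SCPs are evaluated per OU level;
# an empty dict here models an account that is not in an organization.
SCPS = {
    "FullAWSAccess": {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
}


def _list(v):
    return v if isinstance(v, list) else [v]


def _glob(patterns, value, fold_case):
    # IAM wildcards: '*' (any run) and '?' (one char).  Actions are
    # case-insensitive; resource ARNs are compared as written.
    pats = _list(patterns)
    if fold_case:
        value, pats = value.lower(), [p.lower() for p in pats]
    return any(fnmatch.fnmatchcase(value, p) for p in pats)


def event_to_action(event):
    # Assumption: service prefix == eventSource host label ("s3").  This
    # fails for services such as monitoring.amazonaws.com (cloudwatch).
    prefix = event["eventSource"].split(".")[0]
    return f"{prefix}:{event['eventName']}"


def event_to_resource(event):
    res = event.get("resources") or []
    return res[0]["ARN"] if res else "*"


def statement_matches(stmt, action, resource):
    """True if the statement covers the action/resource pair.
    Condition blocks are ignored (a simplification)."""
    if "Action" in stmt:
        act_ok = _glob(stmt["Action"], action, True)
    else:
        act_ok = not _glob(stmt.get("NotAction", []), action, True)
    if "Resource" in stmt:
        res_ok = _glob(stmt["Resource"], resource, False)
    else:
        res_ok = not _glob(stmt.get("NotResource", []), resource, False)
    return act_ok and res_ok


def matching_statements(policies, action, resource, effect):
    hits = []
    for name, doc in policies.items():
        for idx, stmt in enumerate(_list(doc["Statement"])):
            if stmt.get("Effect") == effect and statement_matches(stmt, action, resource):
                hits.append({"policy": name, "index": idx, "statement": stmt})
    return hits


def explain_access_denied(event, identity_policies, scps):
    action, resource = event_to_action(event), event_to_resource(event)
    result = {"action": action, "resource": resource}
    # 1. An explicit Deny in any policy wins over every Allow; report each one.
    denies = (matching_statements(scps, action, resource, "Deny")
              + matching_statements(identity_policies, action, resource, "Deny"))
    if denies:
        result.update(reason="explicit_deny", denied_by=denies)
        return result
    # 2. If SCPs exist, one of them must allow the action.
    if scps and not matching_statements(scps, action, resource, "Allow"):
        result.update(reason="missing_allow_in_scp")
        return result
    # 3. Otherwise an identity policy must allow it; if none does, suggest
    #    the narrowest Allow that would have permitted exactly this call.
    if matching_statements(identity_policies, action, resource, "Allow"):
        result.update(reason="allowed")  # model allows: check the ignored layers
        return result
    result.update(reason="missing_allow", suggested_policy={
        "Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": action, "Resource": resource}]})
    return result


if __name__ == "__main__":
    print(json.dumps(explain_access_denied(SAMPLE_EVENT, IDENTITY_POLICIES, SCPS), indent=2))
```

On the constructed input the script reports an explicit deny and names BlockReports statement 0 as the cause; removing that policy and pointing the event at a bucket the Allow does not cover yields a missing_allow result with a single-action, single-resource policy suggestion. A result of "allowed" from this model means the cause lies in one of the layers it does not evaluate (conditions, resource policies, permission boundaries or session policies), which is exactly where the full tool's environment scan is needed.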
