8 February 2021

AWS CSM - Figuring out what permissions your app really needs

I know the feeling all too well: trying to find the right balance of IAM permissions without opening up your policy to ["ec2:*"]. Figuring out every permission your application requires can be an arduous process, but there is a better way.

AWS Client Side Monitoring (CSM)

CSM makes the SDK send a metrics record about each API call over UDP to a CSM agent. The agent can be anything that listens on the port; in this example I will use nc.

You can enable CSM with your SDK of choice with:

export AWS_CSM_ENABLED=true
export AWS_CSM_PORT=31000
export AWS_CSM_HOST=

Or by editing your ~/.aws/config file (the csm_enabled option is set per profile):

[default]
region = us-west-2
csm_enabled = true

This works with the awscli or with any SDK, for example the Go SDK.

Once you’ve configured your SDK or CLI, you can start nc listening for UDP on the default host and port:

nc -kluvw 0 31000

Now you can invoke an AWS API call; I’ll use the awscli:

aws ec2 describe-instances

If we look at the nc output in the terminal, we see one JSON record per call attempt:

{
  "Version": 1,
  "ClientId": "",
  "Type": "ApiCallAttempt",
  "Service": "EC2",
  "Api": "DescribeInstances",
  "Timestamp": 1612776146962,
  "AttemptLatency": 9206,
  "Fqdn": "ec2.us-west-2.amazonaws.com",
  "UserAgent": "aws-cli/1.18.155 Python/3.8.7 Darwin/19.6.0 botocore/1.18.14",
  "AccessKey": "",
  "Region": "us-west-2",
  "HttpStatusCode": 200,
  "XAmznRequestId": "08550f64-cd15-4dac-870e-3b5bd59a010b"
}

We’re interested in:

"Service": "EC2", "Api": "DescribeInstances"

From this we can surmise that the application requires the ec2:DescribeInstances action. Running the application through its full workflow and collecting every distinct Service/Api pair gives the complete list of actions the policy needs.
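As an added example that is not part of the original post, the following Python script stands in for nc: it receives CSM datagrams, deduplicates the Service/Api pairs across the ApiCallAttempt and ApiCall records, and renders them as a minimal IAM policy document. The sample datagrams are constructed, and using the lowercased Service name as the IAM service prefix is an assumption that holds for EC2 and S3 but not for every service.

```python
import json
import socket
# Constructed sample datagrams in the CSM format shown above: one JSON object per UDP
# packet, an ApiCallAttempt record per attempt plus a summary ApiCall record per call.
SAMPLE_DATAGRAMS = [
    b'{"Version":1,"Type":"ApiCallAttempt","Service":"EC2","Api":"DescribeInstances","HttpStatusCode":200}',
    b'{"Version":1,"Type":"ApiCall","Service":"EC2","Api":"DescribeInstances","Region":"us-west-2"}',
    b'{"Version":1,"Type":"ApiCallAttempt","Service":"S3","Api":"GetObject","HttpStatusCode":200}',
]

def action_from_record(record):
    """Map one CSM record to an IAM action, or None if it is not an API call record."""
    if not isinstance(record, dict) or record.get("Type") not in ("ApiCall", "ApiCallAttempt"):
        return None
    if not record.get("Service") or not record.get("Api"):
        return None
    # Assumption: the IAM service prefix is the lowercased CSM Service name. This holds
    # for EC2, S3, Lambda and many others but not for every service; review the result.
    return f'{record["Service"].lower()}:{record["Api"]}'

def actions_from_datagrams(datagrams):
    """Collect the distinct IAM actions seen across a sequence of raw UDP payloads."""
    actions = set()
    for payload in datagrams:
        try:
            action = action_from_record(json.loads(payload))
        except ValueError:
            continue  # not JSON: skip the packet rather than crash the collector
        if action:
            actions.add(action)
    return actions

def build_policy(actions):
    """Minimal IAM policy; Resource is deliberately broad, scope it to real ARNs."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]}

def listen(host="127.0.0.1", port=31000):
    """Stand in for nc: receive CSM datagrams until Ctrl-C, then return the policy."""
    payloads = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((host, port))
        try:
            while True:
                payloads.append(sock.recvfrom(65535)[0])
        except KeyboardInterrupt:
            pass
    return build_policy(actions_from_datagrams(payloads))

if __name__ == "__main__":
    print(json.dumps(build_policy(actions_from_datagrams(SAMPLE_DATAGRAMS)), indent=2))
```

Replace the last line with `print(json.dumps(listen(), indent=2))` to collect from a live SDK or CLI run on the default CSM port.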

Realtime IAM Policy Generation

I found a great application called iamlive which can build a policy in real time from CSM requests. Check it out!