I think we should target the "task list" concept for the user. So, instead of "IAM Principals", "IAM Roles", and "IAM Groups" at the bottom as cards - we should really have it be a list of the policies themselves that are failing. I am not quite sure the best way to represent this. I have an idea, but let me express these as JSON.
- Data Exfiltration (collapsible and show count)
- AWS Managed Policies (collapsible and show count)
- Customer Managed Policies (collapsible and show count)
- Inline Policies (collapsible and show count)
- ... etc.
{
  "Data Exfiltration": {
    "AWS Managed Policies": {
      "arn:aws:iam::aws:policy/AWSLambdaFullAccess": "ANPAI6E2CYYMI4XI7AA5K",
      "arn:aws:iam::aws:policy/CloudWatchFullAccess": "ANPAIKEABORKUXN6DEAZU"
    },
    "Customer Managed Policies": {},
    "Inline Policies": {
      "InlinePolicyForAdminGroup (attached to arn:aws:iam::012345678901:group/admin)": "0e1bd3995cfe6cfbbac133f1406839e6b415e5b5a412cd148ac78071d82e5b1b"
    }
  },
  "Resource Exposure": {
    "AWS Managed Policies": {
      "arn:aws:iam::aws:policy/AWSLambdaFullAccess": "ANPAI6E2CYYMI4XI7AA5K",
      "arn:aws:iam::aws:policy/CloudWatchFullAccess": "ANPAIKEABORKUXN6DEAZU"
    },
    "Customer Managed Policies": {
      "arn:aws:iam::012345678901:policy/InsecurePolicy": "ANPABBBBAAAABBBBAAAA"
    },
    "Inline Policies": {
      "InlinePolicyForAdminGroup (attached to arn:aws:iam::012345678901:group/admin)": "0e1bd3995cfe6cfbbac133f1406839e6b415e5b5a412cd148ac78071d82e5b1b"
    }
  },
  "Privilege Escalation": {
    "AWS Managed Policies": {
      "arn:aws:iam::aws:policy/PowerUserAccess": "ANPAJYRXTHIB4FOVS3ZXS",
      "arn:aws:iam::aws:policy/IAMFullAccess": "ANPAI7XKCFMBPM3QQRRVQ"
    },
    "Customer Managed Policies": {},
    "Inline Policies": {
      "OverprivilegedEC2 (attached to arn:aws:iam::012345678901:role/OverprivilegedEC2)": "4331c4e6419d4ca3e11864e79a062881a78bc46804514465a7fdcb9f3471bf50"
    }
  }
}
For the managed policies, use the policy ID (e.g. ANPAI6E2CYYMI4XI7AA5K) as an href to the actual Policy details, since this is a unique ID. For the inline policies, use that SHA256 hash as an href to the actual Policy details, since this is a unique ID.
If we take this approach, then we might even want to use that instead of the table, since that gives you more details about what you actually need to take care of, as a developer.
My friend explained it to me like this: when you use TurboTax, it shows you on the main page all the things you need to do. It's collapsible so you can see that at a high level, you need to do Income, Federal taxes, State/Local Taxes, and Wrapup - but it also shows you the subcategories that you can focus on. Each subcategory will bring you to its own page.
Now, this is a lot less complicated than that obviously, but I think that explains how showing the high-level view + task list will help the user a lot. Remember, there will generally be two types of users for this application: (1) security assessors, and (2) developers who just had a bug/user story opened on them to remediate a risk. I think security assessors are more comfortable with the app as-is, but these improvements to the UI will be the difference maker for the second group, which we shouldn't expect to know IAM very well; they just need a clear, task-list-focused experience.
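As an added illustration (not code from the project or from the comment author), here is one way the report generator could build the nested task-list structure sketched above from a flat list of findings, including the per-section counts the collapsible headers need. The findings list is constructed sample data taken from the values in the comment, and the `#policy-` href prefix is an assumption.

```python
# Constructed sample findings, one per (policy, risk category) pair, using the
# example ARNs, policy IDs and hashes from the comment above.
FINDINGS = [
    {"risk": "Data Exfiltration", "type": "AWS Managed Policies",
     "name": "arn:aws:iam::aws:policy/AWSLambdaFullAccess", "id": "ANPAI6E2CYYMI4XI7AA5K"},
    {"risk": "Data Exfiltration", "type": "AWS Managed Policies",
     "name": "arn:aws:iam::aws:policy/CloudWatchFullAccess", "id": "ANPAIKEABORKUXN6DEAZU"},
    {"risk": "Data Exfiltration", "type": "Inline Policies",
     "name": "InlinePolicyForAdminGroup (attached to arn:aws:iam::012345678901:group/admin)",
     "id": "0e1bd3995cfe6cfbbac133f1406839e6b415e5b5a412cd148ac78071d82e5b1b"},
    {"risk": "Resource Exposure", "type": "Customer Managed Policies",
     "name": "arn:aws:iam::012345678901:policy/InsecurePolicy", "id": "ANPABBBBAAAABBBBAAAA"},
    {"risk": "Privilege Escalation", "type": "AWS Managed Policies",
     "name": "arn:aws:iam::aws:policy/PowerUserAccess", "id": "ANPAJYRXTHIB4FOVS3ZXS"},
]

# Fixed section order so the UI renders every collapsible block, even empty ones.
RISKS = ("Data Exfiltration", "Resource Exposure", "Privilege Escalation")
POLICY_TYPES = ("AWS Managed Policies", "Customer Managed Policies", "Inline Policies")


def build_task_list(findings):
    """Group findings as risk -> policy type -> display name -> unique ID.

    Using the display name as the key means a policy flagged for the same
    risk twice appears once; the same policy under two risks appears in both.
    """
    tasks = {risk: {ptype: {} for ptype in POLICY_TYPES} for risk in RISKS}
    for f in findings:
        tasks[f["risk"]][f["type"]][f["name"]] = f["id"]
    return tasks


def section_counts(tasks):
    """Number of failing policies per risk, shown on each collapsed header."""
    return {risk: sum(len(group) for group in groups.values())
            for risk, groups in tasks.items()}


def href_for(unique_id):
    """Link target for the policy-details page, keyed on the stable policy ID
    or inline-policy SHA256. The '#policy-' prefix is this example's assumption."""
    return f"#policy-{unique_id}"
```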