AWS permission optimization tool automatically recommends removal of unused permissions

A certain center has launched a new IAM Access Analyzer feature that uses automated reasoning to identify unused cloud service permissions and to generate least-privilege policy recommendations. The tool can parse complex policies that contain wildcards, builds a prefix tree (trie) on a mathematical foundation, and ensures that the recommended policy is both safe and concise.

A worked permission optimization case

Suppose an IAM role named "MyRole" has the following policy attached:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:AddPermission",
        "lambda:GetFunctionConfiguration",
        "lambda:UpdateFunctionConfiguration",
        "lambda:UpdateFunctionCode",
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:ListVersionsByFunction",
        "lambda:GetFunction",
        "lambda:Invoke*"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Identifying unused permissions

After analysis, Access Analyzer produces the following unused-permission report:

[
  {
    "serviceNamespace": "lambda",
    "actions": [
      "UpdateFunctionCode",
      "GetFunction",
      "ListVersionsByFunction",
      "UpdateFunctionConfiguration",
      "CreateFunction",
      "DeleteFunction",
      "GetFunctionConfiguration",
      "AddPermission"
    ]
  },
  {
    "serviceNamespace": "s3",
    "actions": [
      "GetBucketLocation",
      "GetBucketWebsite",
      "GetBucketPolicyStatus",
      "GetAccelerateConfiguration",
      "GetBucketPolicy",
      "GetBucketRequestPayment",
      "GetReplicationConfiguration",
      "GetBucketLogging",
      "GetBucketObjectLockConfiguration",
      "GetBucketNotification",
      "GetLifecycleConfiguration",
      "GetAnalyticsConfiguration",
      "GetBucketCORS",
      "GetInventoryConfiguration",
      "GetBucketPublicAccessBlock",
      "GetEncryptionConfiguration",
      "GetBucketAcl",
      "GetBucketVersioning",
      "GetBucketOwnershipControls",
      "GetBucketTagging",
      "GetIntelligentTieringConfiguration",
      "GetMetricsConfiguration"
    ]
  }
]

Automated policy recommendation

The system then generates the optimized policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "lambda:Invoke*"
      ],
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:my-lambda"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetAccess*",
        "s3:GetAccountPublicAccessBlock",
        "s3:GetDataAccess",
        "s3:GetJobTagging",
        "s3:GetMulti*",
        "s3:GetObject*",
        "s3:GetStorage*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}

Technical implementation

Least general generalization

The tool applies the mathematical principle of "least general generalization": the rewritten policy removes the unused permissions while keeping the granted scope as small as possible, so no action that was not already allowed and used is introduced.

Prefix tree data structure

A prefix tree (trie) is built to handle actions that contain wildcards:

  • each node represents an action-name prefix
  • green nodes are safe prefixes (no unused action lies beneath them)
  • orange nodes are unsafe prefixes (at least one unused action lies beneath them)

Wildcard optimization algorithm

The trie is traversed to find the shortest safe prefix strings:

  • identify nodes that are themselves safe but whose parent is unsafe
  • merge the actions beneath such a node into one wildcard entry
  • emit concise, safe policy statements

This approach keeps the recommendations accurate and the resulting policies maintainable, helping users put the principle of least privilege into practice.
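The following Python example, added here and not part of the original post or of the Access Analyzer implementation, walks through both the case above and the algorithm just described: it expands the policy's wildcard actions against a catalog, computes the unused-permission report as "granted minus observed", builds the trie with safe (green) and unsafe (orange) nodes, and emits a wildcard entry at each safe node whose parent is unsafe. The S3 action catalog and the observed activity are constructed, abbreviated samples; the real catalog is the service authorization reference and real activity comes from the account's access history. One detail the post does not specify is where the tool cuts the wildcard (its output shows `s3:GetAccess*` next to `s3:GetAccountPublicAccessBlock`); this example assumes the wildcard follows the longest common prefix of the actions it covers and that a prefix covering a single action is written out in full. Every not-granted catalog action is treated as unsafe too, so a wildcard can never regrant something the original policy did not allow.

```python
import fnmatch
import os

# Constructed, abbreviated S3 action catalog (the real list is the service
# authorization reference); only the names matter to the algorithm.
S3_ACTIONS = [
    "GetObject", "GetObjectAcl", "GetObjectTagging", "GetObjectVersion",
    "GetBucketPolicy", "GetBucketAcl", "GetBucketLocation", "GetBucketVersioning",
    "GetAccessPoint", "GetAccessPointPolicy", "GetAccountPublicAccessBlock",
    "GetStorageLensConfiguration", "GetStorageLensDashboard",
    "GetDataAccess",
    "ListBucket", "ListAllMyBuckets",
    "PutObject", "DeleteObject",
]

# Constructed activity: the actions the role was actually observed calling.
OBSERVED = [
    "GetObject", "GetObjectAcl", "GetObjectTagging", "GetObjectVersion",
    "GetAccessPoint", "GetAccessPointPolicy", "GetAccountPublicAccessBlock",
    "GetStorageLensConfiguration", "GetStorageLensDashboard", "GetDataAccess",
    "ListBucket", "ListAllMyBuckets",
]


def expand(patterns, catalog):
    """Expand IAM-style wildcard action patterns (matched case-insensitively) against the catalog."""
    return {a for a in catalog
            if any(fnmatch.fnmatchcase(a.lower(), p.lower()) for p in patterns)}


def unused_actions(granted_patterns, observed, catalog):
    """The unused-access report: granted by the policy but never observed in activity."""
    return sorted(expand(granted_patterns, catalog) - set(observed))


class Node:
    __slots__ = ("children", "safe", "used_here")

    def __init__(self):
        self.children = {}
        self.safe = True        # green: no not-used action passes through this node
        self.used_here = False  # a used action ends exactly at this node


def build_trie(used, catalog):
    """Insert every catalog action; each node on the path of a not-used action turns orange (unsafe)."""
    used = set(used)
    root = Node()
    for action in catalog:
        ok = action in used
        node = root
        node.safe = node.safe and ok
        for ch in action:
            node = node.children.setdefault(ch, Node())
            node.safe = node.safe and ok
        node.used_here = node.used_here or ok
    return root


def _used_below(node, prefix):
    """All used action names that end in this node's subtree."""
    names = [prefix] if node.used_here else []
    for ch, child in node.children.items():
        names.extend(_used_below(child, prefix + ch))
    return names


def minimal_patterns(used, catalog):
    """Emit one entry per safe node whose parent is unsafe (the shortest safe prefixes).

    Assumed heuristic: the '*' is placed after the longest common prefix of the
    covered actions, and a prefix covering a single action is written out in full.
    """
    out = []

    def walk(node, prefix):
        if node.safe:
            covered = _used_below(node, prefix)
            if len(covered) == 1:
                out.append(covered[0])
            elif covered:
                out.append(os.path.commonprefix(covered) + "*")
            return
        if node.used_here:
            out.append(prefix)  # used action whose longer siblings include unused ones
        for ch, child in sorted(node.children.items()):
            walk(child, prefix + ch)

    walk(build_trie(used, catalog), "")
    return out


def recommend(granted_patterns, observed, catalog, namespace="s3"):
    """Rewrite a statement's action list so that it grants exactly the used actions."""
    used = expand(granted_patterns, catalog) & set(observed)
    patterns = minimal_patterns(used, catalog)
    # Least-general-generalization check: nothing regained, nothing used lost.
    assert expand(patterns, catalog) == used
    return [f"{namespace}:{p}" for p in patterns]


if __name__ == "__main__":
    print("unused:", unused_actions(["Get*", "List*"], OBSERVED, S3_ACTIONS))
    print("recommended:", recommend(["Get*", "List*"], OBSERVED, S3_ACTIONS))
```

The assertion in `recommend` is the property the post's "least general generalization" principle guarantees: the expanded recommendation must equal the set of used actions exactly, which is the check to run before applying any generated policy. Note that an action such as `GetObject` whose longer siblings (`GetObjectAcl`, ...) are unused cannot be covered by a wildcard; the trie walk emits it by its exact name instead.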
