https://github.com/awslabs/avp-local-agent


Repository

Basic Info
  • Host: GitHub
  • Owner: awslabs
  • License: apache-2.0
  • Language: Rust
  • Default Branch: main
  • Size: 181 KB
Statistics
  • Stars: 18
  • Watchers: 8
  • Forks: 3
  • Open Issues: 3
  • Releases: 2
Created over 2 years ago · Last pushed about 1 year ago

README.md

Amazon Verified Permissions (avp) Local Agent

This crate is experimental.

The avp-local-agent provides Amazon Verified Permissions policy and entity providers. These providers are used to build a simple::Authorizer.

The avp-local-agent will expand in capabilities in future releases.

For more information about the cedar local agent, please take a look at cedar-local-agent.

For more information about the Cedar language/project, please take a look at cedarpolicy.com.

For more information about Amazon Verified Permissions, please take a look at verified-permissions.

Usage

The Amazon Verified Permissions agent can be used in your application by depending on the avp-local-agent crate.

Add avp-local-agent as a dependency in your Cargo.toml file. For example:

```toml
[dependencies]
avp-local-agent = "2"
```

Note: AWS SDK dependencies are required for specifying the region and, optionally, for building a credentials provider. See Managing AWS Credentials below for more details on how to configure AWS credentials.

Managing AWS Credentials

The avp-local-agent invokes Amazon Verified Permissions APIs through an AWS SDK client in order to fetch remote policy data and refresh local caches. For local development of the agent, the recommended practice for managing AWS credentials for the SDK client is to store them locally on the machine where the tests will be invoked. For example,

Place AWS credentials in ~/.aws/credentials:

```ini
[default]
aws_access_key_id=<aws access key>
aws_secret_access_key=<aws secret access key>
```

Once credentials are stored locally in ~/.aws/credentials, see the Quick Start below for how this all fits together. In a nutshell, here is how the credentials are used to refresh remote policies from AVP:

Build an Amazon Verified Permissions client with a helper:

```rust
let client = verified_permissions_default_credentials(Region::new("us-east-1")).await;
```

This helper reads the AWS SigV4 credentials from the ~/.aws/credentials file by creating a SharedCredentialsProvider. Note that the SharedCredentialsProvider is instantiated with a DefaultCredentialsChain:

```rust
let creds = SharedCredentialsProvider::new(
    DefaultCredentialsChain::builder()
        .region(region.clone())
        .build()
        .await,
);
```

Overall, credential providers search for your AWS credentials in various local locations, in the following resolution order:

  1. Environment variables: EnvironmentVariableCredentialsProvider
  2. Shared config (~/.aws/config, ~/.aws/credentials): SharedConfigCredentialsProvider
  3. Web Identity Tokens
  4. ECS (IAM Roles for Tasks) & General HTTP credentials: ecs
  5. EC2 IMDSv2

If AWS credentials are stored in environment variables, say when the agent is deployed and running on an EC2 instance, use an EnvironmentVariableCredentialsProvider instead of a SharedConfigCredentialsProvider:

```rust
let creds = SharedCredentialsProvider::new(EnvironmentVariableCredentialsProvider::new());
let client = verified_permissions_with_credentials(Region::new("us-east-1"), creds).await;
```

Any credentials provider can be passed in, or you can write your own credentials provider.

For more information about specifying credentials see the following AWS Documentation:

Rust SDK - Specifying Your Credentials and Default Region

Recommended IAM Policy

For security purposes, we recommend that you create a user with the least-privileged IAM policy needed for the local agent to connect. Here is an example:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AVPLocalAgentPolicy",
      "Effect": "Allow",
      "Action": [
        "verifiedpermissions:ListPolicies",
        "verifiedpermissions:ListPolicyTemplates",
        "verifiedpermissions:GetPolicyTemplate",
        "verifiedpermissions:GetPolicy",
        "verifiedpermissions:GetSchema"
      ],
      "Resource": "arn:aws:verifiedpermissions::<account_id>:policy-store/<policy store id>"
    }
  ]
}
```

Instructions on how to create and assume IAM policies are available here.

Quick Start

Build an authorizer that uses an existing Amazon Verified Permissions policy store.

Build an Amazon Verified Permissions client:

```rust
let client = verified_permissions_default_credentials(Region::new("us-east-1")).await;
```

Build a policy set provider:

```rust
let policy_set_provider =
    PolicySetProvider::from_client("policy_store_id".to_string(), client.clone()).unwrap();
```

Build an entity provider (uses the optional policy store schema to generate action entities):

```rust
let entity_provider =
    EntityProvider::from_client("policy_store_id".to_string(), client.clone()).unwrap();
```

Build the authorizer:

```rust
let authorizer: Authorizer<PolicySetProvider, EntityProvider> = Authorizer::new(
    AuthorizerConfigBuilder::default()
        .entity_provider(Arc::new(entity_provider))
        .policy_set_provider(Arc::new(policy_set_provider))
        .build()
        .unwrap(),
);
```

Evaluate a decision:

```rust
assert_eq!(
    authorizer
        .is_authorized(
            &Request::new(
                Some("User::\"Cedar\"".parse().unwrap()),
                Some("Action::\"read\"".parse().unwrap()),
                Some("Box::\"3\"".parse().unwrap()),
                Context::empty(),
            ),
            &Entities::empty(),
        )
        .await
        .unwrap()
        .decision(),
    Decision::Deny
);
```

Updating policy and entity data asynchronously

See cedar-local-agent; the same pattern applies.

Logging

See cedar-local-agent; the same pattern applies.

Running integration tests

Integration tests require valid AWS credentials on the default credential provider chain. See the documentation to learn about this chain and how to configure your credentials to run the integration tests.

After credentials have been set, run:

```bash
cargo test --features integration-tests
```

Note: The integration tests create Amazon Verified Permissions resources within the account and the region specified (us-east-1).

General Security Notes

The following is a high-level description of some security concerns to keep in mind when using the avp-local-agent to enable local evaluation of Cedar policies stored in Amazon Verified Permissions policy stores.

Trusted Computing Environment

The avp-local-agent is a library that customers can wrap in, say, an HTTP server and deploy onto a fleet of hosts. It is therefore left to users to take any necessary precautions to address the security concerns that lie beyond what the avp-local-agent itself can enforce. This includes:

  1. Ensuring that AWS credentials are not stored in any source code that wraps the agent; see Managing AWS Credentials.
  2. Ensuring that the on-disk locations of OCSF logs have least-privilege filesystem permissions; see OCSF Log directory permissions.
  3. Ensuring that the avp-local-agent is configured securely; see Secure Agent Configuration.

OCSF Log directory permissions

The local authorizer provided in this crate requires read and write access to the directory where it writes OCSF logs.

Suppose we have the following directory structure:

```
authz-agent/
|- authz_daemon (executable)

ocsf-log-dir/
|- authorization.log.2023-11-15-21-02
...
```

Now suppose you have an OS user, authz-daemon, that executes authz_daemon, and that this user belongs to a group called "log-reader".

Make the authz-daemon user the owner of the ocsf-log-dir folder with:

```bash
$ chown -R authz-daemon:log-reader ocsf-log-dir
```

We now make ocsf-log-dir readable and writable by the owner but not writable by anyone else. Anyone in the log-reader group can read the contents of the folder but cannot write to it.

```bash
$ chmod u=wrx,g=rx,o= ocsf-log-dir
```

NOTE: The execute bit must be set on the directory in order to traverse it and access the files inside.

Any agent that needs to access the logs, such as the AWS CloudWatch Agent, should run as a user in the log-reader group so that it has the proper access (see the documentation for how to configure the CloudWatch Agent to run as a certain user).
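The following script is an added example, not part of the avp-local-agent repository: it applies the chown/chmod from this section and, more usefully, verifies that an OCSF log directory actually matches the recommended layout (mode 0750, expected owner and group, nothing world-writable underneath). It assumes GNU coreutils (stat -c) and takes the user and group names as arguments rather than hardcoding authz-daemon and log-reader.

```shell
#!/bin/sh
# Added example, not part of the avp-local-agent repository: check that an OCSF
# log directory has the ownership and mode the README recommends
# (owner rwx, group r-x, others nothing, i.e. 0750) and that nothing inside it
# is world-writable. Assumes GNU coreutils (stat -c); the user/group names
# authz-daemon / log-reader from the README are passed in as arguments.

# harden_log_dir DIR OWNER GROUP: apply the README's chown/chmod (needs root).
harden_log_dir() {
    chown -R "$2:$3" "$1" && chmod u=rwx,g=rx,o= "$1"
}

# check_log_dir_perms DIR OWNER GROUP: return 0 if DIR matches the policy,
# 1 otherwise, reporting each deviation on stderr.
check_log_dir_perms() {
    dir="$1"; want_owner="$2"; want_group="$3"; status=0

    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    mode=$(stat -c '%a' "$dir") || return 1
    owner=$(stat -c '%U' "$dir")
    group=$(stat -c '%G' "$dir")

    # Directory mode must be exactly 750: no world access, no group write.
    if [ "$mode" != "750" ]; then
        echo "$dir: mode is $mode, want 750 (u=rwx,g=rx,o=)" >&2; status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "$dir: owner is $owner, want $want_owner" >&2; status=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$dir: group is $group, want $want_group" >&2; status=1
    fi

    # Log files inherit the agent's umask, so also refuse world-writable entries.
    bad=$(find "$dir" -mindepth 1 -perm -002 2>/dev/null)
    if [ -n "$bad" ]; then
        echo "world-writable entries under $dir:" >&2
        echo "$bad" >&2; status=1
    fi

    return $status
}

# Usage: sh check_ocsf_dir.sh ocsf-log-dir authz-daemon log-reader
if [ "$#" -eq 3 ]; then
    check_log_dir_perms "$@"
fi
```

A non-zero exit from check_log_dir_perms is a reasonable thing to wire into host provisioning or a periodic compliance check, since a later chmod or a permissive umask on the agent would otherwise go unnoticed.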

Secure Agent Configuration

Users of the agent should ensure that they are following the instructions from the Managing AWS Credentials section of this README, as well as using an IAM role with the least privilege possible. We provide an example of a least privilege IAM role in the Recommended IAM Policy of this document.

As explained in the cedar-local-agent documentation, when setting up asynchronous updates of the policy set from AVP, we advise the user to make use of the existing signalers available in the cedar-local-agent crate:

  1. clock_ticker_task
  2. file_inspector_task

and in particular, as explained in the cedar-local-agent documentation, users should use a RefreshRate of at least 15 seconds, since refreshing more often risks overwhelming AVP and could lead to throttling. For example:

```rust
let (clock_ticker_signal_thread, receiver) = clock_ticker_task(RefreshRate::FifteenSeconds);
```

License

This project is licensed under the Apache-2.0 License.

Owner

  • Name: Amazon Web Services - Labs
  • Login: awslabs
  • Kind: organization
  • Location: Seattle, WA

AWS Labs

GitHub Events

Total
  • Create event: 5
  • Release event: 1
  • Issues event: 2
  • Watch event: 3
  • Delete event: 5
  • Issue comment event: 14
  • Push event: 12
  • Pull request review comment event: 28
  • Pull request review event: 41
  • Pull request event: 14
  • Fork event: 2
Last Year
  • Create event: 5
  • Release event: 1
  • Issues event: 2
  • Watch event: 3
  • Delete event: 5
  • Issue comment event: 14
  • Push event: 12
  • Pull request review comment event: 28
  • Pull request review event: 41
  • Pull request event: 14
  • Fork event: 2

Issues and Pull Requests


All Time
  • Total issues: 14
  • Total pull requests: 46
  • Average time to close issues: 18 days
  • Average time to close pull requests: 13 days
  • Total issue authors: 5
  • Total pull request authors: 13
  • Average comments per issue: 0.71
  • Average comments per pull request: 1.39
  • Merged pull requests: 41
  • Bot issues: 0
  • Bot pull requests: 10
Past Year
  • Issues: 1
  • Pull requests: 15
  • Average time to close issues: 2 months
  • Average time to close pull requests: about 1 month
  • Issue authors: 1
  • Pull request authors: 4
  • Average comments per issue: 1.0
  • Average comments per pull request: 2.07
  • Merged pull requests: 12
  • Bot issues: 0
  • Bot pull requests: 6
Top Authors
Issue Authors
  • camarcio (3)
  • ShiromMakkad (3)
  • eidelmanjonathan (2)
  • ericox (2)
  • GurvirDehal (1)
Pull Request Authors
  • dependabot[bot] (14)
  • ShiromMakkad (11)
  • camarcio (5)
  • eidelmanjonathan (4)
  • bassmanitram (4)
  • jiaqiwl (3)
  • GurvirDehal (3)
  • l-kli (2)
  • ericox (2)
  • maxzcxu (1)
  • qingsart (1)
  • alannulli (1)
  • foosiee (1)
Top Labels
Issue Labels
documentation (2) bug (1)
Pull Request Labels
dependencies (14) rust (4) documentation (2) github_actions (2) bug (1)

Packages

  • Total packages: 1
  • Total downloads:
    • cargo 3,724 total
  • Total dependent packages: 0
  • Total dependent repositories: 0
  • Total versions: 3
  • Total maintainers: 2
crates.io: avp-local-agent

Amazon Verified Permissions policy and entity providers. These providers are used to build a `cedar-local-agent` simple::Authorizer.

  • Versions: 3
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 3,724 Total
Rankings
Dependent repos count: 30.7%
Dependent packages count: 36.1%
Average: 55.0%
Downloads: 98.1%
Maintainers (2)

Dependencies

.github/workflows/build_and_test.yml actions
  • EmbarkStudios/cargo-deny-action v1 composite
  • actions/checkout v4 composite
  • actions/upload-artifact v3.1.3 composite
.github/workflows/ci.yml actions
.github/workflows/comment_pr.yml actions
  • Nef10/lcov-reporter-action v0.4.0 composite
  • dawidd6/action-download-artifact v2 composite
.github/workflows/nightly_build.yml actions
.github/workflows/semantic_version_check.yml actions
  • actions/checkout v4 composite
Cargo.lock cargo
  • 274 dependencies
Cargo.toml cargo
  • aws-smithy-async 1.0.2 development
  • aws-smithy-client 0.60.0 development
  • aws-smithy-http 0.60.0 development
  • aws-smithy-runtime 1.0.2 development
  • aws-smithy-types 1.0.2 development
  • aws-types 1.0.1 development
  • serial_test 2.0.0 development
  • async-trait 0.1.71
  • aws-config 1.0.1
  • aws-credential-types 1.0.1
  • aws-sdk-verifiedpermissions 1.3.0
  • aws-smithy-async 1.0.2
  • aws-smithy-http 0.60.0
  • aws-smithy-runtime-api 1.0.2
  • aws-types 1.0.1
  • backoff 0.4.0
  • cedar-local-agent 1.0
  • cedar-policy 2.4.2
  • cedar-policy-core 2.4.2
  • cedar-policy-formatter 2.4.2
  • cedar-policy-validator 2.4.2
  • chrono 0.4.26
  • derive_builder 0.12.0
  • futures 0.3.28
  • once_cell 1.18.0
  • rand 0.8.5
  • serde 1.0.166
  • serde_json 1.0.100
  • serde_repr 0.1.16
  • thiserror 1.0.41
  • tokio 1.0
  • tracing 0.1.37
  • uuid 1.4.1