New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor IAM permissions in CDO CloudFormation template #27413
Conversation
Statement: | ||
- Effect: Allow | ||
Action: 'sts:AssumeRole' | ||
Principal: {Service: ec2.amazonaws.com} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I might add an erb-macro for the standard AssumeRolePolicyDocument
boilerplate here, something like <%=service_role 'ec2' %>
could replace these five lines for most aws-service-role cases.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
9da6ed2
to
491cd5e
Compare
The current PR only adds resources to the
Migration plan:
|
d7f4cbd
to
7d23a91
Compare
This is working well in my manual tests at this point, so I'm going to start rolling out the added resources to the application stacks now. |
7d23a91
to
73e0ce0
Compare
- Use shared CloudFormation Service Role for all stack permissions - Require permissions boundary for all CloudFormation IAM Role actions, to allow stack-managed IAM resources with bounded permissions. - Add fine-grained, resource-specific IAM resources to stack template [ci skip]
73e0ce0
to
651f6ef
Compare
This PR refactors various existing admin-managed IAM-permissions resources (
AWS::IAM::Role
andAWS::IAM::InstanceProfile
) to stack-specific IAM resources, constrained to more fine-grained resources specific to the stack where they are located.Previously,
AWS::IAM
resources could not exist in application stacks because permissions toiam:*
APIs were restricted to theroot
account and 'admin' role (to prevent privilege-escalation from non-admin logins). This PR creates a CloudFormation Service Role granting CloudFormation just enoughiam
permissions to manage a few key IAM resources (AWS::IAM::Role
,AWS::IAM::ManagedPolicy
,AWS::IAM::InstanceProfile
) within stacks. Additionally, aCondition
requires allAWS::IAM::Role
s to include aPermissionsBoundary
, which prevents privilege-escalation through creating/assumingRole
resources. (See blog post for more details on how the permissions-boundary feature works.)This will provide better security (more restricted IAM permissions on
frontend
anddaemon
EC2 instance profiles), and simplifies permissions management moving forward (since we can createAWS::IAM
resources alongside the service resources in application-stack templates).Allowing for these fine-grained permissions within each application stack is also a prerequisite to integrating Secrets Manager service into our application.