diff --git a/notes/policies.md b/notes/policies.md new file mode 100644 index 0000000..1210de7 --- /dev/null +++ b/notes/policies.md @@ -0,0 +1,412 @@ +# Policies + +Specifically talking about IAM policies necessary for enabling OIDC between GitHub runners and AWS. +There is an excellent tutorial on how to get started with this in the AWS credential action's repo: +https://github.com/aws-actions/configure-aws-credentials?tab=readme-ov-file#oidc. + +One thing they can't cover there is what permissions to give, because they are application specific. +I have been meaning to add the policies you should set here somewhere, so I am dumping it in this note. + +I split my policies into two parts: access and server. +I am not sure if these are exactly least priviledge, but pretty close, + I suggest monitoring the access and reducing as seems possible. + +Please remember that these are just my notes, make good decisions and evaluate your security concerns. + +## Access + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "VPC", + "Effect": "Allow", + "Action": [ + "ec2:CreateVpc", + "ec2:DeleteVpc", + "ec2:DescribeVpcs", + "ec2:DescribeVpcAttribute", + "ec2:ModifyVpcAttribute", + "ec2:MoveAddressToVpc", + "ec2:DisassociateVpcCidrBlock", + "ec2:AssociateVpcCidrBlock", + "ec2:CreateDefaultVpc", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "InternetGateway", + "Effect": "Allow", + "Action": [ + "ec2:CreateInternetGateway", + "ec2:DeleteInternetGateway", + "ec2:AttachInternetGateway", + "ec2:DetachInternetGateway", + "ec2:DescribeInternetGateways", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "Route", + "Effect": "Allow", + "Action": [ + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:CreateRouteTable", + "ec2:DeleteRouteTable", + "ec2:DescribeRouteTables", + "ec2:DisassociateRouteTable", + "ec2:ReplaceRoute", + "ec2:ReplaceRouteTableAssociation", + "ec2:AssociateRouteTable", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "Subnet", + "Effect": "Allow", + "Action": [ + "ec2:CreateSubnet", + "ec2:AssociateSubnetCidrBlock", + "ec2:CreateSubnetCidrReservation", + "ec2:DeleteSubnetCidrReservation", + "ec2:DisassociateSubnetCidrBlock", + "ec2:GetSubnetCidrReservations", + "ec2:ModifySubnetAttribute", + "ec2:CreateDefaultSubnet", + "ec2:DeleteSubnet", + "ec2:DescribeSubnets", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags", + "ec2:DescribeAvailabilityZones" + ], + "Resource": "*" + }, + { + "Sid": "SecurityGroup", + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:DescribeSecurityGroups", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DescribeSecurityGroupReferences", + "ec2:ModifySecurityGroupRules", + "ec2:DescribeSecurityGroupRules", + "ec2:RevokeSecurityGroupIngress", + "ec2:RevokeSecurityGroupEgress", + "ec2:UpdateSecurityGroupRuleDescriptionsEgress", + "ec2:UpdateSecurityGroupRuleDescriptionsIngress", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "SshKeyPair", + "Effect": "Allow", + "Action": [ + "ec2:CreateKeyPair", + "ec2:DeleteKeyPair", + "ec2:DescribeKeyPairs", + "ec2:ImportKeyPair", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "Loadbalancing", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:CreateLoadBalancer", + "ec2:CreateSecurityGroup", + "ec2:DescribeAccountAttributes", + "ec2:DescribeInternetGateways", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "elasticloadbalancing:AttachLoadBalancerToSubnets", + "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "ec2:DescribeClassicLinkInstances", + "ec2:DescribeInstances", + "elasticloadbalancing:DescribeInstanceHealth", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer", + "ec2:DescribeVpcClassicLink", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:DescribeSSLPolicies", + "elasticloadbalancing:DescribeListenerCertificates", + "elasticloadbalancing:AddListenerCertificates", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteRule", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DeregisterTargets", + "elasticloadbalancing:ModifyListener", + "elasticloadbalancing:ModifyRule", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetRulePriorities", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:CreateLoadBalancerPolicy", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancerPolicy", + "elasticloadbalancing:DetachLoadBalancerFromSubnets", + "elasticloadbalancing:SetLoadBalancerListenerSSLCertificate", + "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", + "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" + ], + "Resource": "*" + } + ] +} +``` + +## Server + +``` +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "ManageEC2Instances", + "Effect": "Allow", + "Action": [ + "ec2:DescribeInstanceAttribute", + "ec2:DescribeInstances", + "ec2:DescribeInstanceStatus", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeInstanceCreditSpecifications", + "ec2:DescribeInstanceTypes", + "ec2:GetInstanceTypesFromInstanceRequirements", + "ec2:ImportInstance", + "ec2:ModifyInstanceAttribute", + "ec2:ModifyInstanceMetadataOptions", + "ec2:RebootInstances", + "ec2:ReportInstanceStatus", + "ec2:ResetInstanceAttribute", + "ec2:RunInstances", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:TerminateInstances", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "AddressAndInterface", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAddresses", + "ec2:DescribeAddressesAttribute", + "ec2:DescribeAddressTransfers", + "ec2:DescribeMovingAddresses", + "ec2:DisableAddressTransfer", + "ec2:DisassociateAddress", + "ec2:EnableAddressTransfer", + "ec2:ModifyAddressAttribute", + "ec2:MoveAddressToVpc", + "ec2:ReleaseAddress", + "ec2:ResetAddressAttribute", + "ec2:UnassignIpv6Addresses", + "ec2:UnassignPrivateIpAddresses", + "ec2:AcceptAddressTransfer", + "ec2:AllocateAddress", + "ec2:AssignIpv6Addresses", + "ec2:AssignPrivateIpAddresses", + "ec2:AssociateAddress", + "ec2:AttachNetworkInterface", + "ec2:CreateNetworkInterface", + "ec2:CreateNetworkInterfacePermission", + "ec2:DeleteNetworkInterface", + "ec2:DeleteNetworkInterfacePermission", + "ec2:DescribeNetworkInterfaceAttribute", + "ec2:DescribeNetworkInterfacePermissions", + "ec2:DescribeNetworkInterfaces", + "ec2:DetachNetworkInterface", + "ec2:ModifyNetworkInterfaceAttribute", + "ec2:ResetNetworkInterfaceAttribute", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "Image", + "Effect": "Allow", + "Action": [ + "ec2:CopyImage", + "ec2:CreateImage", + "ec2:CreateRestoreImageTask", + "ec2:CreateStoreImageTask", + "ec2:DeregisterImage", + "ec2:DescribeExportImageTasks", + "ec2:DescribeImageAttribute", + "ec2:DescribeImages", + "ec2:DescribeImportImageTasks", + "ec2:DescribeStoreImageTasks", + "ec2:DisableImageDeprecation", + "ec2:EnableImageDeprecation", + "ec2:ExportImage", + "ec2:ImportImage", + "ec2:ListImagesInRecycleBin", + "ec2:ModifyImageAttribute", + "ec2:RegisterImage", + "ec2:ResetImageAttribute", + "ec2:RestoreImageFromRecycleBin", + "ec2:CancelImageLaunchPermission", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "ManageVolumesAndSnapshots", + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:CreateReplaceRootVolumeTask", + "ec2:CreateVolume", + "ec2:DeleteVolume", + "ec2:DescribeReplaceRootVolumeTasks", + "ec2:DescribeVolumeAttribute", + "ec2:DescribeVolumes", + "ec2:DescribeVolumesModifications", + "ec2:DescribeVolumeStatus", + "ec2:DetachVolume", + "ec2:EnableVolumeIO", + "ec2:ImportVolume", + "ec2:ModifyVolume", + "ec2:ModifyVolumeAttribute", + "ec2:CopySnapshot", + "ec2:CreateSnapshot", + "ec2:CreateSnapshots", + "ec2:DeleteSnapshot", + "ec2:DescribeImportSnapshotTasks", + "ec2:DescribeSnapshotAttribute", + "ec2:DescribeSnapshots", + "ec2:DescribeSnapshotTierStatus", + "ec2:ImportSnapshot", + "ec2:ListSnapshotsInRecycleBin", + "ec2:ModifySnapshotAttribute", + "ec2:ModifySnapshotTier", + "ec2:ResetSnapshotAttribute", + "ec2:RestoreSnapshotFromRecycleBin", + "ec2:RestoreSnapshotTier", + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags" + ], + "Resource": "*" + }, + { + "Sid": "ManageHostnames", + "Effect": "Allow", + "Action": [ + "route53Domains:EnableDomainAutoRenew", + "route53Domains:GetDomainDetail", + "route53Domains:ListDomains", + "route53Domains:ListOperations", + "route53Domains:PushDomain", + "route53Domains:RegisterDomain", + "route53Domains:RenewDomain", + "route53Domains:UpdateDomainContact", + "route53Domains:UpdateDomainContactPrivacy", + "route53Domains:UpdateDomainNameservers", + "route53Resolver:AssociateResolverEndpointIpAddress", + "route53Resolver:UpdateResolverConfig", + "route53:AssociateVPCWithHostedZone", + "route53:CreateHostedZone", + "route53:DeleteHostedZone", + "route53:DisassociateVPCFromHostedZone", + "route53:UpdateHostedZoneComment", + "route53:GetHostedZone", + "route53:GetHostedZoneCount", + "route53:GetHostedZoneLimit", + "route53:ListHostedZones", + "route53:ListHostedZonesByName", + "route53:ListHostedZonesByVPC", + "route53:ListResourceRecordSets", + "route53:ChangeResourceRecordSets", + "route53Resolver:TagResource", + "route53Resolver:UntagResource", + "route53Domains:UpdateTagsForDomain", + "route53Domains:ListTagsForDomain", + "route53Domains:DeleteTagsForDomain", + "route53:ListTagsForResource", + "route53:ChangeTagsForResource", + "route53:ListTagsForResource", + "route53:ListTagsForResources" + ], + "Resource": "*" + }, + { + "Sid": "S3ForBackup", + "Effect": "Allow", + "Action": [ + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:ListBucket", + "s3:ListBucketVersions", + "s3:PutBucketTagging", + "s3:PutBucketVersioning", + "s3:DeleteObject", + "s3:DeleteObjectTagging", + "s3:GetObject", + "s3:GetObjectAcl", + "s3:GetObjectAttributes", + "s3:GetObjectRetention", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:PutObjectRetention", + "s3:PutObjectTagging", + "s3:RestoreObject", + "s3:GetBucketTagging" + ], + "Resource": "*" + } + ] +} +```