For a least-access policy to be viable, I am thinking:

1. Tag instance during creation.
2. Tag security group and address immediately after creation, then do AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress and AssociateAddress.

That way, the policy can allow "anything" for tagged resources only and doesn't have to allow those three actions for the "*" resource.
Rationale
This allows a more granular IAM policy that allows full access to all resources created by Blox, without giving full access to everything EC2.
Example
This policy has been adapted from one that ScaleGrid uses for their BYOC (Bring Your Own Cloud) service. It assumes that instances are tagged on creation, and security groups and addresses are not. It may require adjustment for address tags, and/or tags on other resources Blox creates.
Feature
In https://github.com/bloxapp/blox-live/blob/master/app/backend/services/aws/aws.service.ts, create tags for the security group and address, not just the EC2 instance.
In addition, tag the Instance during creation, not after.
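As an added illustration (not code from blox-live or from this issue), the following sketches the tag-scoped policy described above together with the tag-on-create request parameters aws.service.ts would pass; the tag key `blox-managed`, the value `true` and the wildcard ARNs are assumptions.

```typescript
type Condition = Record<string, Record<string, string>>;
type Statement = { Effect: "Allow"; Action: string[]; Resource: string | string[]; Condition?: Condition };
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Marker tag applied to every resource Blox creates (assumed key/value, not the project's).
const TAG_KEY = "blox-managed";
const TAG_VALUE = "true";

// TagSpecifications accepted by RunInstances, CreateSecurityGroup and AllocateAddress, so the
// resource carries the marker tag from the moment it exists instead of being tagged afterwards.
function tagOnCreate(resourceType: "instance" | "security-group" | "elastic-ip") {
  return [{ ResourceType: resourceType, Tags: [{ Key: TAG_KEY, Value: TAG_VALUE }] }];
}

// Least-access policy: the three actions from the issue are granted only on resources that
// already carry the marker tag, so no statement needs Resource "*". RunInstances also needs
// permissions on the image, subnet, key pair and similar resources; those are left out here.
function leastAccessPolicy(): PolicyDocument {
  const sgArn = "arn:aws:ec2:*:*:security-group/*";
  const eipArn = "arn:aws:ec2:*:*:elastic-ip/*";
  const instanceArn = "arn:aws:ec2:*:*:instance/*";
  const onTagged: Condition = { StringEquals: { [`aws:ResourceTag/${TAG_KEY}`]: TAG_VALUE } };
  const tagInRequest: Condition = { StringEquals: { [`aws:RequestTag/${TAG_KEY}`]: TAG_VALUE } };
  return {
    Version: "2012-10-17",
    Statement: [
      // The instance must be tagged in the RunInstances request itself.
      { Effect: "Allow", Action: ["ec2:RunInstances"], Resource: instanceArn, Condition: tagInRequest },
      // Tag-on-create is a CreateTags call, scoped by ec2:CreateAction to that RunInstances.
      { Effect: "Allow", Action: ["ec2:CreateTags"], Resource: instanceArn,
        Condition: { StringEquals: { "ec2:CreateAction": "RunInstances" } } },
      // Security groups and addresses are tagged right after creation; the request must carry the marker tag.
      { Effect: "Allow", Action: ["ec2:CreateTags"], Resource: [sgArn, eipArn], Condition: tagInRequest },
      // Ingress changes and address association only on resources that already carry the tag.
      { Effect: "Allow", Action: ["ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"],
        Resource: sgArn, Condition: onTagged },
      { Effect: "Allow", Action: ["ec2:AssociateAddress"], Resource: [eipArn, instanceArn], Condition: onTagged },
    ],
  };
}

// Self-check: does any statement fall back to the "*" resource the issue wants to avoid?
function hasWildcardResource(policy: PolicyDocument): boolean {
  return policy.Statement.some(
    (s) => s.Resource === "*" || (Array.isArray(s.Resource) && s.Resource.indexOf("*") >= 0),
  );
}
```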