Tag AWS security group and address #155

Open
yorickdowne opened this issue Dec 4, 2021 · 0 comments
Labels
enhancement New feature or request

yorickdowne commented Dec 4, 2021

Feature

In https://github.com/bloxapp/blox-live/blob/master/app/backend/services/aws/aws.service.ts , create tags for the security group and address, not just the EC2 instance.
In addition, tag the Instance during creation, not after.

For a least-access policy to be viable, I am thinking:

  • Tag instance during creation
  • Tag security group and address immediately after creation, then do AuthorizeSecurityGroupIngress, RevokeSecurityGroupIngress and AssociateAddress.

That way, the policy can allow "anything" for tagged resources only and doesn't have to allow those three actions for "*" resource.

Rationale

This allows a more granular IAM policy that allows full access to all resources created by Blox, without giving full access to everything EC2.

Example

This policy has been adapted from one that ScaleGrid uses for their BYOC (Bring Your Own Cloud) service. It assumes that instances are tagged on creation, and security groups and addresses are not. It may require adjustment for address tags, and/or tags on other resources Blox creates.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadOnlyAccessToQueryDetails",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeAddresses",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateNewInstances",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:key-pair/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:image/*"
            ]
        },
        {
            "Sid": "AbilityToAutoTagNewInstancesCreatedByBlox",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:*/*",
            "Condition": {
                "ForAnyValue:StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                },
                "ForAnyValue:StringLike": {
                    "aws:TagKeys": [
                        "kv-version",
                        "Name",
                        "org-id"
                    ]
                }
            }
        },
        {
            "Sid": "FullAccessOnResourcesTaggedAsCreatedByBlox",
            "Effect": "Allow",
            "Action": [
                "ec2:*"
            ],
            "Resource": "arn:aws:ec2:*:*:*/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/Name": "blox-staking"
                }
            }
        },
        {
            "Sid": "CreateNewSecurityGroupOrAddress",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup",
                "ec2:AllocateAddress"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateTagsOnAddressesOrGroupsSinceTheyCannotBeAutoTaggedOnCreation",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:eip/*"
            ]
        },
        {
            "Sid": "KeyPairActionsWithDeleteOptional",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeKeyPairs",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair"
            ],
            "Resource": "*"
        }
    ]
}
```
yorickdowne added the "enhancement" label on Dec 4, 2021
yorickdowne changed the title from "Tag AWS security group, possibly address" to "Tag AWS security group and address" on Dec 4, 2021
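The call order the issue proposes, as an added example that is not blox-live's own code: a small in-memory stand-in for the EC2 client enforces the policy's `ec2:ResourceTag/Name` condition, so the tag-then-mutate sequence succeeds while tagging only afterwards is denied. Assumed: AWS SDK v3 input shapes, and the AMI id, VPC id and ingress rule are constructed placeholders.

```typescript
// Added example (not blox-live code). In-memory EC2 stand-in that denies mutating
// calls on resources not tagged Name=blox-staking, as the policy's ec2:* statement would.
interface Tag { Key: string; Value: string }
const BLOX_TAGS: Tag[] = [{ Key: "Name", Value: "blox-staking" }];
class PolicyCheckedEc2 {
  tags: { [id: string]: Tag[] } = {}; // resource id -> tags, as IAM would evaluate them
  calls: string[] = [];               // API actions in call order
  private newId(prefix: string): string { return prefix + "-" + this.calls.length; }
  private isBlox(id: string): boolean { return (this.tags[id] || []).some(t => t.Key === "Name" && t.Value === "blox-staking"); }
  private mutate(action: string, ...ids: string[]): void {
    this.calls.push(action);
    for (const id of ids) if (!this.isBlox(id)) throw new Error("AccessDenied: ec2:" + action + " on untagged " + id);
  }
  // Input shapes follow AWS SDK v3 EC2 commands (assumption); only the fields used here are typed.
  runInstances(p: { ImageId: string; TagSpecifications: { ResourceType: string; Tags: Tag[] }[] }) {
    this.calls.push("RunInstances");
    const id = this.newId("i");
    this.tags[id] = p.TagSpecifications.reduce<Tag[]>((acc, s) => acc.concat(s.Tags), []); // tagged at creation
    return { Instances: [{ InstanceId: id }] };
  }
  createSecurityGroup(_p: { GroupName: string; Description: string; VpcId: string }) {
    this.calls.push("CreateSecurityGroup"); const id = this.newId("sg"); this.tags[id] = []; return { GroupId: id };
  }
  allocateAddress(_p: { Domain: string }) {
    this.calls.push("AllocateAddress"); const id = this.newId("eipalloc"); this.tags[id] = []; return { AllocationId: id };
  }
  createTags(p: { Resources: string[]; Tags: Tag[] }): void {
    this.calls.push("CreateTags");
    for (const r of p.Resources) this.tags[r] = (this.tags[r] || []).concat(p.Tags);
  }
  authorizeSecurityGroupIngress(p: { GroupId: string; IpPermissions: object[] }) { this.mutate("AuthorizeSecurityGroupIngress", p.GroupId); }
  revokeSecurityGroupIngress(p: { GroupId: string; IpPermissions: object[] }) { this.mutate("RevokeSecurityGroupIngress", p.GroupId); }
  associateAddress(p: { InstanceId: string; AllocationId: string }) { this.mutate("AssociateAddress", p.AllocationId, p.InstanceId); }
}

// Constructed sample rule; the ports Blox actually opens are not on this page.
const SAMPLE_RULE = { IpProtocol: "tcp", FromPort: 22, ToPort: 22, IpRanges: [{ CidrIp: "203.0.113.0/24" }] };
// tagFirst=true is the order the issue proposes; tagFirst=false tags only after the mutating calls.
function provision(ec2: PolicyCheckedEc2, vpcId: string, tagFirst: boolean = true) {
  const { Instances } = ec2.runInstances({ ImageId: "ami-EXAMPLE", TagSpecifications: [{ ResourceType: "instance", Tags: BLOX_TAGS }] });
  const { GroupId } = ec2.createSecurityGroup({ GroupName: "blox-staking", Description: "Blox validator", VpcId: vpcId });
  const { AllocationId } = ec2.allocateAddress({ Domain: "vpc" });
  if (tagFirst) ec2.createTags({ Resources: [GroupId, AllocationId], Tags: BLOX_TAGS }); // before any mutation
  ec2.authorizeSecurityGroupIngress({ GroupId, IpPermissions: [SAMPLE_RULE] });
  ec2.revokeSecurityGroupIngress({ GroupId, IpPermissions: [SAMPLE_RULE] });
  ec2.associateAddress({ InstanceId: Instances[0].InstanceId, AllocationId });
  if (!tagFirst) ec2.createTags({ Resources: [GroupId, AllocationId], Tags: BLOX_TAGS }); // too late for the policy
  return { instanceId: Instances[0].InstanceId, groupId: GroupId, allocationId: AllocationId, calls: ec2.calls };
}
```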