Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Post an Article
Welcome To Ask or Share your Answers For Others

Categories

amazon web services - Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?

0 votes
679 views
in Technique[技术] by (71.8m points)

amazon web services - Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?

Just wondering whats the best practice for determining what permissions I should give for my CloudFormation template?

After some time of trying to give the minimal permissions it require, I find that thats really time consuming and error prone. I note that depending on the state of my stack, really new vs some updates vs delete, I will need different permissions.

I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it require?

Maybe I can give ec2:* access to resources tagged Cost Center: My Project Name? Is this ok? But I wonder what happens when I change my project name for example?

Alternatively, isit ok to assume its ok to give say ec2:* access based on the assumption the CloudFormation parts is usually only executed off CodeCommit/Github/CodePipeline and its not something that is likely to be public/easy to hack? --- Tho this sounds like a flawed statement to me ...

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.

For the long term: as mentioned in this 2019 re:invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.

E.g. for AWS::ImageBuilder::Image, the schema says

    "handlers": {
        "create": {
            "permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource"
            ]
        },
        "read": {
            "permissions": [
                "imagebuilder:GetImage"
            ]
        },
        "delete": {
            "permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource"
            ]
        },
        "list": {
            "permissions": [
                "imagebuilder:ListImages"
            ]
        }
    }

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

Just Browsing Browsing

1.4m articles

1.4m replys

5 comments

57.0k users

Most popular tags

Snow Theme by Q2A Market
Powered by Question2Answer
...