Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

IAM Permissions for a CI/CD Pipeline

Tags:

amazon-web-services

amazon-iam

I want to set up my deployment pipelines so that they adhere to the principle of least privilege when they deploy assets to AWS. That means I don't want to give the deployment policy admin access or "*:*" privileges.

The problem is that every time I create a new pipeline I have to go through a trial and error process:

  • Deploy
  • Get a failure due to missing IAM permissions
  • Update IAM Policy to add the missing permission
  • Repeat

I've searched for resources to help with this, but the general approach seems to be to overprovision the IAM policy, which I think is a really bad approach.

Are there any tools which you can use which will analyse a CloudFormation template and generate a JSON document of the required deployment policy? (Or for Serverless Framework or CDK?)

like image 428
stang Avatar asked Jun 17 '20 12:06

stang

People also ask

What are permission boundaries for IAM entities?

A permissions boundary is an IAM feature that helps your centralized cloud IAM teams to safely empower your application developers to create new IAM roles and policies in Amazon Web Services (AWS).

When granting IAM permissions which is best?

Apply least-privilege permissions When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions.

How are permissions assigned to an IAM group?

IAM user groupsAny user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that user group.

1 Answers

Great question, unfortunately, the answer is slightly tricky.

You're running up against a bit of a chicken-and-egg problem with all Infrastructure As Code providers (Serverless, CDK, CloudFormation, Terraform, etc).

Keep in mind that the IAM user which deploys your application is not the same as the IAM role that your application (Lambda) runs under.

This means that if you wanted to strictly limit the permissions of your deploy user so that it could only deploy specific resources, that's fine - however as you noted, you'll need to expand those permissions every time you want to deploy new resources. Notably, if you automate this process such that the role permissions are expanded every time you add new infrastructure - you've effectively granted your deploy user administrative access.

This is why most people use an over-provisioned deploy user in order to deploy their applications. It's not considered a bad approach for two reasons:

  1. Your application does not use this role when executing, so if you had some major vulnerability in your lambda that allowed for remote code execution, the attacker couldn't compromise your entire AWS account
  2. You're relying on your IAC provider to ensure that you do not create unneeded infrastructure. (IE: you and your IAC provider have the same level of access)

As long as the Lambda Execution role has a strict IAM policy, using an overprovisioned deployment user is fine.

like image 128
Aaron Stuyvenberg Avatar answered Oct 13 '22 19:10

Aaron Stuyvenberg
Sign in to Comment

Related questions

Redirect to built-in sign-in page for AWS Cognito user pool
Regex filtering of messages in SNS
Read Headers from Data Source in an AWS Glue Job
aws eb cli Windows get version error on colorama
Serverless custom domain
How to retrieve the current state of a running Step Functions in AWS
AWS Cloudwatch setup with Winston
Is there a way to "npm install" from AWS S3?
aws cognito pool with multiple sign in options
MongoDB: installation error on amazon linux 2
AWS ELB/ALB http/2 pass thru to EC2 instance via http/2 (not http/1.1)
Display Date as Local Timzone, not UTC in AWS Quicksight
HTTP 407 Proxy Authentication Required while accessing Amazon S3
POST file to AWS Mediastore with Python 3 without SDK, without CLI
How to send signed HTTP request from AWS Lambda to AppSync GraphQL?
How to view AWS Glue Spark UI
How to limit concurrency of a step in step functions
Why does terraform fail with "An argument named "flow_log_destination_type" is not expected here"?
Access Elastic Beanstalk environment properties in NGINX configs running on AWS Linux 2
AWS Amplify CLI CloudFront S3 Restrictions

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!