IAM Permissions for a CI/CD Pipeline

I want to set up my deployment pipelines so that they adhere to the principle of least privilege when they deploy assets to AWS. That means I don't want to give the deployment policy admin access or "*:*" privileges.

The problem is that every time I create a new pipeline I have to go through a trial and error process:

  • Deploy
  • Get a failure due to missing IAM permissions
  • Update IAM Policy to add the missing permission
  • Repeat

I've searched for resources to help with this, but the general approach seems to be to overprovision the IAM policy, which I think is a really bad approach.

Are there any tools which you can use which will analyse a CloudFormation template and generate a JSON document of the required deployment policy? (Or for Serverless Framework or CDK?)

stang, asked Jun 17 '20 12:06


1 Answer

Great question; unfortunately, the answer is slightly tricky.

You're running up against a bit of a chicken-and-egg problem with all Infrastructure As Code providers (Serverless, CDK, CloudFormation, Terraform, etc).

Keep in mind that the IAM user which deploys your application is not the same as the IAM role that your application (Lambda) runs under.

This means that if you wanted to strictly limit the permissions of your deploy user so that it could only deploy specific resources, that's fine - however as you noted, you'll need to expand those permissions every time you want to deploy new resources. Notably, if you automate this process such that the role permissions are expanded every time you add new infrastructure - you've effectively granted your deploy user administrative access.

This is why most people use an over-provisioned deploy user in order to deploy their applications. It's not considered a bad approach for two reasons:

  1. Your application does not use this role when executing, so if you had some major vulnerability in your Lambda that allowed for remote code execution, the attacker couldn't compromise your entire AWS account.
  2. You're relying on your IaC provider to ensure that you do not create unneeded infrastructure (i.e., you and your IaC provider have the same level of access).

As long as the Lambda Execution role has a strict IAM policy, using an overprovisioned deployment user is fine.

Aaron Stuyvenberg, answered Oct 13 '22 19:10
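The answer above separates the broad deployer identity from the strictly scoped execution role. The Python script below is an added example, not code from the question, the answer, or any of the IaC tools mentioned; it shows a middle ground between "*:*" and the trial-and-error loop in the question. It reads a CloudFormation template (a constructed sample stack is embedded inline), derives a deployer policy limited to the IAM service prefixes the template's resource types actually use, and, where the template creates IAM roles, only allows role creation when the new role carries a permissions boundary, so that an automated widening of the template cannot mint an unbounded role. It also flags wildcard actions in the execution roles the template defines, which is the half of the picture the answer says must stay strict. The boundary ARN, account id, role path, and the service-prefix override table are assumptions or placeholders; the resource-type-to-prefix mapping is a heuristic that needs extending as new resource types appear.

```python
"""Service-scoped deployer policy from a CloudFormation template, plus an execution-role
wildcard check. Added example; ARNs, account id and role path are placeholders."""
import json

BOUNDARY_ARN = "arn:aws:iam::123456789012:policy/ci-role-boundary"  # placeholder
ACCOUNT_ID = "123456789012"                                         # placeholder
ROLE_PATH = "/ci-managed/"   # path the deployer may create roles under (assumption)

# Constructed sample stack: execution role, Lambda function, DynamoDB table, log group.
TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "FnRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "Path": ROLE_PATH,
                "PermissionsBoundary": BOUNDARY_ARN,
                "AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": [
                    {"Effect": "Allow", "Action": "sts:AssumeRole",
                     "Principal": {"Service": "lambda.amazonaws.com"}}]},
                "Policies": [{"PolicyName": "fn-inline", "PolicyDocument": {
                    "Version": "2012-10-17", "Statement": [
                        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                         "Resource": {"Fn::GetAtt": ["Table", "Arn"]}},
                        # Deliberately too broad so the linter below has something to flag.
                        {"Effect": "Allow", "Action": "logs:*", "Resource": "*"}]}}],
            },
        },
        "Fn": {"Type": "AWS::Lambda::Function", "Properties": {
            "Runtime": "python3.12", "Handler": "index.handler",
            "Role": {"Fn::GetAtt": ["FnRole", "Arn"]},
            "Code": {"ZipFile": "def handler(event, context): return 'ok'"}}},
        "Table": {"Type": "AWS::DynamoDB::Table", "Properties": {
            "BillingMode": "PAY_PER_REQUEST",
            "AttributeDefinitions": [{"AttributeName": "pk", "AttributeType": "S"}],
            "KeySchema": [{"AttributeName": "pk", "KeyType": "HASH"}]}},
        "LogGroup": {"Type": "AWS::Logs::LogGroup", "Properties": {"RetentionInDays": 14}},
    },
}

# Resource types are named AWS::<Service>::<Resource>; lowercasing <Service> gives the
# IAM service prefix for most types. Known exceptions go in this (assumed) override table.
PREFIX_OVERRIDES = {"CertificateManager": "acm", "ApiGatewayV2": "apigateway",
                    "ElasticLoadBalancingV2": "elasticloadbalancing"}

def service_prefixes(template):
    """Sorted IAM service prefixes that deploying this template will call."""
    prefixes = set()
    for res in template["Resources"].values():
        parts = res["Type"].split("::")
        if parts[0] != "AWS":                 # Custom::* resources are backed by Lambda
            continue
        if parts[1] == "Serverless":          # SAM transform expands to these services
            prefixes.update({"lambda", "apigateway", "iam"})
            continue
        prefixes.add(PREFIX_OVERRIDES.get(parts[1], parts[1].lower()))
    return sorted(prefixes)

def deployer_policy(template, boundary_arn=BOUNDARY_ARN):
    """Deployer policy limited to the template's services instead of '*:*'. Service-wide
    actions are still broad, but IAM roles can only be created or re-scoped with the boundary."""
    services = service_prefixes(template)
    statements = [{"Sid": "Stacks", "Effect": "Allow",
                   "Action": "cloudformation:*", "Resource": "*"}]
    non_iam = [p for p in services if p != "iam"]
    if non_iam:
        statements.append({"Sid": "StackServices", "Effect": "Allow",
                           "Action": [f"{p}:*" for p in non_iam], "Resource": "*"})
    if "iam" in services:
        role_arn = f"arn:aws:iam::{ACCOUNT_ID}:role{ROLE_PATH}*"
        statements += [
            {"Sid": "RolesOnlyWithBoundary", "Effect": "Allow",
             "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy",
                        "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
             "Resource": role_arn,
             "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}}},
            {"Sid": "RoleLifecycle", "Effect": "Allow",
             "Action": ["iam:GetRole", "iam:DeleteRole", "iam:PassRole", "iam:TagRole"],
             "Resource": role_arn}]
    return {"Version": "2012-10-17", "Statement": statements}

def wildcard_actions(template):
    """(logical id, action) pairs where an inline execution-role policy allows a wildcard."""
    hits = []
    for name, res in template["Resources"].items():
        if res["Type"] != "AWS::IAM::Role":
            continue
        for pol in res["Properties"].get("Policies", []):
            for stmt in pol["PolicyDocument"]["Statement"]:
                actions = stmt.get("Action", [])
                for action in ([actions] if isinstance(actions, str) else actions):
                    if stmt.get("Effect") == "Allow" and "*" in action:
                        hits.append((name, action))
    return hits

if __name__ == "__main__":
    print(json.dumps(deployer_policy(TEMPLATE), indent=2))
    print("wildcard actions in execution roles:", wildcard_actions(TEMPLATE))
```

The generated policy is still generous within each service, which is the trade-off the answer describes; what it removes is the account-wide "*:*" and, more importantly, the ability of a template change to create a role that escapes the boundary. For that to work in practice the boundary policy referenced by `BOUNDARY_ARN` must exist and every `AWS::IAM::Role` in the template must set `PermissionsBoundary` and a `Path` under `ROLE_PATH`, otherwise the `RolesOnlyWithBoundary` statement denies the create and the stack fails fast rather than deploying an unbounded role.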