I want to set up my deployment pipelines so that they adhere to the principle of least privilege when they deploy assets to AWS. That means I don't want to give the deployment policy admin access or "*:*" privileges.
The problem is that every time I create a new pipeline I have to go through a trial-and-error process:
I've searched for resources to help with this, but the general approach seems to be to overprovision the IAM policy, which I think is a really bad approach.
Are there any tools which you can use which will analyse a CloudFormation template and generate a JSON document of the required deployment policy? (Or for Serverless Framework or CDK?)
A permissions boundary is an IAM feature that helps your centralized cloud IAM teams to safely empower your application developers to create new IAM roles and policies in Amazon Web Services (AWS).
Apply least-privilege permissions
When you set permissions with IAM policies, grant only the permissions required to perform a task. You do this by defining the actions that can be taken on specific resources under specific conditions, also known as least-privilege permissions.
IAM user groups
Any user in that user group automatically has the permissions that are assigned to the user group. If a new user joins your organization and should have administrator privileges, you can assign the appropriate permissions by adding the user to that user group.
Great question, unfortunately, the answer is slightly tricky.
You're running up against a bit of a chicken-and-egg problem with all Infrastructure-as-Code providers (Serverless, CDK, CloudFormation, Terraform, etc.).
Keep in mind that the IAM user which deploys your application is not the same as the IAM role that your application (Lambda) runs under.
This means that if you wanted to strictly limit the permissions of your deploy user so that it could only deploy specific resources, that's fine; however, as you noted, you'll need to expand those permissions every time you want to deploy new resources. Notably, if you automate this process such that the role permissions are expanded every time you add new infrastructure, you've effectively granted your deploy user administrative access.
This is why most people use an over-provisioned deploy user in order to deploy their applications. It's not considered a bad approach for two reasons:
As long as the Lambda Execution role has a strict IAM policy, using an overprovisioned deployment user is fine.
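An added example, not code from the question or the answer: a Python script that maps a CloudFormation template's resource types to IAM service namespaces and emits a deploy policy scoped to those services, where the deploy principal may create or change IAM roles only when a permissions boundary is attached, so the roles it mints for Lambda can never exceed that boundary. The sample template, account ID, boundary ARN and the SERVICE_OVERRIDES table are constructed placeholders.

```python
# Constructed sample template (JSON form) standing in for a real stack.
TEMPLATE = {"Resources": {
    "Fn": {"Type": "AWS::Lambda::Function"},
    "FnRole": {"Type": "AWS::IAM::Role"},
    "FnLogs": {"Type": "AWS::Logs::LogGroup"},
}}

# Type prefixes whose IAM namespace is not the lower-cased prefix (assumed table).
SERVICE_OVERRIDES = {"AWS::ApiGatewayV2": "apigateway", "AWS::CertificateManager": "acm",
                     "AWS::ElasticLoadBalancingV2": "elasticloadbalancing"}

def service_prefixes(template: dict) -> set:
    """IAM service namespaces touched by the template's AWS:: resources."""
    services = set()
    for res in template.get("Resources", {}).values():
        rtype = res["Type"]                        # e.g. "AWS::Lambda::Function"
        if not rtype.startswith("AWS::"):          # Custom:: resources are out of scope here
            continue
        prefix = "::".join(rtype.split("::")[:2])  # "AWS::Lambda"
        services.add(SERVICE_OVERRIDES.get(prefix, prefix.split("::")[1].lower()))
    return services

def deploy_policy(template: dict, account: str, boundary_arn: str) -> dict:
    """Deploy policy scoped to the template's services. Roles may be created or
    changed only with the boundary attached, and the boundary policy is read-only."""
    services = service_prefixes(template)
    roles = f"arn:aws:iam::{account}:role/*"
    statements = [{
        "Sid": "ServicesInTemplate", "Effect": "Allow",
        # service:* is still wider than the exact actions CloudFormation calls; tighten later.
        "Action": sorted(f"{s}:*" for s in (services - {"iam"}) | {"cloudformation"}),
        "Resource": "*"}]
    if "iam" in services:
        statements += [{
            "Sid": "RolesOnlyWithBoundary", "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
                       "iam:DetachRolePolicy", "iam:DeleteRolePolicy"],
            "Resource": roles,
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": boundary_arn}},
        }, {  # read/delete/pass need no boundary check; the boundary is already on the role
            "Sid": "RoleLifecycle", "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:DeleteRole", "iam:PassRole", "iam:TagRole"],
            "Resource": roles,
        }, {  # the deploy principal must never be able to widen the boundary itself
            "Sid": "ProtectBoundary", "Effect": "Deny",
            "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                       "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": boundary_arn,
        }]
    return {"Version": "2012-10-17", "Statement": statements}
```

The boundary policy itself (the ceiling on what any created role may do) is still authored centrally; this script only makes sure the pipeline cannot create a role without it.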