Is there any way to determine what IAM permissions I actually need for a CloudFormation template?

Just wondering what's the best practice for determining what permissions I should give for my CloudFormation template?

After some time of trying to give the minimal permissions it requires, I find that that's really time consuming and error prone. I note that depending on the state of my stack (really new vs some updates vs delete), I will need different permissions.

I guess it should be possible for there to be some parser that, given a CloudFormation template, can determine the minimum set of permissions it requires?

Maybe I can give ec2:* access to resources tagged Cost Center: My Project Name? Is this ok? But I wonder what happens when I change my project name for example?

Alternatively, is it ok to assume it's ok to give say ec2:* access based on the assumption that the CloudFormation parts are usually only executed off CodeCommit/GitHub/CodePipeline and it's not something that is likely to be public/easy to hack? --- Though this sounds like a flawed statement to me ...

Jiew Meng asked Jul 30 '18 14:07
1 Answer

In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.

For the long term: as mentioned in this 2019 re:Invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.

E.g. for AWS::ImageBuilder::Image, the schema says:

    "handlers": {
        "create": {
            "permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource"
            ]
        },
        "read": {
            "permissions": [
                "imagebuilder:GetImage"
            ]
        },
        "delete": {
            "permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource"
            ]
        },
        "list": {
            "permissions": [
                "imagebuilder:ListImages"
            ]
        }
    }
Maria Ines Parnisari answered Oct 17 '22 00:10
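As an added illustration (not part of the answer above), here is the kind of "parser" the question asks for, built on the per-handler permissions the answer describes: it walks a template's Resources, unions the handler permissions for the chosen stack operations, and reports resource types with no known schema instead of silently dropping them. The schema table (copied from the excerpt in the answer), the phase-to-handler mapping and the sample template are all constructed for this example.

```python
from typing import Dict, Iterable, List, Set, Tuple

# Constructed schema table (example data). The AWS::ImageBuilder::Image entry
# copies the "handlers" excerpt quoted in the answer; real schemas can be
# fetched with `aws cloudformation describe-type --type RESOURCE --type-name`.
SCHEMAS: Dict[str, dict] = {
    "AWS::ImageBuilder::Image": {"handlers": {
        "create": {"permissions": [
            "iam:GetRole", "imagebuilder:GetImageRecipe",
            "imagebuilder:GetInfrastructureConfiguration",
            "imagebuilder:GetDistributionConfiguration",
            "imagebuilder:GetImage", "imagebuilder:CreateImage",
            "imagebuilder:TagResource"]},
        "read": {"permissions": ["imagebuilder:GetImage"]},
        "delete": {"permissions": ["imagebuilder:GetImage",
            "imagebuilder:DeleteImage", "imagebuilder:UnTagResource"]},
        "list": {"permissions": ["imagebuilder:ListImages"]},
    }},
}

# Assumption for this example: handlers exercised per stack operation. A type
# with no "update" handler is replaced on update, i.e. create + delete.
PHASE_HANDLERS = {"create": ("create", "read"), "update": ("update", "read"),
                  "delete": ("delete", "read")}

def required_permissions(template: dict,
                         phases: Iterable[str]) -> Tuple[Set[str], List[str]]:
    """Return (union of handler permissions, resources with no known schema).
    Unknown types are reported, not skipped, so the policy is not silently short."""
    perms: Set[str] = set()
    unknown: List[str] = []
    for logical_id, res in template.get("Resources", {}).items():
        rtype = res.get("Type", "")
        schema = SCHEMAS.get(rtype)
        if schema is None:
            unknown.append(f"{logical_id} ({rtype})")
            continue
        handlers = schema.get("handlers", {})
        for phase in phases:
            wanted = PHASE_HANDLERS[phase]
            if phase == "update" and "update" not in handlers:
                wanted = ("create", "delete", "read")
            for h in wanted:
                perms.update(handlers.get(h, {}).get("permissions", []))
    return perms, unknown

def policy_document(perms: Set[str]) -> dict:
    """Policy with exactly the collected actions; Resource is "*" since schemas list actions, not ARNs."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": sorted(perms), "Resource": "*"}]}
```

Anything returned in the unknown list (here an S3 bucket, for which no schema is loaded) still has to be covered by hand, which is the same gap the answer notes for aws-leastprivilege.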