
Least privilege AWS IAM policy for CloudFormation

For small CloudFormation and CodePipeline templates we could "try - test" to get least privilege IAM Policy for the roles required.

This usually involves:

  • Starting with a minimal policy
  • Creating the stack
  • It fails with - stack doesn't have rights to someService:someAction
  • Add the service action to the policy
  • Update the stack and try again

This approach is too time consuming for larger CloudFormation Templates.
How are you developing Least Privilege IAM Policies?

Ideas:

  • Allow "*" and then scrape cloudtrail for events and build map for listed events to their equivalent roles - then reduce the roles to only those listed in the cloudtrail logs.

  • Access Advisor
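The first idea above (run with a broad policy, then derive the role's policy from what CloudTrail recorded) can be scripted. The following is an added example, not code from the question or from AWS: it reads a CloudTrail export in the standard "Records" JSON shape, keeps only the events made by sessions of one assumed role, maps each eventSource/eventName pair to an IAM action string and emits a policy document grouped by service. The trail records, the account id 111122223333 and the role name StackRole are constructed sample data; the digit-stripping in api_action is a heuristic for services such as Lambda that append an API version to eventName.

```python
"""Derive a least-privilege IAM policy skeleton from CloudTrail records.

Added example (not from the original post). Assumes a CloudTrail JSON export
("Records" array) and filters on sessions of one assumed role.
"""
from collections import defaultdict

# Constructed sample trail: three calls by sessions of StackRole (one of them
# denied, which still shows an action the role attempted) and one call by an
# unrelated IAM user that must be ignored.
SAMPLE_TRAIL = {
    "Records": [
        {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/StackRole/s1"}},
        {"eventSource": "lambda.amazonaws.com", "eventName": "CreateFunction20150331",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/StackRole/s1"}},
        {"eventSource": "logs.amazonaws.com", "eventName": "CreateLogGroup",
         "errorCode": "AccessDenied",
         "userIdentity": {"type": "AssumedRole",
                          "arn": "arn:aws:sts::111122223333:assumed-role/StackRole/s2"}},
        {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
         "userIdentity": {"type": "IAMUser",
                          "arn": "arn:aws:iam::111122223333:user/alice"}},
    ]
}


def api_action(record):
    """Map a CloudTrail record to an IAM action string such as 's3:CreateBucket'.

    eventSource is '<namespace>.amazonaws.com'. Some services (Lambda, for one)
    append an API version to eventName; IAM action names never carry it, so
    trailing digits are stripped as a heuristic (assumption, not an AWS rule).
    """
    namespace = record["eventSource"].split(".")[0]
    name = record["eventName"].rstrip("0123456789")
    return f"{namespace}:{name}"


def role_actions(trail, role_name):
    """Return {service namespace: set of actions} for sessions of role_name."""
    marker = f":assumed-role/{role_name}/"
    grouped = defaultdict(set)
    for record in trail["Records"]:
        identity = record.get("userIdentity", {})
        if identity.get("type") != "AssumedRole" or marker not in identity.get("arn", ""):
            continue
        action = api_action(record)
        grouped[action.split(":", 1)[0]].add(action)
    return grouped


def build_policy(trail, role_name):
    """Emit an IAM policy document with one Allow statement per service.

    Resource is left as "*": CloudTrail tells us which actions were used, but
    narrowing the resource ARNs is a manual step after this script runs.
    """
    grouped = role_actions(trail, role_name)
    statements = [
        {"Sid": f"{namespace.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(actions), "Resource": "*"}
        for namespace, actions in sorted(grouped.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    import json
    print(json.dumps(build_policy(SAMPLE_TRAIL, "StackRole"), indent=2))
```

Two caveats apply when using this on a real trail. The eventName is not always identical to the IAM action the call required (some APIs check permissions that never appear as their own event), so the generated document is a starting point to test, not a finished policy. And a denied call is kept deliberately: it records an action the stack attempted, which is exactly what the "try - test" loop in the question would have surfaced one failure at a time.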

Grant least privilege is a well-documented IAM Best Practice. The documentation recommends incrementally adding specific permissions, using the Access Advisor tab to determine which services are actually being used by an application (presumably using a broader set of permissions during the testing phase):

It's more secure to start with a minimum set of permissions and grant additional permissions as necessary, rather than starting with permissions that are too lenient and then trying to tighten them later.

Defining the right set of permissions requires some research to determine what is required for the specific task, what actions a particular service supports, and what permissions are required in order to perform those actions.

One feature that can help with this is the Access Advisor tab, which is available on the IAM console Summary page whenever you inspect a user, group, role, or policy. This tab includes information about which services are actually used by a user, group, role, or by anyone using a policy. You can use this information to identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of least privilege. For more information, see Service Last Accessed Data.

This approach is similar to scraping CloudTrail for API events generated by a specific IAM Role/application, though the latter might be more difficult to filter through the entire event stream in order to find the relevant events, while the Access Advisor list is already filtered for you.
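The Access Advisor data the answer describes is also available through the IAM API (GenerateServiceLastAccessedDetails followed by GetServiceLastAccessedDetails), which makes the "identify unnecessary permissions" step scriptable. The following is an added example, not code from the answer or from AWS: it takes a policy document plus a service-last-accessed response, reports the service namespaces the policy allows but the role never authenticated to, and returns a pruned copy of the policy. The response dict is constructed sample data shaped like the real API output (services never used carry no LastAuthenticated key); the policy is likewise constructed.

```python
"""Prune an IAM policy using service last accessed (Access Advisor) data.

Added example (not from the original answer). The response below is
constructed to match the shape of IAM GetServiceLastAccessedDetails output.
"""
import datetime as dt

# Constructed Access Advisor response: the role used S3 and Lambda, never EC2.
SAMPLE_LAST_ACCESSED = {
    "JobStatus": "COMPLETED",
    "ServicesLastAccessed": [
        {"ServiceName": "Amazon S3", "ServiceNamespace": "s3",
         "LastAuthenticated": dt.datetime(2020, 5, 1, tzinfo=dt.timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "AWS Lambda", "ServiceNamespace": "lambda",
         "LastAuthenticated": dt.datetime(2020, 5, 1, tzinfo=dt.timezone.utc),
         "TotalAuthenticatedEntities": 1},
        {"ServiceName": "Amazon EC2", "ServiceNamespace": "ec2",
         "TotalAuthenticatedEntities": 0},
    ],
}

# Constructed "too broad" testing policy attached to the stack role.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutBucketPolicy"], "Resource": "*"},
        {"Effect": "Allow", "Action": "lambda:CreateFunction", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    ],
}


def _actions(statement):
    """Action may be a single string or a list; normalise to a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def allowed_services(policy):
    """Service namespaces granted by Allow statements ('*' for a full wildcard)."""
    services = set()
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            continue
        for action in _actions(statement):
            services.add("*" if action == "*" else action.split(":", 1)[0].lower())
    return services


def used_services(last_accessed):
    """Namespaces with a LastAuthenticated timestamp in the Access Advisor data."""
    if last_accessed.get("JobStatus") != "COMPLETED":
        raise ValueError("service last accessed job has not completed")
    return {s["ServiceNamespace"] for s in last_accessed["ServicesLastAccessed"]
            if "LastAuthenticated" in s}


def unused_services(policy, last_accessed):
    """Services the policy allows that Access Advisor never saw authenticated."""
    return allowed_services(policy) - used_services(last_accessed) - {"*"}


def prune_policy(policy, last_accessed):
    """Return a copy of policy without actions for never-used services.

    Statements left with no actions are dropped; Deny statements and anything
    other than Action/Effect are passed through untouched.
    """
    drop = unused_services(policy, last_accessed)
    kept = []
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Allow":
            kept.append(dict(statement))
            continue
        actions = [a for a in _actions(statement)
                   if a == "*" or a.split(":", 1)[0].lower() not in drop]
        if actions:
            kept.append({**statement, "Action": actions})
    return {**policy, "Statement": kept}


if __name__ == "__main__":
    print("unused:", sorted(unused_services(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED)))
    print(prune_policy(SAMPLE_POLICY, SAMPLE_LAST_ACCESSED))
```

Access Advisor reports at service granularity, so this prunes whole services, not individual actions within a service that was used; trimming those still needs the CloudTrail approach or the action-level last accessed data IAM offers for a subset of services. A service with no use in the observed window may also still be needed on a rarely exercised path (a stack rollback, for instance), so run the pruned policy through a full create, update and delete cycle before relying on it.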
