
Is there any way to determine what IAM permissions I actually need for a CloudFormation template?

Just wondering what's the best practice for determining what permissions I should give for my CloudFormation template?

After some time of trying to give the minimal permissions it requires, I find that that's really time consuming and error prone. I note that depending on the state of my stack (really new vs. some updates vs. delete), I will need different permissions.

I guess it should be possible for there to be some parser that, given a CloudFormation template, can determine the minimum set of permissions it requires?

Maybe I can give ec2:* access to resources tagged Cost Center: My Project Name? Is this ok? But I wonder what happens when I change my project name, for example?

Alternatively, is it ok to assume it's ok to give, say, ec2:* access based on the assumption that the CloudFormation parts are usually only executed off CodeCommit/GitHub/CodePipeline and it's not something that is likely to be public/easy to hack? --- Though this sounds like a flawed statement to me ...

In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.

For the long term: as mentioned in this 2019 re:Invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.

E.g. for AWS::ImageBuilder::Image, the schema says:

    "handlers": {
        "create": {
            "permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource"
            ]
        },
        "read": {
            "permissions": [
                "imagebuilder:GetImage"
            ]
        },
        "delete": {
            "permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource"
            ]
        },
        "list": {
            "permissions": [
                "imagebuilder:ListImages"
            ]
        }
    }
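The answer above shows where the per-handler permissions live in a resource provider schema; the question asks for a parser that turns a template into a minimal permission set. The following script is an added example (not code from the original post, the asker, the answerer, or the aws-leastprivilege project) of how the two fit together: it reads the resource types out of a template, looks up each type's `handlers` block, and emits one IAM statement per stack lifecycle operation (create, update, delete), which also addresses the point that different stack states need different permissions. The template and the schema dictionary are constructed inline so the script runs offline; the `AWS::ImageBuilder::Image` entry copies the handlers block quoted in the answer. The mapping of lifecycle operations to handler names is an assumption made for this example, and the `Resource: "*"` in the output is deliberate, since the schema tells you which actions are needed but not which ARNs to scope them to.

```python
"""Derive a least-privilege IAM policy for a CloudFormation stack from
resource provider schemas (the "handlers" -> "permissions" blocks).

Added example for this Q&A; not the project's own tooling.
"""
import json
from typing import Dict, Iterable, List, Set

# Constructed sample template with one resource whose schema is quoted in the answer.
SAMPLE_TEMPLATE: dict = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoldenImage": {
            "Type": "AWS::ImageBuilder::Image",
            "Properties": {
                # Placeholder ARNs; values are constructed, not real resources.
                "ImageRecipeArn": "arn:aws:imagebuilder:REGION:ACCOUNT:image-recipe/example/1.0.0",
                "InfrastructureConfigurationArn": "arn:aws:imagebuilder:REGION:ACCOUNT:infrastructure-configuration/example",
            },
        }
    },
}

# Schemas keyed by CloudFormation type name. Only the "handlers" part matters here.
# The ImageBuilder entry reproduces the handlers block from the answer above.
SCHEMAS: Dict[str, dict] = {
    "AWS::ImageBuilder::Image": {
        "handlers": {
            "create": {"permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource",
            ]},
            "read": {"permissions": ["imagebuilder:GetImage"]},
            "delete": {"permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource",
            ]},
            "list": {"permissions": ["imagebuilder:ListImages"]},
        }
    }
}

# Assumption for this example: which handlers CloudFormation invokes per stack operation.
# A stack create runs the create handler and then reads the resource back; an update runs
# the update handler (absent for immutable types such as the one above) plus a read; a
# delete runs the delete handler.
LIFECYCLE_HANDLERS: Dict[str, tuple] = {
    "create": ("create", "read"),
    "update": ("update", "read"),
    "delete": ("delete",),
}


def resource_types(template: dict) -> List[str]:
    """Return the distinct resource types declared in a template, sorted."""
    return sorted({res["Type"] for res in template.get("Resources", {}).values()})


def missing_schemas(template: dict, schemas: Dict[str, dict]) -> List[str]:
    """Types in the template for which no schema is available (these still need manual review)."""
    return [t for t in resource_types(template) if t not in schemas]


def permissions_for(type_name: str, handler_names: Iterable[str], schemas: Dict[str, dict]) -> Set[str]:
    """Union of the permissions listed for the given handlers of one resource type."""
    handlers = schemas[type_name].get("handlers", {})
    perms: Set[str] = set()
    for name in handler_names:
        # A missing handler (e.g. no "update" on an immutable type) contributes nothing.
        perms.update(handlers.get(name, {}).get("permissions", []))
    return perms


def build_policy(template: dict, schemas: Dict[str, dict],
                 operations: Iterable[str] = ("create", "update", "delete")) -> dict:
    """Build an IAM policy document with one statement per stack lifecycle operation."""
    unknown = missing_schemas(template, schemas)
    if unknown:
        raise ValueError(f"no schema for resource types: {', '.join(unknown)}")
    statements = []
    for op in operations:
        actions: Set[str] = set()
        for type_name in resource_types(template):
            actions.update(permissions_for(type_name, LIFECYCLE_HANDLERS[op], schemas))
        if actions:
            # Resource scoping is a separate step: the schema lists actions, not ARNs.
            statements.append({"Sid": op.capitalize(), "Effect": "Allow",
                               "Action": sorted(actions), "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    print(json.dumps(build_policy(SAMPLE_TEMPLATE, SCHEMAS), indent=2))
```

To run this against real types, replace the embedded `SCHEMAS` entries with the `Schema` field returned by `aws cloudformation describe-type --type RESOURCE --type-name <Type>` for each type in the template; types that have not yet been migrated to the public schema return no handler permissions, which is why `build_policy` refuses to emit a policy rather than silently leaving a gap.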
