eli-385 finessing github permissions #283
Conversation
…emove-wildcard-resource-and-passrole-permissions
| effect = "Allow" | ||
|
|
||
| actions = [ | ||
| "acm:*", |
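Review bot: `"acm:*"` inside an `effect = "Allow"` statement of the permissions boundary is a per-service wildcard action, which is the second finding the description lists; if this line is part of the post-change boundary rather than the removed text, enumerate the ACM actions the assumed roles actually need (the `api_infrastructure` hunk already does this with `"acm:DescribeCertificate"`) so the boundary bounds actions the way the accompanying comment says it should.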
This is the permissions boundary used by assumed roles (e.g. lambda, cloudwatch --> kinesis etc.) so the permissions boundary itself needs to restrict to only those actions and resources we'd expect those roles to use.
| @@ -6,35 +6,218 @@ data "aws_iam_policy_document" "permissions_boundary" { | |||
| effect = "Allow" | |||
|
|
|||
| actions = [ | |||
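Review bot: the hunk header shows the boundary document growing from 35 to 218 lines while, per the review discussion, `resources` stays `*`; put that rationale (a permissions boundary grants nothing by itself, so resource scoping is deliberately left to the role's own policy) in an HCL comment beside the statement, so the next reader of the file does not take the `*` for an oversight and the next review pass does not flag it again.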
This is the deployment role, so a wider range of services need to be accessed - we try here to restrict actions to only those that deployments would need. As the permissions boundary doesn't actually grant permissions, we retain the * resource so that the role itself can set specific resource permissions.
| @@ -196,20 +198,62 @@ resource "aws_iam_policy" "api_infrastructure" { | |||
| # ACM for certs | |||
| "acm:DescribeCertificate", | |||
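Review bot: the `# ACM for certs` comment should also record why this statement keeps a `*` resource (the account-level reasoning given in review), and it is worth narrowing further where possible: `acm:DescribeCertificate` accepts a certificate ARN as its resource, so only the actions that genuinely have no resource (listing) need the wildcard, and splitting them into two statements keeps the wildcard off the describe action.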
acm needs * level resource as it's an 'account level' thing.
| Effect = "Allow", | ||
| Action = [ | ||
| # IAM PassRole for specific service roles only | ||
| "iam:PassRole" |
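Review bot: the role ARNs this `iam:PassRole` is scoped to are not visible in this fragment, so confirm each is a full `arn:aws:iam::<account>:role/<name>` rather than a `role/*` pattern; and since the comment says these roles are passed to AWS services, pair the resource list with a `Condition` on `iam:PassedToService` (for example `lambda.amazonaws.com`) so a listed role cannot be passed to any service other than the one expected to assume it.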
This specifically addresses the issue around passrole, limiting it to just the roles we want to deploy (and allow AWS services to assume)
| { | ||
| Effect = "Allow", | ||
| Action = [ | ||
| # Key management actions on account-specific keys only |
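Review bot: the `# Key management actions on account-specific keys only` comment implies the resource is an ARN pattern carrying the account id; check it is of the form `arn:aws:kms:<region>:<account-id>:key/*` rather than `*`, and keep the action list to what the deployment role needs to read its assets (decrypt and data-key generation) rather than key administration, since the finding is specifically about decryption on all keys.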
IAM customer managed policies should not allow decryption actions on all KMS keys
Restricting here to only those created in the account. Deployment role needs to be able to do this to access assets...
Description
Context
A few things are flagged up in both our and the pen test security reviews for the GitHub Actions role:
IAM customer managed policies should not allow decryption actions on all KMS keys
IAM customer managed policies that you create should not allow wildcard actions for services
IAM - Policies Allows “PassRole” Action For Any Resource
We can address these concerns by further tightening up the GitHub deployment role and permission boundary policies.
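An added Terraform example (not the project's own policy code) showing statements shaped the way the three findings above ask for: PassRole pinned to named roles and to the service that will assume them, KMS actions limited to keys in one account and region, and ACM actions enumerated instead of `acm:*`. The account id, region, role names and service principals are constructed placeholders.

```hcl
# Added example, not the project's own policy. Account id, region and
# role names below are constructed placeholders.
locals {
  account_id = "123456789012"
  region     = "eu-west-2"
}

data "aws_iam_policy_document" "deployment_role" {
  # Finding 3: PassRole only for the named roles, and only to the
  # service expected to assume them, so the deployment role cannot
  # hand one of these roles to an unrelated service.
  statement {
    sid     = "PassNamedServiceRoles"
    effect  = "Allow"
    actions = ["iam:PassRole"]
    resources = [
      "arn:aws:iam::${local.account_id}:role/example-lambda-exec",
      "arn:aws:iam::${local.account_id}:role/example-kinesis-delivery",
    ]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["lambda.amazonaws.com", "firehose.amazonaws.com"]
    }
  }

  # Finding 1: decryption only on keys in this account and region,
  # never "*". Key administration actions are deliberately left out.
  statement {
    sid    = "UseAccountKeysOnly"
    effect = "Allow"
    actions = [
      "kms:Decrypt",
      "kms:GenerateDataKey",
      "kms:DescribeKey",
    ]
    resources = ["arn:aws:kms:${local.region}:${local.account_id}:key/*"]
  }

  # Finding 2: enumerate ACM actions rather than "acm:*". The resource
  # stays "*" here only because listing certificates is account level.
  statement {
    sid       = "AcmReadOnly"
    effect    = "Allow"
    actions   = ["acm:ListCertificates", "acm:DescribeCertificate"]
    resources = ["*"]
  }
}
```

Attach the rendered `json` of this document to the deployment role's `aws_iam_policy`; the permissions boundary still applies on top of it.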