无论如何，是否可以确定CloudFormation模板实际上需要什么IAM权限？ [英] Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?

问题描述

只是想知道确定我应该为CloudFormation模板赋予哪些权限的最佳实践是什么？

经过一段时间尝试提供所需的最小权限后，我发现这确实很耗时且容易出错。我注意到根据我的堆栈状态，真的是新的还是一些更新还是删除，我将需要不同的权限。

我想，应该有某种解析器可以让给定的CloudFormation模板确定所需的最小权限集？

也许我可以授予 ec2：* 访问标记为 Cost Center：My Project的资源的权限名称？这个可以吗？但是我想知道当我更改项目名称时会发生什么？

或者，基于CloudFormation部分的假设，也可以确定给出 ec2：* 访问权限通常仅在CodeCommit / Github / CodePipeline上执行，而不会被公开/轻易破解吗？ ---这听起来像对我来说是一个有缺陷的声明...

解决方案

在短期内，您可以使用 aws-leastprivilege 。 但这并不支持每种资源类型。 p>

长期而言：如本2019年re：invent演讲所述，CloudFormation致力于开放源代码并将其大部分资源类型迁移到新的公共资源架构。这样做的好处之一是，您将能够看到执行每个操作所需的权限。

例如对于 AWS :: ImageBuilder :: Image ，该模式表示

 处理程序：{
创建：{
权限：[[
 iam：GetRole，
 imagebuilder：GetImageRecipe，
 imagebuilder：GetInfrastructureConfiguration，
 imagebuilder：GetDistributionConfiguration，
 imagebuilder： GetImage，
 imagebuilder：CreateImage，
 imagebuilder：TagResource 
] 
}，
读取：{
权限： [
 imagebuilder：GetImage 
] 
}，
 delete：{
 permissions：[[
 imagebuilder：GetImage，
 imagebuilder：DeleteImage，
  imagebuilder：UnTagResource 
] 
}，
 list：{
 permissions：[
 imagebuilder：ListImages 
] 
} 
} 
  

Just wondering whats the best practice for determining what permissions I should give for my CloudFormation template?

After some time of trying to give the minimal permissions it require, I find that thats really time consuming and error prone. I note that depending on the state of my stack, really new vs some updates vs delete, I will need different permissions.

I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it require?

Maybe I can give ec2:* access to resources tagged Cost Center: My Project Name? Is this ok? But I wonder what happens when I change my project name for example?

Alternatively, isit ok to assume its ok to give say ec2:* access based on the assumption the CloudFormation parts is usually only executed off CodeCommit/Github/CodePipeline and its not something that is likely to be public/easy to hack? --- Tho this sounds like a flawed statement to me ...

解决方案

In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.

For the long term: as mentioned in this 2019 re:invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.

E.g. for AWS::ImageBuilder::Image, the schema says

    "handlers": {
        "create": {
            "permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource"
            ]
        },
        "read": {
            "permissions": [
                "imagebuilder:GetImage"
            ]
        },
        "delete": {
            "permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource"
            ]
        },
        "list": {
            "permissions": [
                "imagebuilder:ListImages"
            ]
        }
    }

这篇关于无论如何，是否可以确定CloudFormation模板实际上需要什么IAM权限？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！