无论如何,是否可以确定CloudFormation模板实际上需要什么IAM权限? [英] Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?
问题描述
只是想知道确定我应该为CloudFormation模板赋予哪些权限的最佳实践是什么?
经过一段时间尝试提供所需的最小权限后,我发现这确实很耗时且容易出错。我注意到根据我的堆栈状态,真的是新的还是一些更新还是删除,我将需要不同的权限。
我想,应该有某种解析器可以让给定的CloudFormation模板确定所需的最小权限集?
也许我可以授予 ec2:*
访问标记为 Cost Center:My Project的资源的权限名称
?这个可以吗?但是我想知道当我更改项目名称时会发生什么?
或者,基于CloudFormation部分的假设,也可以确定给出 ec2:*
访问权限通常仅在CodeCommit / Github / CodePipeline上执行,而不会被公开/轻易破解吗? ---这听起来像对我来说是一个有缺陷的声明...
在短期内,您可以使用 aws-leastprivilege 。 但这并不支持每种资源类型。 p>
长期而言:如本2019年re:invent演讲所述,CloudFormation致力于开放源代码并将其大部分资源类型迁移到新的公共资源架构。这样做的好处之一是,您将能够看到执行每个操作所需的权限。
例如对于 AWS :: ImageBuilder :: Image ,该模式表示
处理程序:{
创建:{
权限:[[
iam:GetRole,
imagebuilder:GetImageRecipe,
imagebuilder:GetInfrastructureConfiguration,
imagebuilder:GetDistributionConfiguration,
imagebuilder: GetImage,
imagebuilder:CreateImage,
imagebuilder:TagResource
]
},
读取:{
权限: [
imagebuilder:GetImage
]
},
delete:{
permissions:[[
imagebuilder:GetImage,
imagebuilder:DeleteImage,
imagebuilder:UnTagResource
]
},
list:{
permissions:[
imagebuilder:ListImages
]
}
}
Just wondering whats the best practice for determining what permissions I should give for my CloudFormation template?
After some time of trying to give the minimal permissions it require, I find that thats really time consuming and error prone. I note that depending on the state of my stack, really new vs some updates vs delete, I will need different permissions.
I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it require?
Maybe I can give ec2:*
access to resources tagged Cost Center: My Project Name
? Is this ok? But I wonder what happens when I change my project name for example?
Alternatively, isit ok to assume its ok to give say ec2:*
access based on the assumption the CloudFormation parts is usually only executed off CodeCommit/Github/CodePipeline and its not something that is likely to be public/easy to hack? --- Tho this sounds like a flawed statement to me ...
In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.
For the long term: as mentioned in this 2019 re:invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.
E.g. for AWS::ImageBuilder::Image, the schema says
"handlers": {
"create": {
"permissions": [
"iam:GetRole",
"imagebuilder:GetImageRecipe",
"imagebuilder:GetInfrastructureConfiguration",
"imagebuilder:GetDistributionConfiguration",
"imagebuilder:GetImage",
"imagebuilder:CreateImage",
"imagebuilder:TagResource"
]
},
"read": {
"permissions": [
"imagebuilder:GetImage"
]
},
"delete": {
"permissions": [
"imagebuilder:GetImage",
"imagebuilder:DeleteImage",
"imagebuilder:UnTagResource"
]
},
"list": {
"permissions": [
"imagebuilder:ListImages"
]
}
}
这篇关于无论如何,是否可以确定CloudFormation模板实际上需要什么IAM权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!