无论如何，是否可以确定 CloudFormation 模板实际需要哪些 IAM 权限? [英] Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?

问题描述

只是想知道确定我应该为我的 CloudFormation 模板提供哪些权限的最佳实践是什么?

在尝试授予所需的最低权限一段时间后，我发现这确实非常耗时且容易出错.我注意到，根据我的堆栈状态，真的是新的、一些更新的还是删除的，我需要不同的权限.

我想，应该有可能有一些解析器，给定一个 CloudFormation 模板可以确定它需要的最小权限集?

也许我可以让 ec2:* 访问标记为 Cost Center: My Project Name 的资源?这个可以吗?但是我想知道当我更改项目名称时会发生什么?

或者，基于 CloudFormation 部分通常仅在 CodeCommit/Github/CodePipeline 上执行的假设，是否可以假设它可以提供 ec2:* 访问权限，并且它不太可能公开/容易破解?--- 这对我来说听起来像是一个有缺陷的陈述......

解决方案

短期内可以使用aws-最低权限.但它不支持所有资源类型.>

从长远来看:如本文所述2019 年 re:invent 谈话，CloudFormation 正致力于开源并将其大部分资源类型迁移到新的公共资源架构.这样做的好处之一是您将能够看到执行每个操作所需的权限.

例如对于 AWS::ImageBuilder::Image，模式说

 处理程序":{创建": {权限":["iam:GetRole","imagebuilder:GetImageRecipe","imagebuilder:GetInfrastructureConfiguration","imagebuilder:GetDistributionConfiguration","imagebuilder:GetImage","imagebuilder:CreateImage",图像生成器:标签资源"]},读": {权限":[图像生成器:获取图像"]},删除": {权限":["imagebuilder:GetImage","图像生成器:删除图像",图像生成器:UnTagResource"]},列表": {权限":[图像生成器:列表图像"]}}

Just wondering whats the best practice for determining what permissions I should give for my CloudFormation template?

After some time of trying to give the minimal permissions it require, I find that thats really time consuming and error prone. I note that depending on the state of my stack, really new vs some updates vs delete, I will need different permissions.

I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it require?

Maybe I can give ec2:* access to resources tagged Cost Center: My Project Name? Is this ok? But I wonder what happens when I change my project name for example?

Alternatively, isit ok to assume its ok to give say ec2:* access based on the assumption the CloudFormation parts is usually only executed off CodeCommit/Github/CodePipeline and its not something that is likely to be public/easy to hack? --- Tho this sounds like a flawed statement to me ...

解决方案

In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.

For the long term: as mentioned in this 2019 re:invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.

E.g. for AWS::ImageBuilder::Image, the schema says

    "handlers": {
        "create": {
            "permissions": [
                "iam:GetRole",
                "imagebuilder:GetImageRecipe",
                "imagebuilder:GetInfrastructureConfiguration",
                "imagebuilder:GetDistributionConfiguration",
                "imagebuilder:GetImage",
                "imagebuilder:CreateImage",
                "imagebuilder:TagResource"
            ]
        },
        "read": {
            "permissions": [
                "imagebuilder:GetImage"
            ]
        },
        "delete": {
            "permissions": [
                "imagebuilder:GetImage",
                "imagebuilder:DeleteImage",
                "imagebuilder:UnTagResource"
            ]
        },
        "list": {
            "permissions": [
                "imagebuilder:ListImages"
            ]
        }
    }

这篇关于无论如何，是否可以确定 CloudFormation 模板实际需要哪些 IAM 权限?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！