无论如何,是否可以确定 CloudFormation 模板实际需要哪些 IAM 权限? [英] Is there anyway to determine what IAM permissions I actually need for a CloudFormation template?
问题描述
只是想知道确定我应该为我的 CloudFormation 模板提供哪些权限的最佳实践是什么?
在尝试授予所需的最低权限一段时间后,我发现这确实非常耗时且容易出错.我注意到,根据我的堆栈状态,真的是新的、一些更新的还是删除的,我需要不同的权限.
我想,应该有可能有一些解析器,给定一个 CloudFormation 模板可以确定它需要的最小权限集?
也许我可以让 ec2:*
访问标记为 Cost Center: My Project Name
的资源?这个可以吗?但是我想知道当我更改项目名称时会发生什么?
或者,基于 CloudFormation 部分通常仅在 CodeCommit/Github/CodePipeline 上执行的假设,是否可以假设它可以提供 ec2:*
访问权限,并且它不太可能公开/容易破解?--- 这对我来说听起来像是一个有缺陷的陈述......
短期内可以使用aws-最低权限.但它不支持所有资源类型.>
从长远来看:如本文所述2019 年 re:invent 谈话,CloudFormation 正致力于开源并将其大部分资源类型迁移到新的公共资源架构.这样做的好处之一是您将能够看到执行每个操作所需的权限.
例如对于 AWS::ImageBuilder::Image,模式说
处理程序":{创建": {权限":["iam:GetRole","imagebuilder:GetImageRecipe","imagebuilder:GetInfrastructureConfiguration","imagebuilder:GetDistributionConfiguration","imagebuilder:GetImage","imagebuilder:CreateImage",图像生成器:标签资源"]},读": {权限":[图像生成器:获取图像"]},删除": {权限":["imagebuilder:GetImage","图像生成器:删除图像",图像生成器:UnTagResource"]},列表": {权限":[图像生成器:列表图像"]}}
Just wondering whats the best practice for determining what permissions I should give for my CloudFormation template?
After some time of trying to give the minimal permissions it require, I find that thats really time consuming and error prone. I note that depending on the state of my stack, really new vs some updates vs delete, I will need different permissions.
I guess, it should be possible for there to be some parser that given a CloudFormation template can determine the minimum set of permissions it require?
Maybe I can give ec2:*
access to resources tagged Cost Center: My Project Name
? Is this ok? But I wonder what happens when I change my project name for example?
Alternatively, isit ok to assume its ok to give say ec2:*
access based on the assumption the CloudFormation parts is usually only executed off CodeCommit/Github/CodePipeline and its not something that is likely to be public/easy to hack? --- Tho this sounds like a flawed statement to me ...
In the short term, you can use aws-leastprivilege. But it doesn't support every resource type.
For the long term: as mentioned in this 2019 re:invent talk, CloudFormation is working towards open sourcing and migrating most of its resource types to a new public resource schema. One of the benefits of this is that you'll be able to see the permissions required to perform each operation.
E.g. for AWS::ImageBuilder::Image, the schema says
"handlers": {
"create": {
"permissions": [
"iam:GetRole",
"imagebuilder:GetImageRecipe",
"imagebuilder:GetInfrastructureConfiguration",
"imagebuilder:GetDistributionConfiguration",
"imagebuilder:GetImage",
"imagebuilder:CreateImage",
"imagebuilder:TagResource"
]
},
"read": {
"permissions": [
"imagebuilder:GetImage"
]
},
"delete": {
"permissions": [
"imagebuilder:GetImage",
"imagebuilder:DeleteImage",
"imagebuilder:UnTagResource"
]
},
"list": {
"permissions": [
"imagebuilder:ListImages"
]
}
}
这篇关于无论如何,是否可以确定 CloudFormation 模板实际需要哪些 IAM 权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!