I have created a stack; in it we create a Lambda, execute some code from the SDK, access S3, write to DynamoDB and do some other stuff. The problem now is that we are trying to deploy to a different account/region that we have never deployed to, and we are facing a lot of issues related to permissions. Some of them my team has already seen and they are properly documented, but in other cases other teams may be facing those errors and we do not have that context. We try to go through them one by one as they appear, but it is painful. My question is: is there a way to describe/analyze the policies that the role I assume has in order to execute that stack before provisioning, or how can I figure out which permissions my resource needs? Or is it basically going through all permissions one by one?
I'd really like something like this to exist but I do not foresee a reliable one being developed anytime soon. However, since I've been down that road myself I would suggest something a bit more manageable.
The AWS CloudFormation service role allows you to pass a role with greater permissions than the ones given to a normal user. In a nutshell, you must first create a role with some decently large permissions or even administrative permissions. Then you need to allow normal users to perform the iam:PassRole action for that resource (the role). Lastly, when you deploy a CloudFormation stack, make sure you specify the role you created as the "service role" in the stack options.
From a security standpoint there are pros and cons to both using a service role and giving a lot of different permissions to normal users. You have to assess for yourself if it's a risk you can manage.
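The service-role pattern above written out as policy documents, together with a check for iam:PassRole grants that are wider than the pattern needs (added example, not code from the answer; the role ARN is a placeholder and the CloudFormation action list is an assumption about what your deployers need):

```python
# Added example (not from the answer above): policy documents for the
# CloudFormation service-role pattern, plus a check for iam:PassRole grants
# that are wider than that pattern needs. Role ARN below is a placeholder.
import json

CFN_SERVICE = "cloudformation.amazonaws.com"

def service_role_trust_policy() -> dict:
    """Trust policy: only the CloudFormation service may assume the big role."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Principal": {"Service": CFN_SERVICE},
        "Action": "sts:AssumeRole"}]}

def deployer_policy(service_role_arn: str) -> dict:
    """Policy for the normal user: drive stacks, and pass exactly one role,
    only to CloudFormation (iam:PassedToService), so the same grant cannot
    be reused to hand that role to Lambda, EC2 or anything else."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["cloudformation:CreateStack", "cloudformation:UpdateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStacks"]},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": service_role_arn,
         "Condition": {"StringEquals": {"iam:PassedToService": CFN_SERVICE}}}]}

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def risky_passrole_statements(policy: dict) -> list:
    """Statements that allow iam:PassRole on a wildcard resource or without
    a PassedToService condition: the usual way this pattern is over-granted."""
    risky = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "*" in _as_list(stmt.get("Resource")) or "iam:PassedToService" not in cond:
            risky.append(stmt)
    return risky

if __name__ == "__main__":
    arn = "arn:aws:iam::123456789012:role/CfnServiceRole"  # placeholder ARN
    print(json.dumps(deployer_policy(arn), indent=2))
    print("risky:", risky_passrole_statements(deployer_policy(arn)))
```

Run the checker over the policies already attached to your deployer users or groups to find PassRole statements that lack the resource or condition restriction.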
I am getting the following error:
Cannot open this file because of an error: must reference a valid S3 object to which you have access
Let me lay out some context that will prevent incorrect responses.
I am using an account I have had for several years.
I have tried using both the root and AdministratorAccess enabled IAM role.
I have created an account managed by this account as a parent and tried there.
I am using a CloudFormation template from AWS Well Architected Labs.
I log in to console, go to CloudFormation, select create stack and that is when I hit the blocker. Despite the error, CloudFormation CREATES the bucket and object.
Here are the really strange parts:
My colleague tried to recreate it. He did not encounter the same issue.
I set up a brand new account, completely separate from this one (i.e. not managed in the organization) and I could not recreate.
That is correct, when I set up a new account, completely separate, the stack would create just fine.
I thought maybe over the years, I had accumulated some bad policies or roles that were causing me issues - so I cleaned up shop right down to bare essentials. STILL getting the error.
Right now, I can just use my brand spanking new account and I don't need to worry about this. However, I am completely stumped by what is causing this issue. I cannot see any reason why this error is appearing. And I would really like to continue to use my main account which I have held for several years and has all my domains registered.
I am using Admin IAM roles and even Root accounts. I am experiencing same issue in child accounts to my parent accounts but NOT in completely separate accounts. I see no policy, role or any other restriction listed anywhere on AWS that restricts CloudFormation in any way. It is even creating buckets and objects when I click "Create Stack".
I am completely stumped and I guess I would like to be able to understand what has corrupted my account and its ability to use this feature?
We're adding a GCP project to be used for greenfield development, e.g. sort of a developer sandbox. My inclination is to give application/service developers full permissions in that project, to reduce friction and let them get stuff done as quickly and easily as possible.
We then have a separate beta project which we use where we prepare work for production, where application/service developers would have limited-to-no access, but the devops team could productionize things. And then, of course, we have the production project, where everything is locked down tight.
Is a sandbox like this a good idea? What permission(s) would I grant? Owner? GCP recommends not using those legacy roles...
List all of what each team is allowed to do on each env.
Translate this to a list of IAM permissions per team per env.
If there is some predefined role/s that matches exactly these permissions then use that role/s
If not, then create your own custom role/s for each team per each env.
For example, in the sandbox env:
If the developers team is only allowed to create GKE clusters and deploy workloads to these GKEs, then list all required permissions for such an operation and find a predefined role that has permissions that only allow this operation. See here.
Or, if this is too wide and does not apply the least privilege concept for you, then create your own custom role.
I personally don't recommend restricting the IAM permissions. Indeed, in a sandbox project, you want to try things, and maybe things totally outside the box and unexpected compared to the usual way of working/processing. Using IAM to limit the set of allowed products restricts creativity and protects you against (almost) nothing.
Indeed, if you want to impose security restrictions, what for? To limit access to the service in the Beta environment? Not sure... To prevent the overuse of resources in a non-production (and non-profitable) environment? I think yes!
That's why I recommend using Quotas to restrict the number of resources available for a project (i.e. only 10 CPUs in 1 region and not 3600 in 20 regions as by default). That way, the app team will be able to try and experiment safely, without any restriction, but without killing your budget.
We're (mostly happily ;)) using the AWS CDK to deploy our application stack to multiple environments (e.g. production, centralized dev, individual dev).
Now we want to increase the security by applying the least privilege principle to the deployment role. As the CDK code already has all the information about which services it will touch, is there a best practice as to how to generate the role definition?
Obviously it can't be a part of the stack as it is needed to deploy the stack.
Is there any mechanism built in to the CDK (e.g. the construct CloudFrontDistribution is used, thus the deployment role needs to have the permission to create, update and delete CloudFrontDistributions - possibly even narrowed, after the CloudFrontDistribution is mapped, to only doing that to that one distribution)?
Any best practices as to how to achieve that?
No. Sadly there isn't currently (2022-Q3) a way to have the CDK code also provide an IAM policy that would grant you access to run that template and nothing more.
However, everything is there to do it, and thanks to aspects it could probably be done relatively easily if you wanted to put in the leg work. I know many people in the community would love to have this.
You run into a chicken-and-egg problem here. (We encounter a similar issue with Secrets Manager and initializing secrets.) Pretty much the only solution I've found that works is a first-time setup script that uses an SDK or the CLI to run the necessary commands for that first-time setup. Then you can reference that beyond there.
However, it also depends on what roles you're talking about. cdk deploy pretty much needs access to any given resource you may be setting up - but you can limit it through users. Your root admin setup script, kept in a secret lock box, can set up a single power user that can then be used for initial cdk deploys. You can set up additional user groups that have the ability to deploy cdk, or have that initial setup create a cdk role that cdk deploy can assume.
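Until the CDK provides this, one way to get a first cut of the permission inventory for the deployment role is to read the synthesized template in cdk.out; this serves both the CDK question here and the first question on this page about which permissions a stack needs (added example, not CDK code or the answerer's; the resource-type-to-IAM-prefix mapping is an assumption to verify against the AWS Service Authorization Reference, and the sample template is constructed):

```python
# Added example (not CDK code): derive a first-cut permission inventory for
# the deployment role from a synthesized template (cdk.out/<Stack>.template.json).
# The type -> IAM prefix mapping is an assumption; verify each prefix against
# the AWS Service Authorization Reference before relying on it.
from collections import defaultdict

# Types whose prefix is not just the lowercased middle segment of AWS::X::Y.
PREFIX_OVERRIDES = {"elasticloadbalancingv2": "elasticloadbalancing",
                    "certificatemanager": "acm", "stepfunctions": "states"}

def service_prefix(resource_type: str) -> str:
    """'AWS::S3::Bucket' -> 's3'; custom resources are backed by Lambda."""
    if resource_type.startswith("Custom::"):
        return "lambda"
    service = resource_type.split("::")[1].lower()
    return PREFIX_OVERRIDES.get(service, service)

def _referenced_ids(node, found: set) -> None:
    """Collect logical ids reached through Ref / Fn::GetAtt, recursively."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            found.add(node["Ref"])
        att = node.get("Fn::GetAtt")
        if att is not None:
            found.add(att[0] if isinstance(att, list) else att.split(".")[0])
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            _referenced_ids(value, found)

def inventory(template: dict) -> dict:
    """Return {'services': {prefix: [logical ids]}, 'pass_role': [role ids]}.
    Referencing an AWS::IAM::Role from the same stack means the deployer
    must also hold iam:PassRole on that role."""
    resources = template.get("Resources", {})
    roles = {lid for lid, r in resources.items() if r.get("Type") == "AWS::IAM::Role"}
    services, pass_role = defaultdict(list), set()
    for lid, res in resources.items():
        services[service_prefix(res["Type"])].append(lid)
        refs: set = set()
        _referenced_ids(res.get("Properties", {}), refs)
        pass_role |= refs & roles
    return {"services": dict(services), "pass_role": sorted(pass_role)}

# Constructed sample in the shape of a CDK-synthesized stack (not a real one).
SAMPLE_TEMPLATE = {"Resources": {
    "FnRole": {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {}}},
    "Fn": {"Type": "AWS::Lambda::Function", "Properties": {
        "Role": {"Fn::GetAtt": ["FnRole", "Arn"]}, "Code": {"S3Bucket": {"Ref": "Data"}}}},
    "Data": {"Type": "AWS::S3::Bucket"},
    "Table": {"Type": "AWS::DynamoDB::Table"}}}
```

The output is a list of service prefixes and the roles that need iam:PassRole, which you then narrow to concrete actions and resource ARNs by hand; it does not replace checking the exact actions each resource type requires.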
I'm learning AWS ECS Fargate. I created a Task Role for my ECS containers, and I have just added some custom and non-custom policies to the role.
I can see my new role with 6 different policies attached. Anyway, I saw an example where many policies were nested in the JSON policy file and they were separated by the SID name.
I wonder which one is the best approach: to attach many policies, or to build one single JSON policy file with all the policies nested and separated by SID? Thanks a lot.
It really doesn't matter. Whatever is easier to maintain for you personally.
As a rule of thumb, I create managed policies if I expect to reuse them later. This way I can just reference one in a new role without writing all the same stuff over again. If it's a policy which will never be reused, then I do it in-line.
I need to allow developers to access resources on my AWS account.
They will be launching instances and RDS, possibly some other resources.
What is the best way to achieve this?
IAM roles seem complicated with policies.
Should I launch instances then give them SSH access?
What are your suggestions?
Thank you!
You should create an IAM User for each developer. Put them in an IAM Group and assign permissions to the Group.
However, this assumes that you are willing to trust them in your account, for which you should think twice. If you give them permissions to launch services, they might launch more than necessary, causing extra expense. If you give them permission to delete resources, they might accidentally delete resources being used by other people.
If they are just "playing around" with AWS to get an idea of what can be done, create a sandbox account where they can't do much harm. Keep this separate to your production account, where you'll keep resources that you don't want destroyed.
Or, if you just want them to develop software and not play with AWS directly, then do as you suggested and create the resources yourself, but give them access for software development purposes.
Bottom line: It all depends on what the developers want to do and what you're willing to let them do.
If it is a small environment, you can give SSH access to developers.
But if the infra is pretty big, then I prefer to go with IAM.