I'm having an issue with a seemingly trivial task of getting CodeDeploy to deploy Github code to an AutoScaling Group in a Blue/Green Deployment.
I have a Pipeline setup, a Deployment Group setup, AutoScaling Group, ELB, and LAUCH CONFIGURATION but it fails when it gets to the actual deployment:
and this my roles in codeDeploy-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "autoscaling:*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "cloudwatch:PutMetricAlarm",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribePlacementGroups",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSpotInstanceRequests",
"ec2:DescribeSubnets",
"ec2:DescribeVpcClassicLink"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "autoscaling.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:CompleteLifecycleAction",
"autoscaling:DeleteLifecycleHook",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:PutLifecycleHook",
"autoscaling:RecordLifecycleActionHeartbeat",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:EnableMetricsCollection",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribePolicies",
"autoscaling:DescribeScheduledActions",
"autoscaling:DescribeNotificationConfigurations",
"autoscaling:DescribeLifecycleHooks",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:AttachLoadBalancers",
"autoscaling:AttachLoadBalancerTargetGroups",
"autoscaling:PutScalingPolicy",
"autoscaling:PutScheduledUpdateGroupAction",
"autoscaling:PutNotificationConfiguration",
"autoscaling:PutLifecycleHook",
"autoscaling:DescribeScalingActivities",
"autoscaling:DeleteAutoScalingGroup",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:TerminateInstances",
"tag:GetResources",
"sns:Publish",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "*"
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:PassRole",
"ec2:CreateTags",
"ec2:RunInstances"
],
"Resource": "*"
}
]
}
Is there a policy that I'm not considering that needs to be attached to this role?
As I understood,I would rather following steps.
You need to create a CodeDeployServiceRole and you just used built in policy.
Create a CodeDeploy application and deployment group and assign your CodeDeployServiceRole there.
In launch configuration you don't have to worry about CodeDeploy and just config you instance profile with required policies for instance operations.
Related
Creating an IAM inline policy to allow the IAM user to attach a max of 20GB EBS volume, and only allow t2.micro Ubuntu instance from us-east-2 region. I have copied the ami for the same but in the conosle for IAM user it shows API error when trying to run the EC2 instance, what might be the problem.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AdminPermissions",
"Effect": "Allow",
"Action": [
"ssm:SendCommand",
"ssm:GetCommandInvocation",
"ec2:StopInstances",
"ec2:StartInstances",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:CreateTags"
],
"Resource": "*"
},
{
"Sid": "RunInstanceResourcePermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::network-interface/*",
"arn:aws:ec2:::security-group/*",
"arn:aws:ec2:::subnet/*",
"arn:aws:ec2:*::image/ami-0885b1f6bd170450c"
]
},
{
"Sid": "LimitInstanceVolumeSize",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::volume/*"
],
"Condition": {
"NumericLessThanEquals": {
"ec2:VolumeSize": "20"
}
}
},
{
"Sid": "LimitInstanceTypes",
"Effect": "Allow",
"Action": [
"ec2:RunInstances"
],
"Resource": [
"arn:aws:ec2:::instance/ami-0885b1f6bd170450c"
],
"Condition": {
"StringEquals": {
"ec2:InstanceType":
"t2.nano"
}
}
}
]
}
I want to create and IAM policy in which the IAM user will not be able to launch any instance other than t2.micro Ubuntu in us-east-1 region. I have added the ami in IAM policybut instead of allowing just the Ubuntu ami, AWS is allowing the IAM user to launch all instances. What might be the problem
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "TheseActionsDontSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Sid": "TheseActionsSupportResourceLevelPermissions",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
}
]
}
this should point you in the right direction
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"TheseActionsDontSupportResourceLevelPermissions",
"Effect":"Allow",
"Action":[
"ec2:Describe*"
],
"Resource":"*"
},
{
"Sid":"TheseActionsSupportResourceLevelPermissions",
"Effect":"Allow",
"Action":[
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource":"arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c",
"Condition":{
"ForAnyValue:StringLike":{
"ec2:ImageType":"t2.micro"
}
}
}
]
}
I would recommend using Deny rules to disallow launching instances if the wrong instance type or the wrong ami is used. Note that I removed the Sid parameter as it is optional.
An explicit Deny rule will override any Allow rules. That makes it easier to disallow unwanted actions, instead of trying to carve out the allowed action. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
Try the following:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:StopInstances",
"ec2:StartInstances"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ec2:ImageType": "t2.micro"
}
}
},
{
"Effect": "Deny",
"Action": [
"ec2:RunInstances"
],
"NotResource": "arn:aws:ec2:us-east-1:196687784845:instance/ami-0885b1f6bd170450c"
}
]
}
I am trying to setup and assign a policy so that a user can only trigger AWS Systems Manager Services (SSM) Run Commands on only authorized or assigned EC2 instances to them.
To do this, I am following instructions from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sysman-configuring-access-iam-create.html and as per it, I created below custom policy with provisioning access for only 1 EC2 instance:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::test-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1:123456789012:document/AWS-RunPowerShellScript"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
After I assigned above policy to a test user and when I log in using it and navigate to "Run Command", under Target Instances I see other EC2 instances as well and I am even able to execute commands to them as well. Shouldn't the user only see the 1 instance that is specified in above policy?
I do not understand what am I doing wrong here and how to fix it? Appreciate your help.
Thanks!
I have below IAM policy assigned to all my EC2 system instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:DescribeAssociation",
"ssm:GetDeployablePatchSnapshotForInstance",
"ssm:GetDocument",
"ssm:GetParameters",
"ssm:ListAssociations",
"ssm:ListInstanceAssociations",
"ssm:PutInventory",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceAssociationStatus",
"ssm:UpdateInstanceInformation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricData"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstanceStatus"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ds:CreateComputer",
"ds:DescribeDirectories"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:DescribeLogGroups",
"logs:DescribeLogStreams",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:ListBucketMultipartUploads"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::amazon-ssm-packages-*"
}
]
}
Also, I have below IAM policy assigned to test user to so that they can Start/Stop/Restart EC2 instances:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:RebootInstances"
],
"Resource": "arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/Name": "TESTSERV"
}
}
}
]
}
I was able to make this work by adjusting policy as below:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ssm:ListDocuments",
"ssm:DescribeDocument*",
"ssm:GetDocument",
"ssm:DescribeInstance*"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ssm:SendCommand",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:us-east-1:123456789012:instance/i-1234567890abcdef0",
"arn:aws:s3:::nsight-ssm-logs/TESTSERV",
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
]
},
{
"Action": [
"ssm:CancelCommand",
"ssm:ListCommands",
"ssm:ListCommandInvocations"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DescribeInstanceStatus",
"Effect": "Allow",
"Resource": "*"
}
]
}
My requirement was to only allow execution of PowerShell scripts so the line:
"arn:aws:ssm:us-east-1::document/AWS-RunPowerShellScript"
You can replace AWS-RunPowerShellScript with * to allow all commands.
Also, the EC2 Role assignment was necessary since without it I couldn't see any instances under Run Command.
Please also know that the user would see all instances under Run Command but will only be able to execute commands for the EC2 instances for which the policies are assigned to, user account. I do not think there is any option to suppress this.
Thanks for your contribution and helpful tips.
I am trying to grant to an IAM password user full access to an Elastic Beanstalk application (create/modify/delete environments). Following the AWS doc here results in the user being able to see the Application but being unable to view Environments or create new ones (message: Access Denied, without further specification).
Here is the current policy that is attached:
{
"Version": "XXX-XX-XX",
"Statement": [
{
"Sid": "StmtXXXXXXXXX",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:*",
"autoscaling:*"
],
"Resource": [
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:application/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:applicationversion/<app-name>",
"arn:aws:elasticbeanstalk:eu-west-1:<accountId>:environment/<app-name>/*",
"arn:aws:elasticbeanstalk:us-west-1::solutionstack/*"
]
},
{
"Action": [
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:CreateStorageLocation",
"autoscaling:DescribeAutoScalingGroups"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Has anyone done this yet?
This is what I use. I couldn't be asked to go further in separating it. You can use tags for as well.
What I have done more is to run more and more things in separate accounts. If there are separate apps there are little or no reason to have them in the same account anyway. You can have cross account access for users. https://aws.amazon.com/blogs/security/how-to-enable-cross-account-access-to-the-aws-management-console/
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"elasticbeanstalk:CreateStorageLocation",
"sqs:Get*",
"sqs:List*",
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DescribeAutoScalingGroups",
"cloudformation:UpdateStack",
"cloudformation:DescribeStacks",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"s3:PutObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
],
"Resource": [
"arn:aws:elasticloadbalancing:eu-west-1:12345678910:loadbalancer/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"elasticbeanstalk:CreateApplicationVersion",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:eu-west-1:12345678910:application/My App"
]
}
}
}
]
}
I want to update and deploy a new version on Elastic Beanstalk from my continuous deployment system (Codeship) but also want to lock down the rights that the deployment user has.
What is the minimum set if rights needed?
This IAM policy provides all necessary permissions to perform the "Upload and Deploy" function:
for a new Application Version
in a specified Elastic Beanstalk Environment.
Replace the following:
Replace $REGION with the specific region, for example: us-east-1
Replace $ACCOUNT with the account number (without dashes), for example: 123456789012
Replace $APPLICATION with the specific application, for example: My Beanstalk Application
Replace $ENVIRONMENT with the specific environment, for example: My Beanstalk Environment
Node: if you push logs to CloudWatch you will need additional policies.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAutoscalingSuspendAndResumeProcesses",
"Action": [
"autoscaling:SuspendProcesses",
"autoscaling:ResumeProcesses"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Sid": "AllowElasticBeanstalkValidateConfigurationSettings",
"Action": [
"elasticbeanstalk:ValidateConfigurationSettings"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
]
}
}
},
{
"Sid": "AllowS3PutAndDeleteObjectInProperBucket",
"Action": [
"s3:Put*",
"s3:Delete*"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::elasticbeanstalk-$REGION-$ACCOUNT/*"
]
},
{
"Sid": "AllowElasticBeanstalkCreateStorageLocation",
"Action": [
"elasticbeanstalk:CreateStorageLocation"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AllowElasticBeanstalkCreateApplicationVersion",
"Action": [
"elasticbeanstalk:CreateApplicationVersion"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
]
}
}
},
{
"Sid": "AllowElasticBeanstalkUpdateEnvironment",
"Action": [
"elasticbeanstalk:UpdateEnvironment"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:environment/$APPLICATION/$ENVIRONMENT"
],
"Condition": {
"StringEquals": {
"elasticbeanstalk:InApplication": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:application/$APPLICATION"
]
},
"StringLike": {
"elasticbeanstalk:FromApplicationVersion": [
"arn:aws:elasticbeanstalk:$REGION:$ACCOUNT:applicationversion/$APPLICATION/*"
]
}
}
},
{
"Sid": "AllowElasticBeanstalkReadOnlyAccess",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:Check*",
"elasticbeanstalk:Describe*",
"elasticbeanstalk:List*",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RetrieveEnvironmentInfo",
"ec2:Describe*",
"elasticloadbalancing:Describe*",
"autoscaling:Describe*",
"cloudwatch:Describe*",
"cloudwatch:List*",
"cloudwatch:Get*",
"s3:Get*",
"s3:List*",
"sns:Get*",
"sns:List*",
"cloudformation:Describe*",
"cloudformation:Get*",
"cloudformation:List*",
"cloudformation:Validate*",
"cloudformation:Estimate*",
"rds:Describe*",
"sqs:Get*",
"sqs:List*"
],
"Resource": "*"
}
]
}