Limit iam:CreateServiceLinkedRole permission to specific role

Open gabegorelick opened this issue 5 years ago • 4 comments

Github issue

Issue type

  • Feature Idea

Build number

master

Summary

iam:CreateServiceLinkedRole was added in #205 and is a fairly major permission to grant to AutoSpotting. In reality, I think it only needs to create the AWSServiceRoleForEC2Spot service-linked role. Thus, its permissions could be limited to that specific resource.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html.

Steps to reproduce

Deploy

Expected results

AutoSpotting only has permission to create the service-linked role it needs.

Actual results

AutoSpotting has permission to create any service-linked role.

gabegorelick avatar Feb 04 '20 17:02 gabegorelick

@gabegorelick is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

cristim avatar Feb 04 '20 18:02 cristim

is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

Yes. I've verified the following works:

Effect: Allow
Action:
  - 'iam:CreateServiceLinkedRole'
Resource:
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'

I can throw together a PR if you want.

gabegorelick avatar Feb 04 '20 19:02 gabegorelick
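The scoped statement gabegorelick posted can be checked offline against the broad grant the issue objects to. The script below is an added example for this thread, not AutoSpotting code: the account id and the "other" service-linked role ARNs are constructed placeholders, and the evaluator implements only Allow statements with IAM-style `*`/`?` wildcards on Action and Resource (Deny statements and Condition blocks are ignored, so a clean result is necessary, not sufficient). It also shows why a trailing wildcard on the role name is not equivalent to the exact ARN.

```python
"""Offline least-privilege check for iam:CreateServiceLinkedRole grants.

Added example for this issue thread; not part of AutoSpotting. Account id and the
'other' role ARNs are constructed placeholders. Only Allow statements with
Action/Resource wildcards are evaluated; Deny and Condition are ignored.
"""
import re

ACCOUNT_ID = "123456789012"  # constructed placeholder, not a real account
SLR_PREFIX = f"arn:aws:iam::{ACCOUNT_ID}:role/aws-service-role/"

# The single role the thread says AutoSpotting actually needs to create.
SPOT_SLR_ARN = SLR_PREFIX + "spot.amazonaws.com/AWSServiceRoleForEC2Spot"

# Constructed sample of other service-linked roles; a tight grant must match none.
OTHER_SLR_ARNS = [
    SLR_PREFIX + "autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
    SLR_PREFIX + "elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing",
    SLR_PREFIX + "spot.amazonaws.com/AWSServiceRoleForEC2SpotFleet",
]


def _policy(resource):
    """Build a one-statement policy; only the Resource element varies."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["iam:CreateServiceLinkedRole"],
            "Resource": [resource],
        }],
    }


BROAD_POLICY = _policy("*")                            # the grant the issue objects to
SCOPED_POLICY = _policy(SPOT_SLR_ARN)                  # the fix verified in the thread
SUFFIX_WILDCARD_POLICY = _policy(SPOT_SLR_ARN + "*")   # tempting, but leaks (see below)


def _iam_match(pattern, value, case_insensitive=False):
    """IAM-style wildcard match: '*' matches any run, '?' exactly one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource_arn):
    """True if one Allow statement grants `action` on `resource_arn`."""
    if stmt.get("Effect") != "Allow":
        return False
    # Action names are matched case-insensitively; resource ARNs are not.
    action_ok = any(_iam_match(a, action, case_insensitive=True)
                    for a in _as_list(stmt.get("Action", [])))
    resource_ok = any(_iam_match(r, resource_arn)
                      for r in _as_list(stmt.get("Resource", [])))
    return action_ok and resource_ok


def policy_allows(policy, action, resource_arn):
    """True if any statement in the policy allows the action on the resource."""
    return any(statement_allows(s, action, resource_arn)
               for s in _as_list(policy["Statement"]))


def audit_create_slr(policy, needed_arn, other_arns):
    """Return every ARN in `other_arns` the policy would also let the principal
    create. An empty list means the grant is scoped to `needed_arn` only."""
    action = "iam:CreateServiceLinkedRole"
    if not policy_allows(policy, action, needed_arn):
        raise ValueError("policy does not allow the role it needs: " + needed_arn)
    return [arn for arn in other_arns if policy_allows(policy, action, arn)]


if __name__ == "__main__":
    for name, pol in [("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("suffix-wildcard", SUFFIX_WILDCARD_POLICY)]:
        extra = audit_create_slr(pol, SPOT_SLR_ARN, OTHER_SLR_ARNS)
        print(f"{name}: {len(extra)} extra service-linked role(s) creatable")
        for arn in extra:
            print("   ", arn)
```

Running it reports three extra roles for the broad policy, none for the exact ARN from the thread, and one (`AWSServiceRoleForEC2SpotFleet`) for the suffix-wildcard variant, which is why the exact ARN rather than a prefix pattern is the right resource to grant.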

By all means!

My IAM policy knowledge needs a refresh, this is awesome, thanks!

cristim avatar Feb 05 '20 04:02 cristim

Fixing this in the next version.

cristim avatar Mar 06 '23 17:03 cristim