instance-scheduler-on-aws

EBS KMS permissions not included in remote role

Open markyates opened this issue 3 years ago • 2 comments

// Imports added here; the posted snippet omitted them. The aws-cdk-lib (CDK v2)
// paths are an assumption; CDK v1 shipped the same classes under @aws-cdk/core
// and @aws-cdk/aws-iam.
import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
import { Effect, PolicyStatement } from 'aws-cdk-lib/aws-iam';

// ec2PolicyAssumeRoleStatement and schedulerRole are defined elsewhere in the stack.
const ec2Permissions = new iam.Policy(this, "Ec2Permissions", {
  statements: [
    new PolicyStatement({
      actions: [
        'ec2:ModifyInstanceAttribute',   // comma was missing in the original
        'kms:CreateGrant',
      ],
      effect: Effect.ALLOW,
      resources: [
        // kms:CreateGrant is evaluated against the KMS key ARN, so this instance
        // ARN only scopes the ec2: action; the key ARNs the scheduler needs are
        // what would have to be listed for the kms: action to take effect.
        cdk.Fn.sub("arn:${AWS::Partition}:ec2:*:${AWS::AccountId}:instance/*")
      ]
    }),
    ec2PolicyAssumeRoleStatement
  ],
  roles: [schedulerRole]
})

As you can see, the GitHub links above contain the main TS templates that generate the CFN yaml/json templates.

Please feel free to copy the ec2Permissions code and create a new policy with KMS permissions, or you can add the permission to the existing one. I would recommend opening a GitHub issue to allow the team to take such a requirement into consideration within the solution.

markyates avatar May 06 '21 14:05 markyates

@markyates Sorry about the issue, we will review this and add it to the solution backlog. It will be prioritized for a future release.

gockle avatar May 07 '21 14:05 gockle

Adding a permission that gives the scheduler role access to all the KMS keys in the account will have unintended security issues. We will review this scenario for the solution, but this PR will not be merged into the repository. I would suggest narrowing the permission down to only those KMS keys in your account that the scheduler really requires.

rakshb avatar Apr 22 '22 15:04 rakshb
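The narrowing the maintainer asks for, as an added example that is not code from instance-scheduler-on-aws or this thread: the over-broad "every key in the account" statement beside one scoped to named key ARNs, gated on the documented kms:GrantIsForAWSResource and kms:ViaService condition keys, plus a small review check that tells the two apart. Key ARNs and account ids are constructed samples; each returned object is plain IAM policy JSON and can be handed to CDK's iam.PolicyStatement.fromJson.

```typescript
// Added example, not the project's code. Builds the rejected over-broad KMS
// statement and a narrowed replacement, and flags the over-broad shape.
type Statement = {
  Effect: 'Allow' | 'Deny';
  Action: string[];
  Resource: string[];
  Condition?: Record<string, Record<string, string | string[]>>;
};

// What "access to all the KMS keys in the account" looks like in policy JSON.
function overbroadKmsStatement(): Statement {
  return { Effect: 'Allow', Action: ['kms:CreateGrant'], Resource: ['*'] };
}

// Narrowed form: only the listed keys, only grants that an AWS service creates
// on the role's behalf (kms:GrantIsForAWSResource), only via EC2 in the keys'
// own regions (kms:ViaService). Rejects wildcards and non-key ARNs outright.
function scopedKmsStatement(keyArns: string[]): Statement {
  if (keyArns.length === 0) throw new Error('no KMS key ARNs given');
  for (const arn of keyArns) {
    const p = arn.split(':'); // arn:partition:kms:region:account:key/<id>
    if (p.length !== 6 || p[2] !== 'kms' || !p[5].startsWith('key/') || arn.includes('*')) {
      throw new Error(`not an exact KMS key ARN: ${arn}`);
    }
  }
  const regions = Array.from(new Set(keyArns.map((a) => a.split(':')[3])));
  return {
    Effect: 'Allow',
    Action: ['kms:CreateGrant'],
    Resource: keyArns,
    Condition: {
      Bool: { 'kms:GrantIsForAWSResource': 'true' },
      StringEquals: { 'kms:ViaService': regions.map((r) => `ec2.${r}.amazonaws.com`) },
    },
  };
}

// Review check: an Allow on a kms: action whose resource is a wildcard and that
// is not gated on GrantIsForAWSResource is the pattern the maintainers declined.
function isOverbroad(s: Statement): boolean {
  const kmsAction = s.Action.some((a) => a === '*' || a.toLowerCase().startsWith('kms:'));
  const wildcardKey = s.Resource.some((r) => r === '*' || r.endsWith('/*'));
  const gated = s.Condition?.Bool?.['kms:GrantIsForAWSResource'] === 'true';
  return s.Effect === 'Allow' && kmsAction && wildcardKey && !gated;
}
```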