cloud-nuke icon indicating copy to clipboard operation
cloud-nuke copied to clipboard

Published 20 hours ago verified publisher icon gruntwork-io

Documentation for minimum IAM policy

Open byarbrough opened this issue 4 years ago • 6 comments

There ought to be documentation for what the minimum IAM policy is to be able to run cloud nuke. This documentation would be valuable so that users can run cloud-nuke with a cron job and not worry about the user being overly permissive.

This was brought up in #106 but prematurely closed.

I know the README lists what services are targeted, but it does not list what specific permissions are needed. For example, does EC2 Auto Scaling need to be able to list everything or just DescribeAutoScalingGroup?

byarbrough avatar Jun 29 '20 17:06 byarbrough

That's a good point... Although also a bit hard to track as we add support for more resources. AWS, unfortunately, doesn't provide any tools for figuring out what permission you need, so this would be a largely manual process.

If anyone has time to go through the API calls and make a list, a PR to update the docs with it is very welcome!

brikis98 avatar Jul 02 '20 08:07 brikis98

Perhaps this is somewhat naive, but would it be sufficient to go through and catalog every aws session call that requires permission?

For example, ami.go L21

output, err := svc.DescribeImages(params)

means that the Amazon EC2 DescribeImages permission is required.

Would this approach miss things? I'm definitely interested in helping out.

byarbrough avatar Jul 02 '20 14:07 byarbrough

I think that would find all the API calls... It's possible that we use a few AWS SDK methods that make multiple API calls in one, but I'm not aware of any off the top of my head.

brikis98 avatar Jul 02 '20 15:07 brikis98

I wrote a script that pulls out all of the svc function calls for each file. There's clearly not a direct mapping between sdk function names and required IAM permissions (i.e. the "wait" functions). But this is a start. I'll continue messing around with it.

 ('ami.go', 'DescribeImages'),
 ('ami_test.go', 'CreateImage'),
 ('ami_test.go', 'DescribeImages'),
 ('ami_test.go', 'WaitUntilImageAvailable'),
 ('ami_test.go', 'WaitUntilImageExists'),
 ('asg.go', 'DeleteAutoScalingGroup'),
 ('asg.go', 'DescribeAutoScalingGroups'),
 ('asg.go', 'WaitUntilGroupNotExists'),
 ('asg_test.go', 'CreateAutoScalingGroup'),
 ('asg_test.go', 'DescribeAutoScalingGroups'),
 ('asg_test.go', 'WaitUntilGroupExists'),
 ('aws.go', 'DescribeRegions'),
 ('ebs.go', 'DeleteVolume'),
 ('ebs.go', 'DescribeVolumes'),
 ('ebs.go', 'WaitUntilVolumeDeleted'),
 ('ebs_test.go', 'AttachVolume'),
 ('ebs_test.go', 'CreateTags'),
 ('ebs_test.go', 'CreateVolume'),
 ('ebs_test.go', 'WaitUntilVolumeAvailable'),
 ('ebs_test.go', 'WaitUntilVolumeInUse'),
 ('ec2.go', 'DeleteInternetGateway'),
 ('ec2.go', 'DeleteNetworkAcl'),
 ('ec2.go', 'DeleteRouteTable'),
 ('ec2.go', 'DeleteSecurityGroup'),
 ('ec2.go', 'DeleteSubnet'),
 ('ec2.go', 'DeleteVpc'),
 ('ec2.go', 'DescribeInstanceAttribute'),
 ('ec2.go', 'DescribeInstances'),
 ('ec2.go', 'DescribeInternetGateways'),
 ('ec2.go', 'DescribeNetworkAcls'),
 ('ec2.go', 'DescribeRouteTables'),
 ('ec2.go', 'DescribeSecurityGroups'),
 ('ec2.go', 'DescribeSubnets'),
 ('ec2.go', 'DescribeVpcs'),
 ('ec2.go', 'DetachInternetGateway'),
 ('ec2.go', 'RevokeSecurityGroupEgress'),
 ('ec2.go', 'RevokeSecurityGroupIngress'),
 ('ec2.go', 'TerminateInstances'),
 ('ec2.go', 'WaitUntilInstanceTerminated'),
 ('ec2_test.go', 'CreateTags'),
 ('ec2_test.go', 'DescribeImages'),
 ('ec2_test.go', 'ModifyInstanceAttribute'),
 ('ec2_test.go', 'RunInstances'),
 ('ec2_test.go', 'WaitUntilInstanceExists'),
 ('ec2_test.go', 'WaitUntilInstanceRunning'),
 ('ec2_unit_test.go', 'CreateDefaultVpc'),
 ('ec2_unit_test.go', 'DescribeVpcs'),
 ('ecs_service.go', 'DeleteService'),
 ('ecs_service.go', 'DescribeServices'),
 ('ecs_service.go', 'ListClusters'),
 ('ecs_service.go', 'ListServices'),
 ('ecs_service.go', 'UpdateService'),
 ('ecs_service.go', 'WaitUntilServicesInactive'),
 ('ecs_service.go', 'WaitUntilServicesStable'),
 ('ecs_utils_for_test.go', 'AddRoleToInstanceProfile'),
 ('ecs_utils_for_test.go', 'CreateCluster'),
 ('ecs_utils_for_test.go', 'CreateInstanceProfile'),
 ('ecs_utils_for_test.go', 'CreateRole'),
 ('ecs_utils_for_test.go', 'CreateService'),
 ('ecs_utils_for_test.go', 'DeleteCluster'),
 ('ecs_utils_for_test.go', 'DeleteInstanceProfile'),
 ('ecs_utils_for_test.go', 'DeleteRole'),
 ('ecs_utils_for_test.go', 'DeleteRolePolicy'),
 ('ecs_utils_for_test.go', 'DeregisterTaskDefinition'),
 ('ecs_utils_for_test.go', 'GetInstanceProfile'),
 ('ecs_utils_for_test.go', 'ListRolePolicies'),
 ('ecs_utils_for_test.go', 'PutRolePolicy'),
 ('ecs_utils_for_test.go', 'RegisterTaskDefinition'),
 ('ecs_utils_for_test.go', 'RemoveRoleFromInstanceProfile'),
 ('ecs_utils_for_test.go', 'WaitUntilServicesStable'),
 ('eip.go', 'CreateTags'),
 ('eip.go', 'DescribeAddresses'),
 ('eip.go', 'ReleaseAddress'),
 ('eip_test.go', 'AllocateAddress'),
 ('eip_test.go', 'CreateTags'),
 ('eip_test.go', 'DescribeAddresses'),
 ('eip_test.go', 'DescribeTags'),
 ('eks.go', 'DeleteCluster'),
 ('eks.go', 'DescribeCluster'),
 ('eks.go', 'ListClusters'),
 ('eks.go', 'WaitUntilClusterDeleted'),
 ('eks_utils_for_test.go', 'AttachRolePolicy'),
 ('eks_utils_for_test.go', 'CreateCluster'),
 ('eks_utils_for_test.go', 'CreateRole'),
 ('eks_utils_for_test.go', 'WaitUntilClusterActive'),
 ('elb.go', 'DeleteLoadBalancer'),
 ('elb.go', 'DescribeLoadBalancers'),
 ('elb_test.go', 'CreateLoadBalancer'),
 ('elb_test.go', 'DescribeLoadBalancers'),
 ('elbv2.go', 'DeleteLoadBalancer'),
 ('elbv2.go', 'DescribeLoadBalancers'),
 ('elbv2.go', 'WaitUntilLoadBalancersDeleted'),
 ('elbv2_test.go', 'CreateLoadBalancer'),
 ('elbv2_test.go', 'DescribeLoadBalancers'),
 ('elbv2_test.go', 'WaitUntilLoadBalancerAvailable'),
 ('elbv2_test.go', 'WaitUntilLoadBalancersDeleted'),
 ('launch_config.go', 'DeleteLaunchConfiguration'),
 ('launch_config.go', 'DescribeLaunchConfigurations'),
 ('launch_config_test.go', 'CreateLaunchConfiguration'),
 ('launch_config_test.go', 'DescribeLaunchConfigurations'),
 ('rds.go', 'DeleteDBInstance'),
 ('rds.go', 'DescribeDBInstances'),
 ('rds.go', 'WaitUntilDBInstanceDeleted'),
 ('rds_cluster.go', 'DeleteDBCluster'),
 ('rds_cluster.go', 'DescribeDBClusters'),
 ('rds_cluster_test.go', 'CreateDBCluster'),
 ('rds_test.go', 'CreateDBInstance'),
 ('rds_test.go', 'DescribeDBInstances'),
 ('s3.go', 'DeleteBucket'),
 ('s3.go', 'DeleteObjects'),
 ('s3.go', 'GetBucketLocation'),
 ('s3.go', 'GetBucketTagging'),
 ('s3.go', 'GetBucketVersioning'),
 ('s3.go', 'ListBuckets'),
 ('s3.go', 'ListObjectVersionsPages'),
 ('s3.go', 'ListObjectsV2Pages'),
 ('s3.go', 'WaitUntilBucketNotExists'),
 ('s3_test.go', 'CreateBucket'),
 ('s3_test.go', 'DeleteObject'),
 ('s3_test.go', 'PutBucketTagging'),
 ('s3_test.go', 'PutBucketVersioning'),
 ('s3_test.go', 'WaitUntilBucketExists'),
 ('snapshot.go', 'DeleteSnapshot'),
 ('snapshot.go', 'DescribeSnapshots'),
 ('snapshot_test.go', 'CreateSnapshot'),
 ('snapshot_test.go', 'DescribeSnapshots'),
 ('snapshot_test.go', 'WaitUntilSnapshotCompleted')]

byarbrough avatar Jul 14 '20 23:07 byarbrough

Nice! Looks like a good start :)

brikis98 avatar Jul 15 '20 09:07 brikis98

Hi @byarbrough, Nice work. Have you had the chance to come up with the final policy?

Cajga avatar May 19 '21 15:05 Cajga

No update for the past 2 years. Will close this comment. Feel free to reopen if there's strong need for this documentation.

james03160927 avatar Oct 24 '23 01:10 james03160927