
[AWS] Reduce dependency on high-privilege objects from @pulumi/eks

Open · hausdorff opened this issue 6 years ago · 1 comment

Currently @pulumi/eks requires very expansive permissions:

  • Create/delete permissions for IAM Roles, RolePolicyAttachments, InstanceProfile, etc.
  • Create/delete permissions for SecurityGroup and SecurityGroupRule.
  • Create/delete permissions for various EC2 resource types, like ASGs.

We should change the EKS package to allow us to deploy the IAM and SecurityGroup resources separately from the EKS compute resources, like ASGs. Notably, we already don't provision VPCs for the user, so there is some precedent for this.

Rationale: IAM and SecurityGroup are perhaps the highest-blast-radius resource types in the AWS API. In particular, they have among the most serious security implications when misconfigured. Admin permissions should therefore be granted very, very sparingly.

It should be simple to split out the SecurityGroups; for IAM, the industry-standard best practice is to have a three-tiered permissions model:

  • [Very small] IAM admins: have administrative permissions over IAM.
  • [Most/all of engineering] IAM users: are allowed to pass existing roles to other resources, but can't create their own. Users in this group can also administrate their own passwords.
  • [Everything else] No IAM Permissions: no permissions whatsoever.

hausdorff · Jan 22 '19 08:01
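The three-tier model in the issue, written out as policy documents with a small evaluator that applies the documented AWS ordering (an explicit Deny beats any Allow, and anything not allowed is implicitly denied). This is an added example and not code from the issue or from @pulumi/eks; the account id, role ARNs and user names are constructed placeholders, and the evaluator only models `Action`/`Resource` wildcards plus the `${aws:username}` variable, not conditions or resource-based policies.

```typescript
// Added example (not part of the issue or of @pulumi/eks): the three IAM
// permission tiers described above, plus a minimal policy evaluator.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string[];
  Resource: string[];
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Tier 1: IAM admins. Full control over IAM; deliberately the only tier that
// can create roles, policies and instance profiles.
const iamAdminPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["iam:*"], Resource: ["*"] }],
};

// Tier 2: IAM users. May pass a fixed set of pre-existing roles to services
// (for example an EKS node instance role) and manage their own password, while
// an explicit Deny blocks creating or mutating IAM objects.
function iamUserPolicy(accountId: string, passableRoleArns: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Action: ["iam:PassRole", "iam:GetRole"], Resource: passableRoleArns },
      {
        Effect: "Allow",
        Action: ["iam:ChangePassword", "iam:GetUser"],
        // ${aws:username} is an IAM policy variable, kept literal here.
        Resource: ["arn:aws:iam::" + accountId + ":user/${aws:username}"],
      },
      {
        Effect: "Deny",
        Action: ["iam:Create*", "iam:Put*", "iam:Attach*", "iam:Update*", "iam:Delete*"],
        Resource: ["*"],
      },
    ],
  };
}

// Tier 3: no IAM permissions at all. An empty statement list allows nothing.
const noIamPolicy: PolicyDocument = { Version: "2012-10-17", Statement: [] };

function escapeRegex(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Match an IAM action or ARN pattern. Only "*" wildcards are supported and the
// comparison is case-insensitive, as the IAM service does for actions.
function matches(pattern: string, value: string): boolean {
  const re = new RegExp("^" + pattern.split("*").map(escapeRegex).join(".*") + "$", "i");
  return re.test(value);
}

// Evaluate one request against one identity policy for the given IAM user.
// Explicit Deny wins; with no matching Allow the request is implicitly denied.
function isAllowed(policy: PolicyDocument, action: string, resource: string, username: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    const resources = st.Resource.map((r) => r.replace("${aws:username}", username));
    const hit =
      st.Action.some((a) => matches(a, action)) &&
      resources.some((r) => matches(r, resource));
    if (!hit) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}
```

Run against the constructed sample below, the tier-2 policy lets an engineer pass the node role that an IAM admin created, but any `iam:CreateRole` call is denied even though `iam:PassRole` is allowed; that is the property the issue asks the EKS package to make possible, by letting the role be created once by the admin tier and passed in by everyone else.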

cc @pgavlin

hausdorff · Jan 22 '19 08:01