
Permissions for infra bucket

Open · gdelisle opened this issue 3 years ago · 1 comment

I am seeing a couple of statements like this in the infrastructure template:

```yaml
# One entry in the bucket policy's Statement list
- Sid: "AWSCloudTrailAclCheck"
  Effect: "Allow"
  Principal:
    AWS:
      - "arn:aws:iam::903692715234:root"
      - "arn:aws:iam::859597730677:root"
      - "arn:aws:iam::814480443879:root"
      - "arn:aws:iam::216624486486:root"
      - "arn:aws:iam::086441151436:root"
      - "arn:aws:iam::388731089494:root"
      - "arn:aws:iam::284668455005:root"
      - "arn:aws:iam::113285607260:root"
      - "arn:aws:iam::035351147821:root"
  Action: "s3:GetBucketAcl"
  Resource: !Sub "arn:aws:s3:::${CfnLeastPrivilegeRoleGeneratorBucket}"
```

That looks to me like full access is being given to the bucket by a whole bunch of AWS accounts that are not mine. I would presume that before I actually use this thing these should be removed and replaced with the IAM entities I actually want to have access to the bucket? There really should be something in the instructions to that effect. It would also be nice to not need to use the root account for this, but the account I am using to run the tool.

gdelisle, Mar 22 '21 15:03

These are actually related to CloudTrail: https://docs.aws.amazon.com/es_es/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html

cruizba, Oct 27 '21 10:10
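The two posts above raise a concrete question a reviewer of the template would want answered mechanically: does the quoted statement grant anything beyond `s3:GetBucketAcl`, and is every listed principal one of the CloudTrail account IDs the reply points at? The script below is an added example for this thread, not code from cfn-leaprog or from either commenter. Its input is the statement quoted in the issue, rebuilt as JSON with the `!Sub` resolved to a hypothetical bucket name; the trusted-account set is simply the nine IDs from that statement (the reply identifies them as CloudTrail's, so treat the list as "what the template claims" and trim it to the regions you actually use). It also emits the alternative grant that does not need any account list at all, the `cloudtrail.amazonaws.com` service-principal form with an `aws:SourceArn` condition that AWS's current CloudTrail bucket-policy documentation uses; the account ID and trail ARN passed to it are placeholders.

```python
"""Audit the CloudTrail ACL-check grant from the issue, and build the
service-principal alternative. Added example; not part of cfn-leaprog."""
import json
import re

BUCKET = "cfn-leaprog-example-bucket"  # hypothetical name for ${CfnLeastPrivilegeRoleGeneratorBucket}

# Constructed input: the statement quoted in the issue, as JSON.
ACL_CHECK_STATEMENT = {
    "Sid": "AWSCloudTrailAclCheck",
    "Effect": "Allow",
    "Principal": {"AWS": [
        "arn:aws:iam::903692715234:root", "arn:aws:iam::859597730677:root",
        "arn:aws:iam::814480443879:root", "arn:aws:iam::216624486486:root",
        "arn:aws:iam::086441151436:root", "arn:aws:iam::388731089494:root",
        "arn:aws:iam::284668455005:root", "arn:aws:iam::113285607260:root",
        "arn:aws:iam::035351147821:root",
    ]},
    "Action": "s3:GetBucketAcl",
    "Resource": f"arn:aws:s3:::{BUCKET}",
}

# The IDs the template expects: the same nine, which the reply attributes to
# CloudTrail's per-region accounts (see the linked AWS page). Trim to your regions.
EXPECTED_CLOUDTRAIL_ACCOUNTS = {
    "903692715234", "859597730677", "814480443879", "216624486486", "086441151436",
    "388731089494", "284668455005", "113285607260", "035351147821",
}

ROOT_ARN = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_accounts(statement):
    """Return the account IDs (or raw ARNs / '*') named as AWS principals."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return {"*"}
    accounts = set()
    for arn in _as_list(principal.get("AWS", [])):
        match = ROOT_ARN.match(arn)
        accounts.add(match.group(1) if match else arn)
    return accounts


def audit_acl_check(statement, trusted_accounts):
    """Findings for a CloudTrail ACL-check statement; empty list means it is
    limited to s3:GetBucketAcl and every principal is a trusted account."""
    findings = []
    if statement.get("Effect") != "Allow":
        return findings
    extra = set(_as_list(statement.get("Action", []))) - {"s3:GetBucketAcl"}
    if extra:
        findings.append(f"actions beyond s3:GetBucketAcl: {sorted(extra)}")
    unknown = principal_accounts(statement) - set(trusted_accounts)
    if unknown:
        findings.append(f"untrusted principals: {sorted(unknown)}")
    return findings


def service_principal_statements(bucket, account_id, trail_arn):
    """The same grant using the cloudtrail.amazonaws.com service principal,
    pinned to one trail with aws:SourceArn (pattern from AWS's CloudTrail
    bucket-policy docs). No per-region account list is needed."""
    service = {"Service": "cloudtrail.amazonaws.com"}
    return [
        {
            "Sid": "AWSCloudTrailAclCheck", "Effect": "Allow", "Principal": service,
            "Action": "s3:GetBucketAcl", "Resource": f"arn:aws:s3:::{bucket}",
            "Condition": {"StringEquals": {"aws:SourceArn": trail_arn}},
        },
        {
            "Sid": "AWSCloudTrailWrite", "Effect": "Allow", "Principal": service,
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSLogs/{account_id}/*",
            "Condition": {"StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceArn": trail_arn,
            }},
        },
    ]


if __name__ == "__main__":
    print("findings:", audit_acl_check(ACL_CHECK_STATEMENT, EXPECTED_CLOUDTRAIL_ACCOUNTS))
    # Placeholder account ID and trail ARN; substitute your own.
    trail = "arn:aws:cloudtrail:us-east-1:111122223333:trail/example"
    print(json.dumps(service_principal_statements(BUCKET, "111122223333", trail), indent=2))
```

Run against the quoted statement the audit returns no findings: the grant is only `s3:GetBucketAcl`, which lets CloudTrail confirm it can write to the bucket, and is not "full access". Appending any other account ARN, or widening `Action`, produces a finding. If you do not want a list of foreign account IDs in the template at all, the service-principal statements are the drop-in replacement; they also address the commenter's wish not to depend on root ARNs.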