
Report EMR instances with inappropriate IAM role(s)

Open hjacobs opened this issue 10 years ago • 1 comments

Elastic Map Reduce (EMR) instances (using Amazon’s EMR AMIs) MAY be started, but MUST NOT get any access to the central IAM infrastructure through robot users.

All IAM roles of all EMR instances (running Amazon AMIs) must be checked to not allow privilege escalation, i.e. they should not allow downloading security credentials (generated by Mint) from S3. A reasonable approach would be to only allow white-listed usage of non-Mint S3 buckets (most EMR use cases just need S3 access).

Mint: http://stups.readthedocs.org/en/latest/components/mint.html

hjacobs avatar Apr 16 '15 15:04 hjacobs

@hjacobs, if I get it right:

  • Parse the policy
  • get all S3 rules
  • get from kio all configured Mint buckets (because buckets are global, so I can't filter them)
  • check if this is the case

Right?

mrandi avatar Mar 18 '16 12:03 mrandi
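The four steps in the comment above, written out as a small added example (this is illustrative code, not fullstop's or kio's own implementation). It assumes the Mint bucket list has already been fetched from kio and is passed in as plain bucket names; the bucket names and the three sample policy documents are constructed placeholders. The check goes slightly beyond the comment's wording in that it expands IAM wildcards in both `Action` (`s3:*`, `s3:Get*`, `*`) and `Resource` ARNs, since a wildcard that accidentally covers a Mint bucket is the case a plain string comparison would miss.

```python
import fnmatch
import json

# Constructed placeholder: the Mint bucket names that kio would report for the account.
MINT_BUCKETS = ["example-mint-bucket-eu-west-1"]

# S3 actions that would let an instance download credential files from a bucket.
CREDENTIAL_READ_ACTIONS = ("s3:getobject", "s3:getobjectversion")


def _as_list(value):
    """IAM policy fields such as Action and Resource may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy):
    """Yield every Allow statement of a parsed policy document."""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            yield stmt


def is_credential_read(action):
    """True if an Action pattern (e.g. 's3:*', 's3:Get*', '*') covers an object read."""
    pattern = action.lower()
    return any(fnmatch.fnmatchcase(read, pattern) for read in CREDENTIAL_READ_ACTIONS)


def resource_covers_bucket(resource, bucket):
    """True if a Resource ARN pattern covers the bucket itself or any object inside it."""
    if resource == "*":
        return True
    prefix = "arn:aws:s3:::"
    if not resource.startswith(prefix):
        return False
    pattern = resource[len(prefix):]
    # fnmatch's '*' also matches '/', which mirrors how IAM wildcards behave in S3 ARNs
    return fnmatch.fnmatchcase(bucket, pattern) or fnmatch.fnmatchcase(bucket + "/any-key", pattern)


def mint_bucket_violations(policy, mint_buckets=MINT_BUCKETS):
    """Return (action, resource, bucket) triples where an Allow grants object reads on a Mint bucket.

    Only Allow statements are inspected; an explicit Deny elsewhere in the effective
    permissions is not evaluated, so the findings are a conservative upper bound.
    """
    findings = []
    for stmt in allow_statements(policy):
        for action in _as_list(stmt.get("Action")):
            if not is_credential_read(action):
                continue
            for resource in _as_list(stmt.get("Resource")):
                for bucket in mint_buckets:
                    if resource_covers_bucket(resource, bucket):
                        findings.append((action, resource, bucket))
    return findings


def check_policy_json(text, mint_buckets=MINT_BUCKETS):
    """Parse a policy document (step 1 of the comment) and run the Mint bucket check on it."""
    return mint_bucket_violations(json.loads(text), mint_buckets)


# Constructed sample policies (placeholders, not taken from any real account).
VIOLATING_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# White-listed access to one non-Mint bucket only: the shape the issue asks for.
WHITELISTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-data-bucket", "arn:aws:s3:::example-data-bucket/*"],
    }],
}

# A prefix wildcard that looks harmless but also covers the Mint bucket.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-*"},
        {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-*/*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("violating", VIOLATING_POLICY),
                         ("whitelisted", WHITELISTED_POLICY),
                         ("wildcard", WILDCARD_POLICY)):
        print(name, mint_bucket_violations(policy))
```

Because IAM evaluates the union of every policy attached to the role (and the instance profile), the check has to be run over each attached and inline policy document of each EMR role, and a finding on any one of them is enough to report the instance.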