
Can I make the CloudFormationExecutionRole have least privilege? #3282

Open
pjxiao opened this issue Sep 16, 2021 · 4 comments

Comments

@pjxiao

pjxiao commented Sep 16, 2021

Describe your idea/feature/enhancement

I hope that the CloudFormationExecutionRole has least privilege.
Currently SAM-CLI attaches the following policy to the execution role:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```

This seems to allow CloudFormation to create/delete anything in an account, including IAM resources, even if I just want to deploy an API.

Proposal

I hope that there were policy templates for typical use cases such as an API or an S3 event handler.

Additional Details

@hoffa
Contributor

hoffa commented Sep 16, 2021

CloudFormation assumes the execution role to deploy applications (which can consist of arbitrary resources). You can create an IAM role with reduced permissions and pass its ARN during the bootstrapping process (e.g. through sam pipeline init --bootstrap or sam pipeline bootstrap).

@pjxiao
Author

pjxiao commented Sep 17, 2021

@hoffa
Yes, the bootstrap subcommand allows us to pass a role ARN. But we need to create an IAM role in advance by ourselves. I feel that writing an IAM policy is one of the hardest parts of deployment. So I hope that the bootstrap subcommand allowed us to choose a more restrictive version of an execution role policy.

Thanks,

@zhan9san
Contributor

I am working on this feature and will document them once it gets finalized.

It's almost done.

@Goblinlordx

Goblinlordx commented Oct 12, 2023

This seems a bit old. Can we at least consider denying IAM access to this role? It seems unsafe as it allows privilege escalation via creation of an administrative IAM role/user via cloudformation. I think if, at least, this is denied, it would provide a much more secure role. It might also be a good idea to maybe prevent allowing importing resources via cloudformation by default? Maybe this could be skipped but the IAM part seems almost necessary.

Edit: Actually, IAM permissions are needed, at least, to some extent. Creating roles and policies is definitely a need. I feel like there should still be a way to prevent allowing access to resources outside what is defined by a stack as well as preventing things like creating an administrative user/role/policy via the stack.
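As an added illustration of what the two comments above are asking for (hoffa's "create an IAM role with reduced permissions and pass its ARN during bootstrapping", and Goblinlordx's point that the role must still manage stack roles but must not be able to mint an administrative user or role), here is a narrower execution-role policy for a plain Lambda + API Gateway stack, placed next to the wildcard policy quoted in the issue, together with a small checker that flags the escalation paths the thread describes. This is example code written for this note, not code from aws-sam-cli; the account id, region, artifact bucket prefix and permissions-boundary policy name are placeholders, and the exact action list a given stack needs is an assumption you would tailor per template.

```python
"""Reduced-permission CloudFormation execution role policy plus a checker.

Example added here, not aws-sam-cli code. All ARNs below are constructed
placeholders. Assumption: the stack only needs Lambda, API Gateway, logs,
read access to the SAM artifact bucket, and per-function IAM roles that are
always created under a permissions boundary.
"""
import json

ACCOUNT = "111122223333"                                    # placeholder account id
BOUNDARY_ARN = f"arn:aws:iam::{ACCOUNT}:policy/SamDeployBoundary"   # assumed boundary policy
ARTIFACT_BUCKET = "arn:aws:s3:::aws-sam-cli-managed-*/*"            # assumed bucket pattern

# The policy SAM attaches today, exactly as quoted in the issue.
WILDCARD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": "*", "Resource": "*", "Effect": "Allow"}],
}

# A narrower alternative: service permissions for the stack's resource types,
# role creation only when the stack attaches the permissions boundary, and an
# explicit Deny on the IAM calls that would defeat that boundary.
RESTRICTED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ServerlessResources",
            "Effect": "Allow",
            "Action": ["lambda:*", "apigateway:*", "logs:*"],
            "Resource": "*",
        },
        {
            "Sid": "ReadDeploymentArtifacts",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": ARTIFACT_BUCKET,
        },
        {
            "Sid": "RolesOnlyWithBoundary",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
            "Condition": {"StringEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}},
        },
        {
            "Sid": "RoleHousekeeping",
            "Effect": "Allow",
            "Action": ["iam:GetRole", "iam:DeleteRole", "iam:DeleteRolePolicy",
                       "iam:DetachRolePolicy", "iam:PassRole", "iam:TagRole"],
            "Resource": f"arn:aws:iam::{ACCOUNT}:role/*",
        },
        {
            "Sid": "NoUsersOrBoundaryTampering",
            "Effect": "Deny",
            "Action": ["iam:CreateUser", "iam:CreateAccessKey",
                       "iam:DeleteRolePermissionsBoundary", "iam:PutRolePermissionsBoundary",
                       "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion"],
            "Resource": "*",
        },
    ],
}

# Actions that let a stack create a role and hand it arbitrary permissions.
ROLE_MINTING = {"iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def action_matches(pattern, action):
    """Match an IAM action against '*', 'service:*' or an exact name (case-insensitive)."""
    pattern, action = pattern.lower(), action.lower()
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def find_escalation_paths(policy):
    """Return a list of findings for the escalation paths discussed in the thread."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue                      # Deny statements cannot grant anything
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: Action '*' on Resource '*' grants full account admin")
            continue
        # Condition values are dicts keyed by condition key, e.g. {"StringEquals": {...}}
        has_boundary = any("iam:PermissionsBoundary" in keys for keys in stmt.get("Condition", {}).values())
        minted = sorted(a for a in ROLE_MINTING if any(action_matches(p, a) for p in actions))
        if minted and not has_boundary:
            findings.append(f"{sid}: {', '.join(minted)} without an iam:PermissionsBoundary "
                            "condition lets a stack create an administrative role")
    return findings


def render(policy):
    """Serialise a policy document for pasting into an IAM role."""
    return json.dumps(policy, indent=4)


if __name__ == "__main__":
    for name, pol in (("wildcard", WILDCARD_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, find_escalation_paths(pol) or "no escalation paths found")
    print(render(RESTRICTED_POLICY))
```

The role the stack's functions receive is then bounded by whatever `SamDeployBoundary` allows, so a template that declares an `AWS::IAM::Role` with `AdministratorAccess` still creates the role, but the boundary caps its effective permissions; the explicit Deny keeps the stack from removing or rewriting that boundary. Attach the restricted document to a role that trusts `cloudformation.amazonaws.com`, then pass that role's ARN during bootstrapping as hoffa describes.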
