From b67b91e3744a283b8590dc4900efbb2d75bbe9d8 Mon Sep 17 00:00:00 2001
From: David Killmon
Date: Thu, 25 Jun 2020 08:51:01 -0700
Subject: [PATCH] feat: tighten permissions on task/execution role

Remove named based resource permissions in task role. Folks can use addons feature to add arbitrary permissions to their task roles. Add conditions to execution role to only pull secrets and params that are tagged with copilot tags.
---
 .../services/common/cf/executionrole.yml | 20 ++++++--
 templates/services/common/cf/taskrole.yml | 51 -------------------
 2 files changed, 17 insertions(+), 54 deletions(-)

diff --git a/templates/services/common/cf/executionrole.yml b/templates/services/common/cf/executionrole.yml
index f2b19bfd0d9..00c237d3663 100644
--- a/templates/services/common/cf/executionrole.yml
+++ b/templates/services/common/cf/executionrole.yml
@@ -15,11 +15,25 @@ ExecutionRole:
 - Effect: 'Allow'
 Action:
 - 'ssm:GetParameters'
- - 'secretsmanager:GetSecretValue'
- - 'kms:Decrypt'
 Resource:
 - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+ Condition:
+ StringEquals:
+ 'ssm:ResourceTag/copilot-application': !Sub '${AppName}'
+ 'ssm:ResourceTag/copilot-environment': !Sub '${EnvName}'
+ - Effect: 'Allow'
+ Action:
+ - 'secretsmanager:GetSecretValue'
+ Resource:
 - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
+ Condition:
+ StringEquals:
+ 'secretsmanager:ResourceTag/copilot-application': !Sub '${AppName}'
+ 'secretsmanager:ResourceTag/copilot-environment': !Sub '${EnvName}'
+ - Effect: 'Allow'
+ Action:
+ - 'kms:Decrypt'
+ Resource:
 - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
 ManagedPolicyArns:
- - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
\ No newline at end of file
+ - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
diff --git a/templates/services/common/cf/taskrole.yml b/templates/services/common/cf/taskrole.yml
index 0f28ec9801f..495eaa0bf89 100644
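Review bot: The `kms:Decrypt` statement at the end of the hunk is the only one of the three that stays unconditioned, so the execution role can still use any KMS key in the account and region (`key/*`) while the SSM and Secrets Manager statements above it are now tag-scoped. Since this role only needs KMS to decrypt the parameters and secrets it fetches through those two services, the same intent can be pinned on that statement with `Condition:` / `StringEquals:` / `'kms:ViaService': [!Sub 'ssm.${AWS::Region}.amazonaws.com', !Sub 'secretsmanager.${AWS::Region}.amazonaws.com']`. A tag condition on the key would be an alternative, but the template does not show how the keys are tagged, so the via-service condition is the safer fit here. The `ExecutionRole` resource and its `Policies` list begin above the hunk.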
--- a/templates/services/common/cf/taskrole.yml
+++ b/templates/services/common/cf/taskrole.yml
@@ -25,54 +25,3 @@ TaskRole:
 StringEquals:
 'iam:ResourceTag/copilot-application': !Sub '${AppName}'
 'iam:ResourceTag/copilot-environment': !Sub '${EnvName}'
- - PolicyName: 'AllowPrefixedResources'
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: 'Allow'
- Action: '*'
- Resource:
- - !Sub 'arn:aws:s3:::${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:elasticache:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:*:${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:*:${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
- - PolicyName: 'AllowTaggedResources' # See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: 'Allow'
- Action: '*'
- Resource: '*'
- Condition:
- StringEquals:
- 'aws:ResourceTag/copilot-application': !Sub '${AppName}'
- 'aws:ResourceTag/copilot-environment': !Sub '${EnvName}'
- - Effect: 'Allow'
- Action: '*'
- Resource: '*'
- Condition:
- StringEquals:
- 'secretsmanager:ResourceTag/copilot-application': !Sub '${AppName}'
- 'secretsmanager:ResourceTag/copilot-environment': !Sub '${EnvName}'
- - PolicyName: 'CloudWatchMetricsAndDashboard'
- PolicyDocument:
- Version: '2012-10-17'
- Statement:
- - Effect: 'Allow'
- Action:
- - 'cloudwatch:PutMetricData'
- Resource: '*'
- - Effect: 'Allow'
- Action:
- - 'cloudwatch:GetDashboard'
- - 'cloudwatch:ListDashboards'
- - 'cloudwatch:PutDashboard'
- - 'cloudwatch:ListMetrics'
- Resource: '*'
\ No newline at end of file