Closed cixelsyd closed 2 years ago
Thanks for these suggestions. We strive to strike a balance between ease of use and limiting security risks. That being said, I've created a ticket, internal ID ESECLDTPLT-2349, to revisit this issue and see what changes make sense.
Excellent! I think, in terms of security, the biggest issue here for me is the STS:AssumeRole on "resource:*". If I have a role that provides full administrator access to my AWS account, I do not necessarily want someone with shell access to the F5 to be able to use the F5's access key and secret (which can be trivially retrieved by anyone with BASH/SH access to the F5) to assume that other, unrelated, highly privileged role.
Thanks. steve
On Wed, Nov 11, 2020 at 1:49 PM Shyawn Karim notifications@github.com wrote:
Thanks for these suggestions. We strive to strike a balance between ease of use and limiting security risks. That being said, I've created a ticket, internal ID ESECLDTPLT-2349, to revisit this issue and see what changes make sense.
Thanks for these additional notes; I've added them to the ticket.
STS:AssumeRole and EC2:ReplaceRoute are not needed for CFE. This will come in the next update but you can remove those for now.
Closing.
This issue was resolved in Release 5.15.0.
Do you already have an issue opened with F5 support?
I do not. This is an issue that predominantly applies to the CFT templates and the Cloud Failover Extension, and would not be covered by 'standard' bigip support.
Description
Action: "sts:AssumeRole" on Resource: "*" is extremely powerful. Depending on how the underlying software is written, it may also be completely unnecessary. Best case scenario, sts:AssumeRole should be removed. Worst case scenario, it should be moved to its own stanza and the Resource restriction should be scoped to the IAM Role ARN created by the template itself.
Action: "ec2:ReplaceRoute" is listed inside two stanzas, and one of them applies to Resource: "*". This should be removed in favor of the second reference inside the other stanza that is at least resource-restricted to the region of the bigip device.
Additionally, the CFE documentation suggests further restricting the above-mentioned "ec2:ReplaceRoute" and "ec2:CreateRoute" based on Resource Tags, which seems like a good idea if for no other reason than as another safety measure to ensure the bigip device itself does not trample on a route table inside the same account+region that is associated with a completely different VPC. It is my guess that this was left off the cloudformation template simply because it would increase the number of input parameters necessary.
Template
https://github.com/F5Networks/f5-aws-cloudformation/blob/master/supported/failover/across-net/via-api/3nic/existing-stack/byol/f5-existing-stack-across-az-cluster-byol-3nic-bigip.template
and
https://github.com/F5Networks/f5-aws-cloudformation/blob/master/supported/failover/across-net/via-api/3nic/existing-stack/payg/f5-existing-stack-across-az-cluster-payg-3nic-bigip.template
... but perhaps others as well.
Severity Level
For bugs, enter the bug severity level. Do not set any labels.
Severity: 5
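The following is an added example, not code from the issue or from the F5 templates, that shows the policy pattern the Description objects to and one way to check for it and narrow it. The policy document, account ID, region and the tag key `f5_cloud_failover_label` with value `mydeployment` are all constructed for illustration; the checker flags sensitive actions granted on Resource "*" and actions listed in more than one stanza, and `scope_policy` applies the "best case" fix (drop sts:AssumeRole entirely) and moves the route actions into a single stanza scoped to the account/region route tables and conditioned on a resource tag.

```python
import json

# Constructed stand-in for the pattern described in the issue: one stanza grants
# ec2:ReplaceRoute and sts:AssumeRole on Resource "*", a second stanza repeats
# ec2:ReplaceRoute with a region/account-restricted ARN. Not the real template.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeRouteTables",
                    "ec2:ReplaceRoute", "sts:AssumeRole"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:ReplaceRoute", "ec2:CreateRoute"],
         "Resource": "arn:aws:ec2:us-east-1:111122223333:route-table/*"},
    ],
}

# Actions that should never be allowed on a wildcard resource in a device role.
FLAGGED_ACTIONS = {"sts:assumerole", "ec2:replaceroute", "ec2:createroute"}
ROUTE_ACTIONS = {"ec2:replaceroute", "ec2:createroute"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (statement_index, action) for flagged actions allowed on Resource '*'."""
    hits = []
    for i, st in enumerate(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            continue
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.lower() in FLAGGED_ACTIONS:
                hits.append((i, action))
    return hits


def find_duplicate_actions(policy):
    """Map action -> statement indexes for actions that appear in more than one stanza."""
    seen = {}
    for i, st in enumerate(policy["Statement"]):
        for action in _as_list(st.get("Action", [])):
            seen.setdefault(action.lower(), set()).add(i)
    return {a: sorted(idx) for a, idx in seen.items() if len(idx) > 1}


def scope_policy(policy, account_id, region, tag_key, tag_value):
    """Return a narrowed copy: sts:AssumeRole removed, route actions moved into one
    stanza limited to this account/region's route tables and to a resource tag.
    The tag key/value are assumed inputs (CFE documents tag-based restriction;
    the exact key is a placeholder here)."""
    statements = []
    for st in policy["Statement"]:
        kept = [a for a in _as_list(st["Action"])
                if a.lower() != "sts:assumerole" and a.lower() not in ROUTE_ACTIONS]
        if kept:  # drop stanzas that become empty (e.g. the old route-only stanza)
            statements.append({**st, "Action": kept})
    statements.append({
        "Effect": "Allow",
        "Action": ["ec2:ReplaceRoute", "ec2:CreateRoute"],
        "Resource": f"arn:aws:ec2:{region}:{account_id}:route-table/*",
        "Condition": {"StringEquals": {f"aws:ResourceTag/{tag_key}": tag_value}},
    })
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("wildcard grants:", find_wildcard_grants(BROAD_POLICY))
    print("duplicate actions:", find_duplicate_actions(BROAD_POLICY))
    scoped = scope_policy(BROAD_POLICY, "111122223333", "us-east-1",
                          "f5_cloud_failover_label", "mydeployment")
    print(json.dumps(scoped, indent=2))
```

Run against the constructed policy, the checker reports `ec2:ReplaceRoute` and `sts:AssumeRole` on the wildcard stanza and `ec2:ReplaceRoute` as duplicated across stanzas; after `scope_policy` both checks come back empty. If the "worst case" option from the Description is preferred instead, the same helper could keep `sts:AssumeRole` in its own stanza with the template-created role ARN as its sole Resource rather than dropping it.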