PaloAltoNetworks / terraform-aws-swfw-modules

Terraform Reusable Modules for Software Firewalls on AWS
https://registry.terraform.io/modules/PaloAltoNetworks/swfw-modules/aws
MIT License
14 stars 11 forks source link

Enhance the IAM Policy Permissions for Auto Scaling #24

Open migara opened 8 months ago

migara commented 8 months ago

The current lambda function used for auto scaling is attached with an IAM policy which is not constrained to specific resources. The intention of this effort is to check if we can tighten the policy based on resource tags

https://github.com/PaloAltoNetworks/terraform-aws-swfw-modules/pull/8#pullrequestreview-1855805977

Example

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {"aws:ResourceTag/Owner": "${aws:username}"}
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DescribeInstances",
            "Resource": "*"
        }
    ]
}
migara commented 5 months ago

The plan is to restrict the resource access to something more specific