WaffleCodeApp / waffle-templates

A set of AWS CloudFormation templates for secure web applications
MIT License

User Permissions #1

Open PhilDakin opened 6 months ago

PhilDakin commented 6 months ago

Per https://github.com/WaffleCodeApp/waffle-templates/blob/main/setting_up_aws.md:

It's highly recommended not to use your AWS account with your root access. You can create a user with the least required permissions in the AWS Console > IAM. Once you have created a user that you'll use for deploying the templates in this repo, it's strongly recommended to turn on MFA for them. The users can turn this on for themselves.

Then, the guide provides some default IAM permissions and MFA settings to apply to the user.

First, I encountered a couple of issues:

1 - `iam:CreateVirtualMFADevice` policy resource seems wrong, don't think `mfa/username` makes sense, just `mfa/` (per link).
2 - The specifications `"Resource": "arn:aws:sts::ACCOUNT:` seem incorrect, they should just be `"Resource": "*"` (they don't work otherwise).

Additionally, something that is not clear to me from the documentation is that I am supposed to use my non-root account to deploy this cloud infrastructure, but deploying these templates will require a bunch of permissions - are users left on their own for initializing their non-root account permissions to support the templates? Feels doable quickly with e.g. ChatGPT extraction, but is a bit unclear.

PhilDakin commented 6 months ago

Likely resolution - simply grant my user fairly broad permissions for the services required by the templates, which seems OK for an admin account.

jamesmalin commented 3 months ago

First, I encountered a couple of issues:

1 - `iam:CreateVirtualMFADevice` policy resource seems wrong, don't think `mfa/username` makes sense, just `mfa/` (per link).
2 - The specifications `"Resource": "arn:aws:sts::ACCOUNT:` seem incorrect, they should just be `"Resource": "*"` (they don't work otherwise).

I ran into this as well and also found the referenced link. I separated this out from the rest of the permissions:

{
    "Sid": "AllowManageOwnVirtualMFADevice",
    "Effect": "Allow",
    "Action": [
        "iam:CreateVirtualMFADevice"
    ],
    "Resource": "arn:aws:iam::123456789012:mfa/*"
}

The arn:aws:sts::123456789012:* seemed to work just fine though. But, I will update if I find any issues related to this.

I am also confused on the separation of user privileges, but thought the same in relation to admin permissions which would likely be used for deploying the templates.

In addition to CloudTrail enabled, should we also be enabling AWS Config, AWS Security Hub, and AWS Audit Manager?

Thank you for putting this together @g-borgulya.
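An added illustration of the point in both comments about the `mfa/*` resource, written for this thread and not part of waffle-templates: a small local model of the IAM evaluation rules (Allow/Deny, Action/NotAction, `*` wildcards, the `${aws:username}` variable and the `aws:MultiFactorAuthPresent` condition), run against jamesmalin's statement together with the companion statements from AWS's documented self-service MFA pattern. The account id is the sample one from the thread, the user name `deployer` is constructed, and the evaluator only approximates IAM; the IAM policy simulator remains the authoritative check.

```python
# Added example, not waffle-templates code: a toy model of the IAM statement
# semantics this thread is about. It approximates IAM and ignores SCPs,
# permission boundaries and resource policies.
import fnmatch

USERNAME = "deployer"  # constructed IAM user name for ${aws:username}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(pattern, candidate, username):
    # IAM resolves ${aws:username} first, then applies the * and ? wildcards.
    return fnmatch.fnmatchcase(candidate, pattern.replace("${aws:username}", username))

def _action_matches(stmt, action, username):
    if "NotAction" in stmt:  # NotAction covers every action NOT listed
        return not any(_matches(a, action, username) for a in _as_list(stmt["NotAction"]))
    return any(_matches(a, action, username) for a in _as_list(stmt["Action"]))

def is_allowed(policy, action, resource, username=USERNAME, mfa_present=False):
    """Explicit Deny beats Allow; no matching statement means implicit deny."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(stmt, action, username):
            continue
        if not any(_matches(r, resource, username) for r in _as_list(stmt["Resource"])):
            continue
        # BoolIfExists: a missing key (long-term access keys) counts as a match.
        want = stmt.get("Condition", {}).get("BoolIfExists", {}).get("aws:MultiFactorAuthPresent")
        if want is not None and want != str(mfa_present).lower():
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# The mfa/* statement from the thread plus the usual companions: act only on
# your own user, and deny everything else until the session is MFA-authenticated.
SELF_SERVICE_MFA = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice"],
     "Resource": "arn:aws:iam::123456789012:mfa/*"},
    {"Sid": "AllowManageOwnUserMFA", "Effect": "Allow",
     "Action": ["iam:EnableMFADevice", "iam:ListMFADevices", "iam:ResyncMFADevice"],
     "Resource": "arn:aws:iam::123456789012:user/${aws:username}"},
    {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
     "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                   "iam:ListMFADevices", "iam:ResyncMFADevice", "sts:GetSessionToken"],
     "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
```

Attaching this policy next to the broad deployment permissions means those permissions only take effect in an MFA-authenticated session, which is the "turn on MFA" recommendation from setting_up_aws.md enforced rather than merely advised.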