Open PhilDakin opened 6 months ago
Likely resolution - simply grant my user fairly broad permissions for the services required by the templates, which seems OK for an admin account.
I ran into this as well and also found the referenced link. I separated this out from the rest of the permissions:

```json
{
  "Sid": "AllowManageOwnVirtualMFADevice",
  "Effect": "Allow",
  "Action": [
    "iam:CreateVirtualMFADevice"
  ],
  "Resource": "arn:aws:iam::123456789012:mfa/*"
}
```

The `arn:aws:sts::123456789012:*` resource seemed to work just fine though. But I will update if I find any issues related to this.
I am also confused about the separation of user privileges, but thought the same in relation to admin permissions, which would likely be used for deploying the templates.
In addition to CloudTrail enabled, should we also be enabling AWS Config, AWS Security Hub, and AWS Audit Manager?
Thank you for putting this together @g-borgulya.
Per https://github.com/WaffleCodeApp/waffle-templates/blob/main/setting_up_aws.md:
Then, the guide provides some default IAM permissions and MFA settings to apply to the user.
First, I encountered a couple of issues:

1. The `iam:CreateVirtualMFADevice` policy resource seems wrong; I don't think `mfa/username` makes sense, just `mfa/*` (per link).
2. The specifications `"Resource": "arn:aws:sts::ACCOUNT:"` seem incorrect; they should just be `"Resource": "*"` (they don't work otherwise).

Additionally, something that is not clear to me from the documentation is that I am supposed to use my non-root account to deploy this cloud infrastructure, but deploying these templates will require a bunch of permissions - are users left on their own for initializing their non-root account permissions to support the templates? Feels doable quickly with e.g. ChatGPT extraction, but is a bit unclear.
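An added example, not code from the issue or from the waffle-templates repository: a small Python checker that scans a policy document for the two problems raised in this thread, an unsubstituted placeholder such as `arn:aws:sts::ACCOUNT:` and an `iam:CreateVirtualMFADevice` resource that is not under `mfa/`. The sample policy, the `sts:GetSessionToken` action and the Sids other than `AllowManageOwnVirtualMFADevice` are constructed for the demonstration.

```python
import json
import re

# IAM/STS ARN with a concrete 12-digit account ID, e.g. arn:aws:iam::123456789012:mfa/*
ARN_RE = re.compile(r"^arn:aws:(iam|sts)::(\d{12}):(.+)$")

def check_statement(stmt):
    """Return findings (strings) for one policy statement; an empty list means nothing was flagged."""
    sid = stmt.get("Sid", "<no Sid>")
    actions = stmt.get("Action", [])
    resources = stmt.get("Resource", [])
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    findings = []
    for res in resources:
        if res == "*":
            # Valid syntax; the thread reports "*" is required for the sts statements.
            continue
        m = ARN_RE.match(res)
        if not m:
            # Catches "arn:aws:sts::ACCOUNT:": placeholder never replaced and empty resource part.
            findings.append(f"{sid}: malformed ARN or unsubstituted ACCOUNT placeholder: {res}")
            continue
        service, _account, path = m.groups()
        if "iam:CreateVirtualMFADevice" in actions and service == "iam":
            if not path.startswith("mfa/"):
                findings.append(f"{sid}: iam:CreateVirtualMFADevice needs an mfa/ resource, got {res}")
            elif "${aws:username}" in path:
                findings.append(f"{sid}: mfa/${{aws:username}} ties the device name to the username; use mfa/*")
    return findings

def check_policy(policy_json):
    """Run check_statement over every statement of a JSON policy document."""
    statements = json.loads(policy_json)["Statement"]
    statements = [statements] if isinstance(statements, dict) else statements
    return [f for stmt in statements for f in check_statement(stmt)]

# Constructed sample: the working statement from the thread plus two problem cases.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowManageOwnVirtualMFADevice", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice"], "Resource": "arn:aws:iam::123456789012:mfa/*"},
    {"Sid": "StsPlaceholder", "Effect": "Allow",
     "Action": ["sts:GetSessionToken"], "Resource": "arn:aws:sts::ACCOUNT:"},
    {"Sid": "UsernameBoundMfa", "Effect": "Allow",
     "Action": ["iam:CreateVirtualMFADevice"], "Resource": "arn:aws:iam::123456789012:mfa/${aws:username}"}
  ]
}"""

if __name__ == "__main__":
    for finding in check_policy(SAMPLE_POLICY):
        print(finding)
```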