aws-ia / terraform-aws-control_tower_account_factory

AWS Control Tower Account Factory
Apache License 2.0

Least privilege principle for AFT roles #431

Open awsome-user opened 4 months ago

awsome-user commented 4 months ago

Describe the outcome you'd like

Minimal permissions required for the account provisioning should be in place instead of * for AWSAFTService and AWSAFTAdmin IAM roles.

The customer should be able to add required permissions for their own customisations if required to keep permissions minimal.

Is your feature request related to a problem you are currently experiencing? If so, please describe.

This would help ensure that least-privilege principles, which are also a best practice from the AWS side (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege), are followed, and therefore mitigate risk by reducing the blast radius of the AFT roles and improving the security of the overall solution.

Additional context

By default the framework uses admin policies for both AFT roles:

Policy definition: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/ac0facd5911e865cfe9d855c1851aff464cbd8b5/sources/aft-lambda-layer/aft_common/account_provisioning_framework.py#L49

Create role statement: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/ac0facd5911e865cfe9d855c1851aff464cbd8b5/sources/aft-lambda-layer/aft_common/account_provisioning_framework.py#L120

These are not required. For example, in the organization management account, the AWSAFTService IAM role requires only the permissions below and not `*` (admin):

```json
[
  "servicecatalog:ScanProvisionedProducts",
  "servicecatalog:ListPortfolios",
  "servicecatalog:DescribeProductAsAdmin",
  "servicecatalog:AssociatePrincipalWithPortfolio",
  "servicecatalog:ProvisionProduct",
  "servicecatalog:DescribeProvisioningArtifact",
  "servicecatalog:GetProvisionedProductOutputs",
  "servicecatalog:SearchProvisionedProducts",
  "iam:GetRole",
  "sts:GetCallerIdentity",
  "sts:AssumeRole",
  "organizations:DescribeAccount",
  "organizations:ListParents",
  "organizations:ListAccounts",
  "organizations:TagResource",
  "organizations:UntagResource",
  "config:DescribeConfigurationRecorders",
  "cloudformation:GetTemplateSummary",
  "controltower:CreateManagedAccount",
  "controltower:DescribeManagedAccount"
]
```

The same is true for AWSAFTAdmin. Both AFT roles come with far more permissions than they need for what they do in the vended, management and AFT AWS accounts.
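To make the comparison concrete, the following is an added example written for this page, not code from AFT or from the issue author. It encodes the default `*` policy the issue describes and the scoped-down action list proposed above as IAM policy documents, flags wildcard actions (including the `Allow` + `NotAction` pattern, which is a wildcard in disguise), lists the service prefixes each policy reaches, and shows how customer-specific actions could be appended in a separate statement without reintroducing a wildcard. Only the action list comes from the issue; the policy document shapes, the `Resource: "*"`, and all function names are assumptions made for the example.

```python
"""Wildcard check for IAM policy documents (added example, not AFT code).

The action list below is the one proposed in the issue for the AWSAFTService
role in the management account. The policy document structure, Resource "*"
and the function names are assumptions made for this example.
"""
from __future__ import annotations

import json

# Shape of the default policy the issue describes: full admin via "*".
DEFAULT_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Actions the issue lists for AWSAFTService in the management account.
AFT_SERVICE_MGMT_ACTIONS = [
    "servicecatalog:ScanProvisionedProducts",
    "servicecatalog:ListPortfolios",
    "servicecatalog:DescribeProductAsAdmin",
    "servicecatalog:AssociatePrincipalWithPortfolio",
    "servicecatalog:ProvisionProduct",
    "servicecatalog:DescribeProvisioningArtifact",
    "servicecatalog:GetProvisionedProductOutputs",
    "servicecatalog:SearchProvisionedProducts",
    "iam:GetRole",
    "sts:GetCallerIdentity",
    "sts:AssumeRole",
    "organizations:DescribeAccount",
    "organizations:ListParents",
    "organizations:ListAccounts",
    "organizations:TagResource",
    "organizations:UntagResource",
    "config:DescribeConfigurationRecorders",
    "cloudformation:GetTemplateSummary",
    "controltower:CreateManagedAccount",
    "controltower:DescribeManagedAccount",
]

# Scoped-down replacement. Resource is left as "*" here as a simplification
# (an assumption of this example); narrowing resources is a further step.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": AFT_SERVICE_MGMT_ACTIONS, "Resource": "*"}
    ],
}


def _as_list(value) -> list[str]:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def wildcard_actions(policy: dict) -> list[str]:
    """Return findings for Allow statements that grant via a wildcard:
    any action containing '*' ('*', 'iam:*', 's3:Get*') or an Allow with
    NotAction, which grants everything except the listed actions."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"Statement[{idx}]: Allow with NotAction")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"Statement[{idx}]: {action}")
    return findings


def services_granted(policy: dict) -> set[str]:
    """Service prefixes ('servicecatalog', 'sts', ...) reached by Allow
    statements; a bare '*' action yields the marker '*' (every service)."""
    services: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            services.add(action.split(":", 1)[0])
    return services


def with_customer_actions(policy: dict, extra_actions: list[str],
                          sid: str = "CustomerCustomizations") -> dict:
    """Return a copy of the policy with customisation-specific actions in a
    separate statement, so the framework baseline and the customer additions
    can be reviewed and diffed apart. Refuses wildcard additions."""
    bad = [a for a in extra_actions if "*" in a]
    if bad:
        raise ValueError(f"refusing wildcard actions in customisations: {bad}")
    extended = json.loads(json.dumps(policy))  # deep copy, input untouched
    extended["Statement"].append(
        {"Sid": sid, "Effect": "Allow", "Action": sorted(extra_actions), "Resource": "*"}
    )
    return extended


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, wildcard_actions(pol), sorted(services_granted(pol)))
    # ssm:GetParameter is a constructed example of a customer-added action.
    print(json.dumps(with_customer_actions(SCOPED_POLICY, ["ssm:GetParameter"]), indent=2))
```

Running the module prints one wildcard finding for the default policy and none for the scoped one, and shows that the scoped policy reaches seven service prefixes instead of every service. The same check can be run against any policy document the framework renders before it is attached to a role.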

Sanjan611 commented 4 months ago

Hi @awsome-user , thanks for identifying this and for scoping down the permissions for us. I've added this to our backlog.