These are not required. For example, in the organization management account, the AWSAFTService IAM role requires only the permissions listed below, not * (admin):
The same is true for AWSAFTAdmin. Both AFT roles are granted far more permission than they need in the vended, management and AFT AWS accounts.
Describe the outcome you'd like
Minimal permissions required for account provisioning should be in place instead of * for the AWSAFTService and AWSAFTAdmin IAM roles. The customer should be able to add the permissions their own customisations require, so that the permission set stays minimal.
Is your feature request related to a problem you are currently experiencing? If so, please describe.
This would help ensure that the least-privilege principle, which AWS itself recommends as a best practice (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege), is followed, thereby reducing the blast radius of the AFT roles and improving the security of the overall solution.
Additional context
By default the framework uses admin policies for both AFT roles:
Policy Definition: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/ac0facd5911e865cfe9d855c1851aff464cbd8b5/sources/aft-lambda-layer/aft_common/account_provisioning_framework.py#L49
Create Role Statement: https://github.com/aws-ia/terraform-aws-control_tower_account_factory/blob/ac0facd5911e865cfe9d855c1851aff464cbd8b5/sources/aft-lambda-layer/aft_common/account_provisioning_framework.py#L120
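As an added illustration (not AFT's own code), the following check flags the kind of Allow-everything-on-everything statement this request objects to, so a reviewer can confirm a scoped-down replacement actually dropped it. Both policy documents, the role ARN and the action list are constructed placeholders; the real minimal action set has to be derived from what each AFT role actually calls.

```python
import json

# Constructed example in the shape the issue describes: Action "*" on Resource "*".
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed, hypothetical scoped-down alternative. The actions and the role ARN
# are placeholders, not the set AFT requires.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["organizations:DescribeAccount", "organizations:ListAccounts"],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": "arn:aws:iam::*:role/EXAMPLE-TARGET-ROLE",
        },
    ],
}


def _as_list(value):
    # IAM allows Statement, Action and Resource to be a single value or a list.
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(policy):
    """Return indices of Allow statements that grant every action ("*" or
    "service:*") on every resource ("*"). Accepts a dict or a JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a == "*" or a.endswith(":*") for a in actions)
        if wild_action and "*" in resources:
            flagged.append(idx)
    return flagged


def is_least_privilege(policy):
    # True when no statement is an unrestricted grant; it does not prove the
    # remaining actions are all necessary, which still needs a manual review.
    return not find_wildcard_statements(policy)
```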