Open benjaminsoellner opened 2 years ago
It looks like these permissions may have been added to allow for users to connect to the bastion host via SSM. This should be something that is configurable though and these permissions probably need to be audited to make sure that they are least privilege.
We could potentially add a new property configureSsmAccess
which defaults to true and sets up
these permissions. To add more restrictive permissions we would probably need to introduce a feature
flag.
Seems I found a workaround patching the CloudFormation output to modify the policy document to conform to cfn_nag (see https://docs.aws.amazon.com/cdk/v2/guide/cfn_layer.html#cfn_layer_resource).
It's actually not the wildcard in the Resource
but in Action
(-> hence, title of issue changed). If instead of allowing blanket ssmmessages:*
and ec2messages:*
you instead would configure the specific actions required you should be ok (here is a doc which those should be: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
In python in order to patch the Cfn output as long as this isn't implemented I would do (in Python):
generated_policy = [child for child in bastion_host.role.node.children if type(child) is iam.Policy][0]
generated_policy_cfn = generated_policy.node.default_child
generated_policy_cfn.add_property_override("PolicyDocument.Statement.1.Action", [
# as originally present
"ssm:UpdateInstanceInformation",
# see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsessionmanagermessagegatewayservice.html
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
# see https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonmessagedeliveryservice.html
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply"
])
EDIT: of course technically even though this flies under the radar of cfn_nag this is equivalent to using a wildcard, so potentially the permissions should still be narrowed down so that they are least-privilege.
The official documentation mentions least privilege which solves exactly this. https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-create-iam-instance-profile.html#create-iam-instance-profile-ssn-only
If the image below is okay, I can fix it.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:UpdateInstanceInformation",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetEncryptionConfiguration"
],
"Resource": "*"
}
]
}
Describe the feature
The current deployment of a
aws_ec2.BastionHost(...)
deploys a CloudFormation template with an overly permissive default policy:The problem is when executing
cfn_nag
checks on the CloudFormation template:Use Case
Cloud Formation templates shouldn't allow an
"Resource": "*"
policy.Proposed Solution
The default policy should be changed to a less permissive policy, at least setting a custom role / policy like used for the
aws_ec2.Instance
construct should be allowed.Other Information
No response
Acknowledgements
CDK version used
2.24.0
Environment details (OS name and version, etc.)
Ubuntu 18.4 / NodeJS 16.15.0 / Python 3.8.13