awslabs / landing-zone-accelerator-on-aws

Deploy a multi-account cloud foundation to support highly-regulated workloads and complex compliance requirements.
https://aws.amazon.com/solutions/implementations/landing-zone-accelerator-on-aws/
Apache License 2.0
541 stars 431 forks

Service roles for CloudFormation #286

Closed bakharzy closed 4 months ago

bakharzy commented 1 year ago

Is your feature request related to a problem? Please describe.

I am looking into creating a service role for CloudFormation to create/update the "AWSAccelerator-InstallerStack.template". The service role is assumed by CloudFormation and has necessary permissions to run a stack.

Service role: https://docs.aws.amazon.com/prescriptive-guidance/latest/least-privilege-cloudformation/service-roles-for-cloudformation.html

Describe the feature you'd like

I want to follow the least privilege principle. Therefore, I would need the permissions that CloudFormation requires to run the template. Where can I find a list of those permissions to use on my service role?

richardkeit commented 12 months ago

Hi @bakharzy,

I hope this helps you. Obviously you can strip out the GitHub Actions references.

```yaml
  Role:
    Type: AWS::IAM::Role
    Properties:
      # Trust policy: the role is assumed via GitHub's OIDC provider, restricted
      # to workflows from the configured repository. Replace with a
      # cloudformation.amazonaws.com service principal for a pure service role.
      AssumeRolePolicyDocument:
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: !If
                - CreateOIDCProvider
                - !Ref GithubOidc
                - !Ref OIDCProviderArn
            Condition:
              StringLike:
                token.actions.githubusercontent.com:sub: !Sub repo:${GithubRepository}:*
      ManagedPolicyArns:
        # Used for Github PAT
        - arn:aws:iam::aws:policy/SecretsManagerReadWrite
      Policies:
        - PolicyName: LZA
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Installer/pipeline artifact buckets
              - Effect: Allow
                Action:
                  - s3:CreateBucket
                  - s3:DeleteBucket
                  - s3:SetBucketEncryption
                  - s3:DeleteBucketPolicy
                  - s3:Put*
                  - s3:Object*
                  - s3:Get*
                  - s3:List*
                  - s3:Set*
                Resource:
                  - arn:aws:s3:::aws*
              - Sid: PackageDeploy
                Effect: Allow
                Action:
                  - iam:TagRole
                  - iam:UntagRole
                Resource: "*"
              - Sid: Codepipeline
                Effect: Allow
                Action: codepipeline:*
                Resource: !Sub arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*
              # Log groups for the accelerator's Lambda functions
              - Effect: Allow
                Action:
                  - logs:*
                Resource:
                  - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/AWSAccelerator*
              - Effect: Allow
                Action:
                  - events:PutRule
                  - events:DescribeRule
                  - events:DeleteRule
                  - events:RemoveTargets
                  - events:PutTargets
                Resource: !Sub arn:aws:events:${AWS::Region}:${AWS::AccountId}:rule/AWSAccelerator*
              - Effect: Allow
                Action:
                  - codebuild:*
                Resource:
                  - !Sub arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/AWSAccelerator*
              # The resource ARN must use the codecommit service prefix; a
              # codebuild ARN here would never match any CodeCommit action.
              - Effect: Allow
                Action:
                  - codecommit:*
                Resource:
                  - !Sub arn:aws:codecommit:${AWS::Region}:${AWS::AccountId}:*
              - Sid: PackageDeploySsm
                Effect: Allow
                Action:
                  - ssm:*
                Resource:
                  - !Sub arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/accelerator*
              - Effect: Allow
                Action:
                  - lambda:GetFunction
                  - lambda:CreateFunction
                  - lambda:DeleteFunction
                  - lambda:GetFunctionConfiguration
                  - lambda:AddPermission
                  - lambda:RemovePermission
                  - lambda:InvokeFunction
                  - lambda:UpdateFunctionCode
                  - lambda:UpdateFunctionConfiguration
                  - lambda:ListTags
                  - lambda:TagResource
                  - lambda:UntagResource
                Resource:
                  - !Sub arn:aws:lambda:${AWS::Region}:${AWS::AccountId}:function:AWSAccelerator*
              - Effect: Allow
                Action:
                  - kms:*
                Resource:
                  - "*"
              # Stacks the role is allowed to manage, plus the CloudFormation
              # macros (transforms) the templates reference
              - Effect: Allow
                Action:
                  - cloudformation:*
                Resource:
                  - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/AWSAccelerator-*
                  - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/github-permissions*
                  - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/github-pat*
                  - !Sub arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/control-tower-kms*
                  - !Sub arn:aws:cloudformation:${AWS::Region}:aws:transform/*
              - Effect: Allow
                Action:
                  - iam:GetOpenIDConnectProvider
                  - iam:ListOpenIDConnectProviders
                  - iam:ListOpenIDConnectProviderTags
                  - iam:TagOpenIDConnectProvider
                  - iam:UntagOpenIDConnectProvider
                  - iam:AddClientIDToOpenIDConnectProvider
                  - iam:RemoveClientIDFromOpenIDConnectProvider
                  - iam:UpdateOpenIDConnectProviderThumbprint
                Resource: !Sub arn:aws:iam::${AWS::AccountId}:oidc-provider/token.actions.githubusercontent.com
              # Roles, policies and instance profiles created by the accelerator
              - Effect: Allow
                Action:
                  - iam:UpdateAssumeRolePolicy
                  - iam:AddRoleToInstanceProfile
                  - iam:AttachRolePolicy
                  - iam:CreateInstanceProfile
                  - iam:CreateRole
                  - iam:Get*
                  - iam:PassRole
                  - iam:CreatePolicy
                  - iam:DeleteInstanceProfile
                  - iam:DeleteRole
                  - iam:DetachRolePolicy
                  - iam:RemoveRoleFromInstanceProfile
                  - iam:UpdateRole
                  - iam:DeleteRolePolicy
                  - iam:PutRolePolicy
                  - iam:CreatePolicyVersion # ManagedPolicy
                  - iam:DeletePolicyVersion # ManagedPolicy
                  - iam:DeletePolicy # ManagedPolicy
                  - iam:ListPolicyVersions
                  - iam:TagRole
                  - iam:UntagRole
                Resource:
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/AWSAccelerator*
                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/AWSAccelerator*
                  - !Sub arn:aws:iam::${AWS::AccountId}:role/github-permissions*
                  - !Sub arn:aws:iam::${AWS::AccountId}:policy/github-permissions*
```
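A hand-written policy like the one above is easy to get subtly wrong: a service-wide wildcard on `Resource: "*"` silently grants far more than the installer needs, and an action whose resource ARN names a different service (for example a `codecommit:*` statement pointing at a `codebuild` ARN) grants nothing at all and fails at deploy time. The following linter is an added example, not code from this issue or from the Landing Zone Accelerator project. It works on a plain JSON-style policy document (so the `!Sub` placeholders are already resolved), and the sample statements below are constructed from the comment above using a placeholder region and account id.

```python
"""Static lint for an IAM policy document: flags service-wide wildcards on
all resources and action/resource service-prefix mismatches.

Added example; not part of the issue or the project. Uses only the
standard library, so it runs offline on any resolved policy JSON.
"""
from __future__ import annotations

WILDCARD = "*"


def _as_list(value) -> list:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def arn_service(arn: str) -> str | None:
    """Return the service field of an ARN (arn:partition:service:region:acct:res),
    or None for '*' and anything that is not a well-formed ARN."""
    if arn == WILDCARD:
        return None
    parts = arn.split(":", 5)
    if len(parts) < 6 or parts[0] != "arn":
        return None
    return parts[2]


def lint_statement(stmt: dict, index: int) -> list[str]:
    """Return human-readable findings for a single Allow statement."""
    findings: list[str] = []
    if stmt.get("Effect") != "Allow":
        return findings
    sid = stmt.get("Sid") or f"statement[{index}]"
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    for action in actions:
        if action == WILDCARD and WILDCARD in resources:
            findings.append(f"{sid}: full administrative access ('*' on '*')")
            continue
        service, _, verb = action.partition(":")
        # A whole service on every resource is the most common over-grant.
        if verb == WILDCARD and WILDCARD in resources:
            findings.append(f"{sid}: {action} granted on all resources")
        # An action can only ever match ARNs of its own service; anything else
        # is a dead statement (typically a copy-paste error).
        for resource in resources:
            resource_service = arn_service(resource)
            if resource_service is not None and resource_service != service:
                findings.append(
                    f"{sid}: action {action} can never match resource "
                    f"{resource} (service '{resource_service}')"
                )
    return findings


def lint_policy(policy: dict) -> list[str]:
    """Lint every statement in a policy document and collect findings."""
    findings: list[str] = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        findings.extend(lint_statement(stmt, index))
    return findings


# Constructed sample: a subset of the statements from the comment above with
# placeholder region/account values substituted for the !Sub expressions.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # codecommit action with a codebuild ARN: dead statement
            "Effect": "Allow",
            "Action": ["codecommit:*"],
            "Resource": ["arn:aws:codebuild:us-east-1:123456789012:*"],
        },
        {   # service-wide wildcard on every key in the account
            "Effect": "Allow",
            "Action": ["kms:*"],
            "Resource": ["*"],
        },
        {   # properly scoped: no finding expected
            "Effect": "Allow",
            "Action": ["lambda:GetFunction", "lambda:CreateFunction"],
            "Resource": ["arn:aws:lambda:us-east-1:123456789012:function:AWSAccelerator*"],
        },
        {   # specific actions on '*' are not flagged by this check
            "Sid": "PackageDeploy",
            "Effect": "Allow",
            "Action": ["iam:TagRole", "iam:UntagRole"],
            "Resource": "*",
        },
    ],
}

if __name__ == "__main__":
    for line in lint_policy(SAMPLE_POLICY):
        print(line)
```

Run against the sample, the linter reports exactly two findings: the `codecommit:*` statement whose resource is a `codebuild` ARN, and `kms:*` on `*`. It deliberately does not flag specific actions on `Resource: "*"`, since some IAM actions genuinely do not support resource-level permissions; treating those as findings would only produce noise. For the actual list of actions a given template needs, the AWS least-privilege guidance linked in the question (deriving permissions from CloudTrail records of a successful deployment) remains the authoritative method; this check is a guard on the result, not a replacement for it.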