bcbio / bcbio-nextgen-vm

Run bcbio-nextgen genomic sequencing analyses using isolated containers and virtual machines
MIT License

IAM user bcbio is created with full_admin_access #156

Closed gabeng closed 8 years ago

gabeng commented 8 years ago

Regarding the principle of least privilege it would be better to define an IAM access policy that comprises just the access rights bcbio needs. Larger organizations will never allow such a user to be created. What are the specific actions that bcbio needs to perform? I would be happy to help draft a policy that fits the purpose (and try it myself).

Kind regards,
Ben

chapmanb commented 8 years ago

Ben; We're definitely agreed that the current blanket permissions approach is terrible. Unfortunately we don't have a full set of all actions bcbio and elasticluster do to readily fix this. Is there any way to trace this for a run or does it require a manual audit?

We haven't drilled into this more as the active area of development in bcbio is in moving away from this infrastructure by using either a simpler setup that lets people manage this themselves:

https://github.com/chapmanb/bcbio-nextgen/tree/master/scripts/ansible

and using Common Workflow Language so bcbio can leverage more actively developed infrastructure that will have finer grained control over permissions:

http://bcbio-nextgen.readthedocs.io/en/latest/contents/cwl.html

Sorry to not have a ready to go answer but hope this helps.
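One way to answer the "is there any way to trace this for a run" question without a manual audit is to let AWS CloudTrail record every API call the `bcbio` IAM user makes during a test run, then reduce those records to the set of `service:Action` pairs and emit them as a draft least-privilege policy. The script below is an added example for this thread, not code from bcbio-nextgen-vm or elasticluster; it assumes CloudTrail is enabled for the account and that the log records use the standard CloudTrail fields (`eventSource`, `eventName`, `userIdentity.userName`). The sample records embedded in it are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample CloudTrail records (not real log data). Only the fields
# this script reads are included; real records carry many more.
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bcbio"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bcbio"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"type": "IAMUser", "userName": "bcbio"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject",
     "userIdentity": {"type": "IAMUser", "userName": "bcbio"}},
    # A call by a different user; it must not end up in bcbio's policy.
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": {"type": "IAMUser", "userName": "admin"}},
]


def parse_cloudtrail_json(text):
    """Parse the body of a CloudTrail log file ({"Records": [...]}) into a list."""
    return json.loads(text).get("Records", [])


def iam_actions_from_events(events, user_name):
    """Return the sorted, de-duplicated IAM actions observed for user_name.

    CloudTrail's eventSource is "<service>.amazonaws.com" and eventName is the
    API call; "<service>:<eventName>" is the IAM action name in most cases
    (a few services use different names, so review the output by hand).
    """
    actions = set()
    for ev in events:
        identity = ev.get("userIdentity", {})
        if identity.get("userName") != user_name:
            continue
        service = ev["eventSource"].split(".", 1)[0]
        actions.add(f"{service}:{ev['eventName']}")
    return sorted(actions)


def build_policy(actions):
    """Group actions by service into one Allow statement per service.

    "Resource": "*" is a placeholder to be narrowed to the account's own
    buckets, instances and roles before the policy is attached.
    """
    by_service = defaultdict(list)
    for action in actions:
        service, _ = action.split(":", 1)
        by_service[service].append(action)
    statements = [
        {"Sid": f"Observed{service.capitalize()}",
         "Effect": "Allow",
         "Action": acts,
         "Resource": "*"}
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    # For a real run: records = parse_cloudtrail_json(open(path).read())
    observed = iam_actions_from_events(SAMPLE_EVENTS, "bcbio")
    print(json.dumps(build_policy(observed), indent=2))
```

Two caveats when using this against real logs: S3 object-level calls such as `PutObject` only appear in CloudTrail when data events are enabled for the bucket, so a run traced with management events alone will under-report S3 permissions; and the resulting policy is only as complete as the run that produced it, so it should be attached to a test user first and the run repeated, with any `AccessDenied` events added back before the policy replaces the full-admin grant.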

gabeng commented 8 years ago

Hi Brad,

Thanks for the quick response.