devopsacademyau / 2020-feb-project1-group2

Creative Commons Attribution Share Alike 4.0 International

ECS Cluster #8 in "Done" #85

Open deniseddi opened 4 years ago

deniseddi commented 4 years ago

Are we good with those?

Requirements:

faria-marcio commented 4 years ago

This one, yes

For this:

I guess the SGs could be more restrictive.

drii-cavalcanti commented 4 years ago

> This one, yes
>
>   • [ one instance is fine for demonstration, ideally two instances on different AZ's ]
>
> For this:
>
>   • [ any security group or IAM permissions should be very restrictive with only required permissions ]

I'm afraid not, as we have these three IAM permissions for TD and EC2 instances. I don't think we need all three for both. "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess", "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role", "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"

> I guess the SGs could be more restrictive.

I agree with Marcio! I will have a look at those SGs.

drii-cavalcanti commented 4 years ago

```hcl
iam_policy_arn_task = [
  "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
  "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
  # "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
  "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
]

iam_policy_arn_ec2 = [
  "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
  # "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
  "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
]
```

It worked for me just removing those policies... I understand the best way would be to go deeper and to set each resource to its adequate policy and action. However, let's keep fixing those other issues, since this one takes too long to verify what the action and the policy are.
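The "go deeper" approach mentioned above, as an added Terraform example that is not part of this repository: one IAM role per principal (the EC2 container instances and the task definition) with only the policy each one needs from the list in the thread, a scoped inline policy in place of the broad `AmazonECSTaskExecutionRolePolicy` plus `CloudWatchLogsFullAccess` pair, and a security group that opens only the container port to an allowed CIDR. Every variable, resource name, repository name and log group name here is an assumption; `AmazonSSMReadOnlyAccess` is left off both roles because nothing in the thread uses it.

```hcl
# Added example (not the project's code): one role per principal, scoped actions.
# Variable, resource, repository and log group names are assumptions.
variable "vpc_id"         { type = string }
variable "allowed_cidr"   { type = string } # e.g. the load balancer subnet, not 0.0.0.0/0
variable "container_port" { type = number }
variable "ecr_repository" { type = string } # assumed ECR repository name
variable "log_group_name" { type = string } # assumed CloudWatch log group name

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

# Instance role: assumed by the EC2 container instances only.
data "aws_iam_policy_document" "ec2_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_instance" {
  name               = "ecs-instance-role"
  assume_role_policy = data.aws_iam_policy_document.ec2_trust.json
}

# The ECS agent on the instance needs this one policy and nothing else from the thread's list.
resource "aws_iam_role_policy_attachment" "ecs_instance" {
  role       = aws_iam_role.ecs_instance.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

# Task execution role: assumed by ECS on behalf of the task definition, never by EC2.
data "aws_iam_policy_document" "task_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "task_execution" {
  name               = "ecs-task-execution-role"
  assume_role_policy = data.aws_iam_policy_document.task_trust.json
}

# Scoped replacement for AmazonECSTaskExecutionRolePolicy + CloudWatchLogsFullAccess:
# pull from one image repository and write to one log group only.
data "aws_iam_policy_document" "task_execution" {
  statement {
    # GetAuthorizationToken does not support resource-level restriction.
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }
  statement {
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = ["arn:aws:ecr:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:repository/${var.ecr_repository}"]
  }
  statement {
    actions   = ["logs:CreateLogStream", "logs:PutLogEvents"]
    resources = ["arn:aws:logs:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:log-group:${var.log_group_name}:*"]
  }
}

resource "aws_iam_role_policy" "task_execution" {
  name   = "task-execution-scoped"
  role   = aws_iam_role.task_execution.id
  policy = data.aws_iam_policy_document.task_execution.json
}

# Security group for the container instances: the container port from the allowed
# CIDR only, instead of wide-open ingress.
resource "aws_security_group" "ecs_instances" {
  name   = "ecs-instances"
  vpc_id = var.vpc_id

  ingress {
    from_port   = var.container_port
    to_port     = var.container_port
    protocol    = "tcp"
    cidr_blocks = [var.allowed_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Wire `aws_iam_role.ecs_instance` into the instance profile of the EC2 launch configuration and `aws_iam_role.task_execution.arn` into the task definition's `execution_role_arn`. A quick check that the split is right: `terraform plan` should show no policy attachments shared between the two roles, and a task that still needs a permission the scoped document lacks fails with an explicit `AccessDenied` naming the action, which is what makes per-action tightening verifiable rather than guesswork.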