Open deniseddi opened 4 years ago
This one, yes
- [ one instance is fine for demonstration, ideally two instances on different AZs ]
For this:
- [ any security group or IAM permissions should be very restrictive with only required permissions ]
I'm afraid not, as we have these three IAM permissions for TD and EC2 instances. I don't think we need all three for both: arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess, arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role, arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy
I guess the SGs could be more restrictive.
I agree with Marcio! I will have a look at those SGs.
```hcl
# Policies that were removed are commented out on their own lines (a "#" comment
# runs to end of line in HCL, so it cannot sit in the middle of a list).
iam_policy_arn_task = [
  "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
  "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
  # "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
  "arn:aws:iam::aws:policy/CloudWatchLogsFullAccess",
]

iam_policy_arn_ec2 = [
  "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role",
  # "arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess",
  # "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy",
]
```
It worked for me just removing those policies... I understand the best way would be to go deeper and to set each resource to its adequate policy and action. However, let's keep fixing those other issues once this one takes too long to verify what the action and the policy are.
Are we good with those?
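The "go deeper" approach mentioned above, as an added Terraform example that is not this project's code: one IAM role per principal, each carrying only the managed policy AWS documents for that principal (the execution policy already grants logs:CreateLogStream/PutLogEvents for the awslogs driver, so CloudWatchLogsFullAccess is not needed for that). Role and instance profile names are assumptions.

```hcl
# Trust policy for the task execution role (assumed by the ECS agent on behalf of tasks).
data "aws_iam_policy_document" "ecs_tasks_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

# Trust policy for the container instance role (assumed by the EC2 host itself).
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

# Task execution role: pulls the image and ships container logs; nothing else attached.
resource "aws_iam_role" "task_execution" {
  name               = "demo-ecs-task-execution" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_assume.json
}

resource "aws_iam_role_policy_attachment" "task_execution" {
  role       = aws_iam_role.task_execution.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
}

# Container instance role: lets the EC2 host register with the cluster and run the agent.
resource "aws_iam_role" "container_instance" {
  name               = "demo-ecs-container-instance" # assumed name
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role_policy_attachment" "container_instance" {
  role       = aws_iam_role.container_instance.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceforEC2Role"
}

# EC2 carries its role through an instance profile; the task definition takes the
# execution role ARN directly (execution_role_arn on aws_ecs_task_definition).
resource "aws_iam_instance_profile" "container_instance" {
  name = "demo-ecs-container-instance" # assumed name
  role = aws_iam_role.container_instance.name
}
```

If the application itself needs SSM or extra CloudWatch access, give that to a separate task role with a resource-scoped inline policy rather than widening either of these two.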
Requirements: