elastic / security-docs

Elastic Security Documentation

[CSPM Doc Update Request] - CSPM AWS - Manual deployment - Assume role- Role ARN use cases to be updated #4579

Open smriti0321 opened 9 months ago

smriti0321 commented 9 months ago

Current behaviour in the CSPM AWS - Manual Deployment workflow is a recommendation to leave Role ARN empty, whereas the field is visible to the user. After discussing with the team internally, I am quoting a few examples of cases where it will be relevant to fill in the Role ARN:

  1. In case the user doesn't want to attach the role to the EC2 instance because other things are running on the machine, and they provide credentials in Kibana and want CloudBeat to use a specific role.
  2. If they run it as a deployment on EKS.
  3. And more.

In the documentation we can highlight these cases as examples of when a user would want to populate the Role ARN and not leave it empty.

Screenshot of the existing workflow: [screenshot taken 2023-12-25 16:46:54, image not included]

smriti0321 commented 3 months ago

@kfirpeled Can someone from the team provide other examples of when a user would want to populate the Role ARN and not leave it empty? Thanks.

kfirpeled commented 2 months ago

When it comes to the credentials part, @oren-zohar 's team is the best fit to answer this one.

romulets commented 2 months ago

I have no actual knowledge about use cases.

But reading the code:

    // Assume IAM role if iam_role config parameter is given
    if beatsConfig.RoleArn != "" {
        addAssumeRoleProviderToAwsConfig(beatsConfig, &awsConfig)
    }

In case a roleArn is provided, we are going to assume it instead of using the role configured on the EC2 instance.

Therefore I assume it's a safety net for cases where the EC2 instance role can't be changed. Why could it not be changed? As mentioned, maybe the machine is used for multiple things. Or maybe it's a company policy not to attach roles to instances.