Closed bergkampsliew closed 4 years ago
@bergkampsliew Thanks for bringing this to my attention.
I'm going to need to dig into this a bit more... as of the last time I looked into this (when 8.0.0 was released on November 3, 2019) Trusted Advisor is only still needed for 2 things:
If Service Quotas now has support for SES limits, it's probably worth limiting Trusted Advisor to only run in regions/partitions that require it, and removing the support/TA permissions altogether.
That being said, the recommended IAM policy for awslimitchecker is just that, recommended. You can certainly make those changes to lock down the support API in your own deployment, but I likely won't cut a new release just for this update.
Thanks for letting me know about the TA usage, @jantman, and yes, understood that the recommended IAM policy is simply a recommendation. Anyway, it's not that critical an issue; take your time :-)
This has been fixed in 9.0.0, which is now live on PyPI and on the Docker Hub. Thank you so much!
Based on the required IAM permissions to run awslimitchecker as documented at https://awslimitchecker.readthedocs.io/en/latest/iam_policy.html, the list has support:* and that will allow case creation and other write actions: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssupport.html
The older ticket https://github.com/jantman/awslimitchecker/issues/39 mentioned the requirement of having support:*, but I don't read that anymore in the latest documentation. [1] https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssupport.html [2] https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awstrustedadvisor.html
Suggestion is to only include the actions required for the Trusted Advisor purpose, as below:
- support:DescribeTrustedAdvisorCheckRefreshStatuses
- support:DescribeTrustedAdvisorCheckResult
- support:DescribeTrustedAdvisorCheckSummaries
- support:DescribeTrustedAdvisorChecks
- support:RefreshTrustedAdvisorCheck
On the same note (based on [1]), I noticed this line: "The "trustedadvisor:" actions apply only to Trusted Advisor in the AWS Console." I believe awslimitchecker does not need "console access"? Hence, the actions below can be removed from the IAM actions list? "trustedadvisor:Describe", "trustedadvisor:RefreshCheck"
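The point of the report above is that `support:*` grants far more than the five Trusted Advisor read/refresh calls the tool uses. The following script is an added example (not awslimitchecker's own code and not from the reporter) that lints an IAM policy document for exactly that: it expands IAM wildcards the way IAM does (case-insensitive, `*` and `?`) against a small, constructed and deliberately partial list of Support API actions, then reports which granted actions fall outside the required set and whether any required action is missing. The two sample policies are constructed for illustration; the "broad" one mirrors the `support:*` grant the issue complains about, the "narrow" one the suggested allow list.

```python
"""Lint an IAM policy for Support API permissions beyond what
awslimitchecker needs for Trusted Advisor (added example, not project code)."""
import fnmatch
import json

# The five Support API actions the issue identifies as required.
REQUIRED_SUPPORT_ACTIONS = {
    "support:DescribeTrustedAdvisorCheckRefreshStatuses",
    "support:DescribeTrustedAdvisorCheckResult",
    "support:DescribeTrustedAdvisorCheckSummaries",
    "support:DescribeTrustedAdvisorChecks",
    "support:RefreshTrustedAdvisorCheck",
}

# Constructed, deliberately partial set of other real Support API actions,
# used only so a wildcard such as "support:*" has something to expand to.
OTHER_SUPPORT_ACTIONS = {
    "support:AddAttachmentsToSet",
    "support:AddCommunicationToCase",
    "support:CreateCase",
    "support:DescribeCases",
    "support:DescribeCommunications",
    "support:ResolveCase",
}

KNOWN_SUPPORT_ACTIONS = REQUIRED_SUPPORT_ACTIONS | OTHER_SUPPORT_ACTIONS


def _as_list(value):
    """IAM allows Statement/Action to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def allowed_support_actions(policy):
    """Return the known support:* actions granted by Allow statements,
    expanding IAM wildcards case-insensitively (as IAM matches actions)."""
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in KNOWN_SUPPORT_ACTIONS:
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    granted.add(action)
    return granted


def excess_support_actions(policy):
    """Granted Support actions the tool does not need (e.g. CreateCase)."""
    return sorted(allowed_support_actions(policy) - REQUIRED_SUPPORT_ACTIONS)


def missing_support_actions(policy):
    """Required Support actions the policy fails to grant."""
    return sorted(REQUIRED_SUPPORT_ACTIONS - allowed_support_actions(policy))


# Constructed sample: the wildcard grant the issue objects to.
BROAD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "support:*", "Resource": "*"}]
}""")

# Constructed sample: the narrowed allow list suggested in the issue.
NARROW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": sorted(REQUIRED_SUPPORT_ACTIONS),
            "Resource": "*",
        }
    ],
}

if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("narrow", NARROW_POLICY)):
        print(f"{name}: excess={excess_support_actions(policy)} "
              f"missing={missing_support_actions(policy)}")
```

The known-action list is intentionally small; in practice you would feed it the full action table from the AWS Support service authorization reference so that every write action a wildcard would expand to is surfaced. The `missing_support_actions` check is the companion test: tightening the policy should not drop any of the five calls the tool actually makes.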