jx3-gitops-repositories / jx3-terraform-eks

Jenkins X 3.x Infrastructure Git Template for Terraform and EKS for managing cloud resources
Apache License 2.0

Too many permissions with "iam::aws:policy/AmazonS3FullAccess" #11

Open rupertgti opened 3 years ago

rupertgti commented 3 years ago

Hi!

I detected that terraform uses the policy iam::aws:policy/AmazonS3FullAccess, which is very "strong", to do several task actions in S3. Normally these kinds of policies are blocked by security because you don't need such powerful permissions.

I detected that it only needs permissions on these S3 buckets (in my case):

            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::logs-*/*",
                "arn:aws:s3:::reports-*/*",
                "arn:aws:s3:::repository-*/*",
                "arn:aws:s3:::vault-*/*"
            ]

The role iam::aws:policy/AmazonS3FullAccess appears in these files:

.terraform/modules/eks-jx/modules/cluster/irsa.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_bucketrepo/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cert_manager/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cluster_autoscaler/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cm_cainjector/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_controllerbuild/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_external_dns/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_pipeline_visualizer/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_secrets-parameter-store/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_secrets-secrets-manager/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_tekton_bot/examples/iam-group-complete/main.tf

In my case, I change these files on every terraform init to use another, less permissive policy name.

I think it would be a good security upgrade to create a less permissive policy for this point during the process, or to have the possibility to specify the name of the policy in main.tf if you have already created one for it, or in variables.tf as the current default option.

Thank you
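The scoping the reporter describes, as an added example (not code from this repository or the eks-jx module): a small Python audit that flags a policy document granting a wildcard S3 action on a wildcard resource, and builds the scoped replacement from the bucket prefixes listed in the issue. The action list is an assumption about what the cluster needs; AmazonS3FullAccess's document is AWS's managed policy reproduced inline so the check runs offline.

```python
"""Flag wide-open S3 grants in an IAM policy document and build the scoped
replacement. Added example, not code from jx3-terraform-eks or the eks-jx
module; bucket prefixes come from the issue, the action list is an assumption."""
import fnmatch

# Bucket name prefixes the reporter found the cluster actually needs.
JX_BUCKET_PREFIXES = ["logs-", "reports-", "repository-", "vault-"]

# AWS managed policy AmazonS3FullAccess: every S3 action on every resource.
AMAZON_S3_FULL_ACCESS = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:*", "s3-object-lambda:*"],
                   "Resource": "*"}],
}

def _as_list(value):  # IAM allows a bare string where a list is expected
    return value if isinstance(value, list) else [value]

def wide_open_s3_statements(policy):
    """Allow statements granting a wildcard S3 action on a wildcard resource."""
    flagged = []
    for stmt in policy["Statement"]:
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        wild_action = any(a in ("*", "s3:*") for a in actions)
        wild_resource = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if stmt.get("Effect") == "Allow" and wild_action and wild_resource:
            flagged.append(stmt)
    return flagged

def scoped_s3_policy(prefixes):
    """Least-privilege replacement limited to the listed bucket prefixes.
    Bucket-level actions (ListBucket) match the bucket ARN, object actions the
    bucket/* ARN; the issue's fragment shows only the latter, so both are emitted."""
    bucket_arns = [f"arn:aws:s3:::{p}*" for p in prefixes]
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
         "Resource": bucket_arns},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject",
                                       "s3:DeleteObject"], "Resource": object_arns},
    ]}

def policy_covers_object(policy, bucket, key):
    """True if an Allow statement's resource pattern matches this object's ARN."""
    arn = f"arn:aws:s3:::{bucket}/{key}"
    return any(stmt.get("Effect") == "Allow"
               and any(fnmatch.fnmatchcase(arn, r) for r in _as_list(stmt["Resource"]))
               for stmt in policy["Statement"])
```

Run `wide_open_s3_statements` over any policy document a role ends up with; a non-empty result means the role can reach every bucket in the account, not just the ones the cluster uses.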

ankitm123 commented 3 years ago

I will change that. Thanks for the detailed issue.

ankitm123 commented 3 years ago

So, all of those roles which have wide access also have an option where you can use your own role (https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/variables.tf#L478) and customize it as much as you want (it's what I also do at work). So the tekton role will be used in the pipeline, and it's not possible for us to know ahead of time what kind of things the end users will be doing with the jx pipelines (they may have tasks where they want to create a bucket, run some tests with it, and then delete it); I think that was the motivation behind some of these being wide open. For security/production purposes, I would highly recommend managing the iam roles outside of this module by setting create_tekton_role to false (in the case of tekton; similar for other roles). Does this help? Also, this applies only to tekton; I have to look into the other roles.

EDIT: Having said that, this does not make sense to me: https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/irsa.tf#L232, and I will open a PR to fix it.

robervexcel commented 3 years ago

@ankitm123 I appreciate your opinion. By this, I would suggest permitting the user to choose the name of the policy for this S3 access if you create or use another one (like vpc_id in the variables.tf file, or cluster_name, or other choosable options), and by default, if you don't write this, the process uses iam::aws:policy/AmazonS3FullAccess.

What do you think?