mattclay / aws-terminator

An AWS Lambda function for cleaning up AWS resources.
Apache License 2.0

Review Permission Policies for Unsupported Condition Keys #308

Open mattclay opened 1 month ago

mattclay commented 1 month ago

The following notice was received from AWS regarding the account used to run integration tests:

We are contacting you because of a change we are making to Amazon Elastic Block Store (Amazon EBS) and the CreateVolume and CopySnapshot APIs. To allow for more finely grained access controls, beginning October 14, 2024, we are launching support for AWS global condition keys and these seven EC2-specific keys for the source snapshot in your CopySnapshot and CreateVolume requests: ec2:ProductCode, ec2:Encrypted, ec2:VolumeSize, ec2:ParentSnapshot, ec2:Owner, ec2:ParentVolume and ec2:SnapshotTime. We identified that your account has made calls to CreateVolume or CopySnapshot with a permission policy currently using these condition keys, which we do not enforce in the above APIs following IAM policies. Therefore, at this time, calls to these APIs may be allowed, but after October 14, 2024, they may be denied based on the condition key rule set you have defined in your policies.

We recommend you take the following action by October 14, 2024 as calls to these APIs may fail because the condition keys will now be enforced:

Review your AWS CloudTrail logs for calls made to this API using the unsupported condition keys to ensure those calls succeeded as intended.

Check that your condition keys are configured appropriately. For example, you may allow principals to copy snapshots only if the source snapshot's owner matches the assigned EC2 account owner in ec2:Owner (for example, ec2:Owner = account-id-2). Please review that your allocated account holder is correct or should be updated.

For a list of the supported condition keys, please refer to the "Actions, resources, and condition keys for Amazon EC2" documentation [1].

If you have any questions or concerns, please contact Amazon Web Services Support [2].

[1] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html
[2] https://aws.amazon.com/contact-us/
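As an added example (not part of this issue or the aws-terminator project), a small offline audit that applies the notice to an IAM policy document: it flags statements that cover CreateVolume or CopySnapshot (including wildcard and NotAction forms) and condition on any of the seven newly enforced keys. The sample policy and the account ID in it are constructed for illustration.

```python
import fnmatch

# The seven keys named in the AWS notice; IAM matches condition keys case-insensitively.
NEWLY_ENFORCED_KEYS = {"ec2:productcode", "ec2:encrypted", "ec2:volumesize",
                       "ec2:parentsnapshot", "ec2:owner", "ec2:parentvolume", "ec2:snapshottime"}
AFFECTED_ACTIONS = ("ec2:createvolume", "ec2:copysnapshot")

def _as_list(value):
    """Action, NotAction and Statement may be a single element or a list."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def _covers_affected_action(stmt):
    """True if the statement's Action/NotAction covers CreateVolume or CopySnapshot.
    Action patterns are case-insensitive and may use wildcards (ec2:*, ec2:Create*)."""
    if "NotAction" in stmt:  # NotAction covers an action only when no pattern matches it
        patterns = [p.lower() for p in _as_list(stmt["NotAction"])]
        return any(not any(fnmatch.fnmatchcase(a, p) for p in patterns) for a in AFFECTED_ACTIONS)
    patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
    return any(fnmatch.fnmatchcase(a, p) for p in patterns for a in AFFECTED_ACTIONS)

def find_newly_enforced_conditions(policy):
    """Return (sid, effect, condition_key) for each statement that both covers an
    affected action and conditions on a key that was ignored before 2024-10-14."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if not _covers_affected_action(stmt):
            continue
        for operator_values in stmt.get("Condition", {}).values():
            for key in operator_values:
                if key.lower() in NEWLY_ENFORCED_KEYS:
                    findings.append((stmt.get("Sid", f"Statement[{idx}]"), stmt.get("Effect"), key))
    return findings

# Constructed sample policy (not from the repository). The first statement's ec2:Owner
# condition was silently ignored before enforcement; afterwards, copying a snapshot
# owned by any other account will be denied. The second statement is unaffected.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "CopyOwnSnapshotsOnly", "Effect": "Allow", "Action": "ec2:CopySnapshot",
     "Resource": "*", "Condition": {"StringEquals": {"ec2:Owner": "111122223333"}}},
    {"Sid": "DescribeOnly", "Effect": "Allow", "Action": ["ec2:Describe*"],
     "Resource": "*", "Condition": {"StringEquals": {"ec2:Owner": "111122223333"}}},
]}

if __name__ == "__main__":
    for sid, effect, key in find_newly_enforced_conditions(SAMPLE_POLICY):
        print(f"{sid}: {effect} statement uses {key}; confirm in CloudTrail that calls still succeed")
```

Run it against each customer-managed policy attached to the test account's principals; any flagged statement is one to cross-check against CloudTrail, as the notice recommends.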

mattclay commented 1 month ago

@gravesm Can you investigate this to see if there will be any impact to the tests?

gravesm commented 1 month ago

I can't find that we're using any of these conditions, so it doesn't look to me like this change will affect anything. I asked @GomathiselviS and @alinabuzachis to also take a look at this, though.

GomathiselviS commented 1 month ago

I can't find any of our tests utilizing these condition keys.