Closed dylanratcliffe closed 1 year ago
It is possible: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html I'm currently talking to a few people to see what actually makes sense though
Note that not all resources support Attribute Based Access Control (ABAC) which is what we are using to restrict access to tags. If the resource doesn't support it, access will be denied even if the resource is tagged correctly. You can view a list of which resources support ABAC here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html
It also seems that the ABAC permissions are applied to the request and not the response. So if you want to filter by VPC, you'll need to make a request that is limited to that VPC, rather than relying on AWS to limit the response to that VPC.
I do need to do some more testing to make sure this is the case though
It turns out that DescribeInstances, along with most of the other Describe* functions, doesn't support any conditional access other than ec2:Region, which isn't of much use to me. To be fair, DescribeInstanceAttribute does actually support a bunch of stuff, but you'd need to be able to run DescribeInstances first to get the list, which isn't granular, so it's pretty useless.
As far as I can tell IAM simply isn't granular enough to make this possible. I'm going to leave this open as I'd like to be able to find a solution, but I'm really not sure what it'll be at the moment
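The limitation discussed in the comments above, shown as an added example IAM policy (this is illustrative and not part of the issue or of Overmind's code). The first statement scopes the read-only Describe* calls, which only honour the ec2:Region condition key and require "Resource": "*", so they cannot be restricted by tag or VPC on the AWS side; a caller wanting only one VPC has to pass a VPC filter in the request itself. The second statement shows, for contrast, a mutating action that does support tag-based (ABAC) scoping. The region, tag key and tag value are placeholders, not values from the page.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyDescribeScopedByRegionOnly",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVpcs"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:Region": "eu-west-2"
        }
      }
    },
    {
      "Sid": "TagScopedMutationExample",
      "Effect": "Allow",
      "Action": "ec2:StartInstances",
      "Resource": "arn:aws:ec2:eu-west-2:123456789012:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/environment": "sandbox"
        }
      }
    }
  ]
}
```

Because the first statement's Describe* calls return every instance in the region regardless of tags, a tool that must stay within one VPC has to narrow its own DescribeInstances request (for example with a `vpc-id` filter) rather than expecting IAM to trim the response.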
Some customers will have very large AWS accounts, like for example a "development" account that is used by hundreds of developers. We want to give people the ability to try out Overmind in a safe way without risking bringing on the wrath of the security team.
Look into how IAM can be further restricted with not just the operations it can do, but the context within which it can do them