salesforce / aws-allowlister

Automatically compile an AWS Service Control Policy that ONLY allows AWS services that are compliant with your preferred compliance frameworks.
MIT License
223 stars 34 forks

ssmmessages and ec2messages not included - seeking input on status with different frameworks #48

Closed kmcquade closed 3 years ago

kmcquade commented 3 years ago

I'd like some feedback from others, please. See the diffchecker between All Services vs. aws-allowlister generate: https://www.diffchecker.com/nXTPUgkL

Notice that ssmmessages and ec2messages are not in the policy. This could cause issues for those who rely on SSM heavily.

Relevant links: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html

If so, we need to specify those services in the overrides file. https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml

yi2020 commented 3 years ago

I haven't read through all the code here (yet) but I would expect to see a "dependency" mapping. Essentially, saying that ec2 requires ec2messages, for example. The overrides file is more of a translation from one term to another (for example sdk to iam), and could be (ab)used to achieve that, but you may want to be more specific about it.

Generally, people are not great at understanding the complexity of these relationships, and you'd want to build them straight into the tool. (my $0.02)

kmcquade commented 3 years ago

@yi2020 - I think the overrides file somewhat achieves that.

https://github.com/salesforce/aws-allowlister/blob/main/aws_allowlister/data/overrides.yml#L6-L27

For instance:

service_names_to_iam_names:
  Amazon Elastic Compute Cloud:
  - ec2
  - ec2messages
sdk_names_to_iam_names:
  ssm:
  - ssm
  - ssmmessages

Something like that. I'm thinking we should do something like the example YAML that I included above.

"could be (ab)used to achieve that"

We don't provide the ability to use your own overrides file for that very reason - the idea is that you could make a PR or maintain your own fork if you felt strongly about it.

Edit: If someone still wanted a service added on anyway, they could include it with the --include flag. This is especially useful if you were able to get AWS to let you use zelkova directly.
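The mapping discussed above, worked through end to end as an added example (not code from the aws-allowlister project or from anyone in this thread): the overrides dictionary mirrors the YAML sketch, the "AWS Systems Manager" service name and the unknown-SDK-name fallback are assumptions, and the Deny/NotAction shape is the standard AWS allowlist SCP pattern rather than the tool's verified output. It shows how listing ec2messages and ssmmessages under their parent services carries them into the generated SCP, and checks for the gap this issue reports.

```python
import json

# Constructed overrides, mirroring the YAML sketch in this thread.
# "AWS Systems Manager" as a service-table name is an assumption.
OVERRIDES = {
    "service_names_to_iam_names": {
        "Amazon Elastic Compute Cloud": ["ec2", "ec2messages"],
        "AWS Systems Manager": ["ssm", "ssmmessages"],
    },
    "sdk_names_to_iam_names": {
        "ssm": ["ssm", "ssmmessages"],
    },
}


def expand_allowed_prefixes(compliant_services, sdk_names, overrides):
    """Map compliance-table service names and SDK names to IAM prefixes.
    Every prefix listed for a service is added, which is how a dependent
    prefix such as ssmmessages rides along with ssm."""
    allowed = set()
    for name in compliant_services:
        allowed.update(overrides["service_names_to_iam_names"].get(name, []))
    for sdk in sdk_names:
        # Assumption: an SDK name with no override is its own IAM prefix.
        allowed.update(overrides["sdk_names_to_iam_names"].get(sdk, [sdk]))
    return sorted(allowed)


def build_allowlist_scp(allowed_prefixes):
    """Allowlist SCP: deny every action except those of the listed prefixes."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowlistedServices",
            "Effect": "Deny",
            "NotAction": [f"{p}:*" for p in allowed_prefixes],
            "Resource": "*",
        }],
    }


def missing_dependencies(scp, required=("ssmmessages", "ec2messages")):
    """Dependent prefixes absent from the SCP: the gap this issue is about."""
    present = {a.split(":")[0] for a in scp["Statement"][0]["NotAction"]}
    return [p for p in required if p not in present]


if __name__ == "__main__":
    names = ["Amazon Elastic Compute Cloud", "AWS Systems Manager"]
    scp = build_allowlist_scp(expand_allowed_prefixes(names, ["ssm"], OVERRIDES))
    print(json.dumps(scp, indent=2))
    print("missing:", missing_dependencies(scp))
```

Running it prints an SCP whose NotAction list includes ec2messages:* and ssmmessages:*, and an empty "missing" list; an SCP built from ["ec2", "ssm"] alone reports both dependencies missing.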

kmcquade commented 3 years ago

@jdyke FYI

yi2020 commented 3 years ago

In sdk_names_to_iam_names, don't you also need to add ec2messages under ec2?

AMHesch commented 3 years ago

I think the overrides file handles this fairly well for the collection of features of the various services and their mappings... there are additional overrides that are going to appear over time as new features are added. ec2messages and ssmmessages are good examples.

Another decent example is moving rds-data from Global to Aurora (since this is for the Aurora Serverless Data API). Let people file a PR (or fork it as you said) to fix these things as they come up.

kmcquade commented 3 years ago

@AMHesch - for rds-data: thanks for pointing that out. I will open up a separate issue to change that one.

kmcquade commented 3 years ago

@yi2020 yep, I will.

Do you think I should add ssmmessages as well?

yi2020 commented 3 years ago

Technically ssmmessages would be if using ssm right? Are you suggesting adding it for ec2?

jdyke commented 3 years ago

I agree with what's been stated here. I see the override file working nicely for that purpose.