stelligent / cfn-leaprog

cfn-LEAst-Privilege-ROle-Generator: Experimental tool for generating least privileged IAM roles for CloudFormation and Service Catalog Launch Constraints.
MIT License

Permissions for infra bucket #1

Open gdelisle opened 3 years ago

gdelisle commented 3 years ago

I am seeing a couple of statements like this in the infrastructure template:

```yaml
Sid: "AWSCloudTrailAclCheck"
Effect: "Allow"
Principal:
  AWS:
    - "arn:aws:iam::903692715234:root"
    - "arn:aws:iam::859597730677:root"
    - "arn:aws:iam::814480443879:root"
    - "arn:aws:iam::216624486486:root"
    - "arn:aws:iam::086441151436:root"
    - "arn:aws:iam::388731089494:root"
    - "arn:aws:iam::284668455005:root"
    - "arn:aws:iam::113285607260:root"
    - "arn:aws:iam::035351147821:root"
Action: "s3:GetBucketAcl"
Resource: !Sub "arn:aws:s3:::${CfnLeastPrivilegeRoleGeneratorBucket}"
```

That looks to me like full access is being given to the bucket by a whole bunch of AWS accounts that are not mine. I would presume that, before I actually use this thing, these should be removed and replaced with the IAM entities I actually want to have access to the bucket? There really should be something in the instructions to that effect. It would also be nice to not need to use the root account for this, but the account I am using to run the tool.

cruizba commented 2 years ago

These are actually related to CloudTrail: https://docs.aws.amazon.com/es_es/awscloudtrail/latest/userguide/cloudtrail-supported-regions.html
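One way to settle the question raised in the first comment, as an added example that is not part of this thread or of cfn-leaprog: audit the quoted statement against an allow-list of the account ids the second comment identifies as CloudTrail's, and confirm the action does not reach past `s3:GetBucketAcl`. The statement is embedded in the JSON form CloudFormation produces, with a constructed bucket name standing in for the `!Sub` reference.

```python
"""Audit which principals and actions an S3 bucket-policy statement allows.

Added example for this issue thread, not code from cfn-leaprog. STATEMENT is the
quoted AWSCloudTrailAclCheck statement in JSON policy form; the bucket name is
a constructed placeholder for the template's !Sub reference.
"""
STATEMENT = {
    "Sid": "AWSCloudTrailAclCheck",
    "Effect": "Allow",
    "Principal": {"AWS": [
        "arn:aws:iam::903692715234:root", "arn:aws:iam::859597730677:root",
        "arn:aws:iam::814480443879:root", "arn:aws:iam::216624486486:root",
        "arn:aws:iam::086441151436:root", "arn:aws:iam::388731089494:root",
        "arn:aws:iam::284668455005:root", "arn:aws:iam::113285607260:root",
        "arn:aws:iam::035351147821:root",
    ]},
    "Action": "s3:GetBucketAcl",
    "Resource": "arn:aws:s3:::example-leaprog-bucket",
}

# Account ids the thread identifies as CloudTrail's own (see the AWS docs linked
# above); any other principal is foreign to the trail and worth questioning.
CLOUDTRAIL_ACCOUNTS = {
    "903692715234", "859597730677", "814480443879", "216624486486",
    "086441151436", "388731089494", "284668455005", "113285607260",
    "035351147821",
}
# The only action the CloudTrail ACL check needs on the bucket itself.
EXPECTED_ACTIONS = {"s3:GetBucketAcl"}

def _as_list(value):
    """Policy fields may be one string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def account_id(principal):
    """Account id from an IAM ARN; bare ids and '*' pass through unchanged."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 6 else principal

def audit_statement(stmt, allowed=CLOUDTRAIL_ACCOUNTS, expected=EXPECTED_ACTIONS):
    """Return (foreign_accounts, extra_actions) granted by one Allow statement."""
    if stmt.get("Effect") != "Allow":
        return set(), set()
    principal = stmt.get("Principal", {})
    # A bare "*" principal grants to anyone; report it as the pseudo-account "*".
    arns = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    accounts = {account_id(a) for a in arns}
    actions = set(_as_list(stmt.get("Action", [])))
    return accounts - allowed, actions - expected
```

For the quoted statement both result sets are empty: every principal is a listed CloudTrail account and the only action is the ACL read; a `"*"` principal or an added `s3:PutObject` would be reported.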