🔒 Improve AWS Cloud IAM policy security #839
Conversation
- Scope IAM roles and instance profiles to TowerForge* prefix - Add resource-level restrictions for EC2 operations - Split launch policy into granular statements with conditions - Restrict instance operations to TowerForge-* tagged resources 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
✅ Deploy Preview for seqera-docs ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Thanks, @kenibrewer! Adding Georgi for a dev review and then good to merge. |
georgi-seqera
left a comment
georgi-seqera
left a comment
There was a problem hiding this comment.
At a glance looks good to me, but I've not really been involved in the AWS Cloud CE work, so I'll defer to @stefanoboriero who is more familiar with the resource management of the AWS Cloud CE
|
Do the same changes need to be made for Enterprise docs too? Or are the pages linked? |
stefanoboriero
left a comment
stefanoboriero
left a comment
There was a problem hiding this comment.
The main reason why I didn't scope them down by prefix in the docs is that the prefix is actually configurable by Enterprise users (see TOWER_FORGE_PREFIX in https://docs.seqera.io/platform-enterprise/enterprise/configuration/overview), and I wanted to be as generic as possible. If we want to add this to the docs, we should be clear that if you override the default forge prefix this permissions cannot be copy-pasted.
| "arn:aws:ec2:*:*:instance/*", | ||
| "arn:aws:ec2:*:*:volume/*", | ||
| "arn:aws:ec2:*:*:network-interface/*", | ||
| "arn:aws:ec2:*:*:subnet/*", | ||
| "arn:aws:ec2:*:*:security-group/*", | ||
| "arn:aws:ec2:*:*:key-pair/*", | ||
| "arn:aws:ec2:*:*:image/*" |
There was a problem hiding this comment.
Is this really any different than using *? Actions are anyhow not applicable to all resource types, so defining individual resource types still with a star permission doesn't seem to change much the scope of the actual permissions.
For example, with the current config I can't use ec2:RunInstances on a Kinesis stream, because the action already carries the scope of what resource type it can be taken against.
On the other hand I get this might have a placebo effect if someone reads it through without giving it much thought, it seems more scoped.
There was a problem hiding this comment.
Can this be addressed in a separate PR? Or is it a blocker to merging this PR?
| "Sid": "AwsCloudLaunchInstances", | ||
| "Effect": "Allow", | ||
| "Action": [ | ||
| "ec2:DescribeInstances", |
There was a problem hiding this comment.
Did you test this? AWS Docs say that using the ec2:ResourceTag/Name condition key is not supported for action ec2:DescribeInstances. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions.
There was a problem hiding this comment.
@kenibrewer, following up on this so we can merge this PR. :)
|
I don't have the bandwidth to bring this PR to completion. Can someone else work on this and ping me for a review so I can ensure it meets pre-sales needs? Addressing the specific feedback. It is VERY IMPORTANT in my view to scope things using the To address the |
I'll pick this up and ping you for review |
|
@stefanoboriero @justinegeffen Can we get this re-reviewed and merged? |
justinegeffen
added
the
additional work req.
Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
justinegeffen
removed
the
additional work req.
justinegeffen
added
1. Editor review
|
@stefanoboriero, if you have bandwidth to do another review of this PR that would be super helpful. :) |
|
Could we please get this merged? It's been open for almost three months. Thanks! |
|
@robnewman @kenibrewer I believe this is superseded by |
There was a problem hiding this comment.
#941 and #943 are updating the AWS Batch CE policy, this PR is updating the AWS Cloud CE policy
I agree with the comments from Stefano, many changes are just aestethic, they aren't limiting or improving the policy.
In #941 and #943 I added a copy-pasteable policy with wide-open permissions for AWS Batch CEs, and I then commented each section in it to reduce the scope of each section according to the needs of each customer. I can replicate it for AWS Cloud CEs too.
I think we should mirror these changes (with the caveat of the TOWER_FORGE_PREFIX env var) in the Enterprise docs too.
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com> Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com> Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com> Signed-off-by: Justine Geffen <justinegeffen@users.noreply.github.com>
|
@bebosudo, @kenibrewer, @stefanoboriero:
|
justinegeffen
removed
the
additional work req.
|
Point taken about some of the |
Thanks Ken, and thank you for this PR - it's really helpful :). I've reconsidered the "out of scope" process that I mentioned above and I will make separate issues for them, after which the team will assess and prioritize them. So, nothing more for you to do but we may ping you for review on some of the improvements. :) |
Summary
TowerForge*prefix instead of wildcard resourcesTowerForge-*instance namingTest plan
🤖 Generated with Claude Code