IAM Policy Updates #516

Open · wants to merge 4 commits into master

Conversation

k-paulius (Contributor)

I would like to propose the following changes to tighten IAM policies. None of these changes should have any noticeable effect.

  • Current S3 state bucket policy does not actually do anything because the bucket and principals accessing it are in the same account, so effective permissions are granted by identity policy and not the bucket policy. Removing it simply reduces the amount of policies that need to be audited.
  • Adding "aws:SourceArn" helps mitigate confused deputy attacks. We explicitly specify resources that can assume that role.
  • Adding permissions to OrgBuildRole helps CodeBuild to continue running successfully even if AdministratorAccess access policy is removed from that role.

…e it grants permission to account bucket is owned by. Access to this bucket is actually managed via identity policies.
…ineEventRuleRole trust policies to mitigate confused deputy attacks.

Note: CodePipeline does not support the "aws:SourceArn" condition as of this time.
…ratorAccess policy:

- ec2:DescribeRegions
- assume role "OrganizationFormationBuildAccessRole" in all organization accounts
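The confused-deputy mitigation and the two OrgBuildRole permissions listed above, worked through as an added Python example that is not part of this PR or of the project's own templates. The account id `111122223333`, the project name `org-build` and the attacker's `999999999999:project/evil` ARN are assumptions made up for illustration. The policy evaluator is deliberately minimal (Allow statements, service principals, and the `ArnEquals`/`ArnLike`/`StringEquals`/`StringLike` operators only); it exists to show why a trust policy without `aws:SourceArn` lets any CodeBuild project in any account assume the role, while the pinned form admits exactly one. Per the commit note above, only the CodeBuild role is shown, since the CodePipeline role could not take this condition at the time.

```python
"""Trust-policy tightening with aws:SourceArn and the OrgBuildRole identity policy.

Added example, not code from the PR or the project. All ARNs and account ids
below are assumptions for illustration.
"""
from fnmatch import fnmatchcase
from typing import Optional

ACCOUNT_ID = "111122223333"  # assumed deployment account
# Assumed CodeBuild project that is allowed to assume the build role
BUILD_PROJECT_ARN = f"arn:aws:codebuild:us-east-1:{ACCOUNT_ID}:project/org-build"
# Constructed attacker-owned project in a foreign account (the confused deputy case)
EVIL_PROJECT_ARN = "arn:aws:codebuild:us-east-1:999999999999:project/evil"


def build_trust_policy(service: str, source_arn: Optional[str] = None) -> dict:
    """Trust policy letting `service` call sts:AssumeRole on the role.

    Without source_arn this is the loose form: any resource of that service,
    in any AWS account, may assume the role. With source_arn the statement is
    pinned to one resource, which is the confused-deputy mitigation the PR adds.
    """
    statement = {
        "Effect": "Allow",
        "Principal": {"Service": service},
        "Action": "sts:AssumeRole",
    }
    if source_arn is not None:
        statement["Condition"] = {"ArnEquals": {"aws:SourceArn": source_arn}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def _condition_matches(condition: dict, context: dict) -> bool:
    """Evaluate the subset of IAM condition operators used here.

    Every operator/key pair must hold. A key missing from the request context
    makes the condition false, which is how IAM treats ArnEquals/ArnLike on an
    absent key (so a caller that carries no aws:SourceArn is not let in).
    """
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            patterns = expected if isinstance(expected, list) else [expected]
            if operator in ("ArnEquals", "StringEquals"):
                ok = actual in patterns
            elif operator in ("ArnLike", "StringLike"):
                ok = any(fnmatchcase(actual, p) for p in patterns)
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
            if not ok:
                return False
    return True


def assume_role_allowed(trust_policy: dict, principal_service: str, context: dict) -> bool:
    """True if some Allow statement lets `principal_service` assume the role
    under the given request context (e.g. {"aws:SourceArn": ...}).
    Explicit Deny statements are not modelled; none appear in these policies."""
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != principal_service:
            continue
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        if "sts:AssumeRole" not in actions:
            continue
        if _condition_matches(stmt.get("Condition", {}), context):
            return True
    return False


def org_build_role_policy() -> dict:
    """Identity policy carrying only the two permissions the commits list for
    OrgBuildRole, so the build keeps working once AdministratorAccess is gone.
    ec2:DescribeRegions takes no resource-level scoping, hence Resource "*"."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": "ec2:DescribeRegions", "Resource": "*"},
            {
                "Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::*:role/OrganizationFormationBuildAccessRole",
            },
        ],
    }


if __name__ == "__main__":
    service = "codebuild.amazonaws.com"
    loose = build_trust_policy(service)
    tight = build_trust_policy(service, BUILD_PROJECT_ARN)
    for label, policy in (("loose", loose), ("pinned", tight)):
        for who, arn in (("own project", BUILD_PROJECT_ARN), ("evil project", EVIL_PROJECT_ARN)):
            ok = assume_role_allowed(policy, service, {"aws:SourceArn": arn})
            print(f"{label:6} policy, {who:12}: {'ALLOW' if ok else 'DENY'}")
```

The loose policy allows both projects; the pinned one allows only `org-build`. The same evaluator also shows that the pinned policy refuses a caller whose request carries no `aws:SourceArn` at all, and that pinning does not widen the principal: a different service principal is still refused.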