feat: permission restriction release (#449)

* refactor: restrict sc roles (#412)

* Restrict iam permission to SWB resources

* Restrict Launch constraint role 

* Update envmgmt, cross account envmgmt, add permissions boundary

Co-authored-by: zheyanyu <[email protected]>

* feat: branch develop sync (#430)

* chore: sync with mainline

* refactor: Remove permission boundary condition on launch constraint role (#433)

* docs: add instructions for updating launch constraint role
* refactor: remove condition in launch constraint role for backward compatibility
* By removing permission boundary condition, the changes on launch constraint role will be backward compatible to existing default SC products 

Co-authored-by: zheyanyu <[email protected]>

* refactor: restricting AppDeployer permissions (#431)

Co-authored-by: Jeet <[email protected]>

* fix: adding deny for appDeployer perm restrict (#437)

* fix: adding deny for appDeployer perm restrict

* fix: adding KMS perms for AppDeployer

* fix: allow workflow runner access to master role (#444)

* fix: adding s3 resources for appdeployer (#445)

* chore: Update PolicyAppDeployer IAM permission (#446)

Co-authored-by: Tim Nguyen <[email protected]>

* Update changelog for version 3.0.0

Co-authored-by: Yanyu Zheng <[email protected]>
Co-authored-by: zheyanyu <[email protected]>
Co-authored-by: Sanket Dharwadkar <[email protected]>
Co-authored-by: Jeet <[email protected]>
Co-authored-by: Tim Nguyen <[email protected]>

CHANGELOG.md

@@ -1,6 +1,24 @@
 # Changelog
 
 All notable changes to this project will be documented in this file.
+## [3.0.0] - 2021-04-19
+
+### Added
+- refactor: restricting AppDeployer permissions
+- refactor: Remove permission boundary condition on launch constraint role
+- refactor: restrict sc roles
+
+**Permissions boundaries are being added to the several important IAM roles used by Service Workbench as a security best practice.**
+
+**Customer Impact:** Below outlines the actions required for you to successfully adopt this security enhancement. The first two items are applicable to all customers. If you have created custom workspace types, then all three items below are applicable.
+
+1. After running the update, onboard all hosting accounts once again to benefit from the enhanced security, and test the application.
+**Note:** The attached pdf contains steps for onboarding hosting accounts, contact your Service Workbench Administrator if you have not performed these steps before.
+
+2. After running the update, import and use the newly available Service Catalog product versions for workspace types (latest version numbers) to benefit from the enhanced security.
+
+3. **ONLY Customers that have created custom workspace types:** It is possible that the permissions boundaries would prevent actions that were formerly allowed. You should plan to validate your custom workspace types after the update. Issues should be addressed by modifying the custom workspaces to work within the permissions granted, or modify the permissions boundary for your installation (this would require a change to Service Workbench code (specifically the IAM policies that are attached as the permissions boundary) for your install).
+Note: Any existing custom or non-custom workspaces types (for example, EC2 Linux/Windows, EMR, SageMaker, R Studio) are not impacted by this upgrade.
 
 ## [2.2.0] - 2021-04-12
 

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml

@@ -113,9 +113,8 @@ Resources:
             Statement:
               - Effect: Allow
                 Action:
-                  - cloudformation:ListStackResources
                   - cloudformation:GetTemplate
-                Resource: '*'
+                Resource: 'arn:aws:cloudformation:*:*:stack/SC-*/*'
         - PolicyName: ssm-access
           PolicyDocument:
             Statement:
@@ -125,34 +124,29 @@ Resources:
                 - ssm:GetParameter
                 - ssm:GetParameters
                 - ssm:DeleteParameter
-              Resource: '*'
-        - PolicyName: cost-explorer-access
-          PolicyDocument:
-            Statement:
-              Effect: Allow
-              Action:
-                - ce:*
-              Resource: '*'
+              Resource:
+                - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*/sc-environments/*'
         - PolicyName: s3-access
           PolicyDocument:
             Statement:
               Effect: Allow
               Action:
-                - s3:*
-              Resource: '*'
+                - s3:GetObject
+              Resource:
+                - 'arn:aws:s3:::cf-templates-*/*'
         - PolicyName: sagemaker-access
           PolicyDocument:
             Statement:
               Effect: Allow
               Action:
-                - sagemaker:*
+                - sagemaker:CreatePresignedNotebookInstanceUrl
+                - sagemaker:ListNotebookInstances
               Resource: '*'
         - PolicyName: iam-role-access
           PolicyDocument:
             Statement:
               - Effect: Allow
                 Action:
-                  - iam:GetRole
                   - iam:CreateRole
                   - iam:TagRole
                   - iam:GetRolePolicy
@@ -165,17 +159,68 @@ Resources:
                   - iam:AttachRolePolicy
                   - iam:DetachRolePolicy
                 Resource:
-                  - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}'
-              - Effect: Allow
-                Action:
-                  - iam:CreatePolicy
-                  - iam:GetPolicy
-                  - iam:GetPolicyVersion
-                  - iam:ListPolicyVersions
-                  - iam:DeletePolicy
-                  - iam:DeletePolicyVersion
-                Resource:
-                  - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${LaunchConstraintPolicyPrefix}'
+                  - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}LaunchConstraint'
+      PermissionsBoundary: !Ref CrossAccountEnvMgmtPermissionsBoundary
+
+  CrossAccountEnvMgmtPermissionsBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for cross account EnvMgmt role
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - s3:*
+              - cloudformation:*
+              - sagemaker:*
+              - ec2:*
+              - ssm:*
+              - config:*
+              - servicecatalog:*
+              - ec2-instance-connect:*
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource: '*'
+            Condition:
+              StringEquals:
+                iam:PassedToService: 'servicecatalog.amazonaws.com'
+          - Effect: Allow
+            Action:
+              - iam:CreateRole
+              - iam:TagRole
+              - iam:GetRolePolicy
+              - iam:PutRolePolicy
+              - iam:DeleteRolePolicy
+              - iam:ListRolePolicies
+              - iam:ListAttachedRolePolicies
+              - iam:UpdateAssumeRolePolicy
+              - iam:UpdateRoleDescription
+              - iam:AttachRolePolicy
+              - iam:DetachRolePolicy
+            Resource:
+              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}'
+          - Effect: Allow
+            Action:
+              - iam:CreatePolicy
+              - iam:GetPolicy
+              - iam:GetPolicyVersion
+              - iam:ListPolicyVersions
+              - iam:DeletePolicy
+              - iam:DeletePolicyVersion
+            Resource:
+              - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${LaunchConstraintPolicyPrefix}'
+          - Effect: Allow
+            Action:
+              - iam:GetGroup
+              - iam:GetRole
+              - iam:GetUser
+              - iam:ListGroups
+              - iam:ListRoles
+              - iam:ListUsers
+            Resource: '*' # These non-mutating IAM actions cover the permissions in managed policy AWSServiceCatalogAdminFullAccess
 
   PolicyCrossAccountExecution:
     Type: AWS::IAM::ManagedPolicy

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml

@@ -41,6 +41,26 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
 
 Resources:
+  InstanceRolePermissionBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for EC2 instance role
+      ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-linux-permission-boundary']]
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'kms:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Resource: 'arn:aws:iam::*:role/swb-*'
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -81,6 +101,7 @@ Resources:
                     s3:prefix: !Sub
                       - '${S3Prefix}/*'
                       - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]]
+      PermissionsBoundary: !Ref InstanceRolePermissionBoundary
 
   InstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml

@@ -44,6 +44,27 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
 
 Resources:
+  InstanceRolePermissionBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for EC2 instance role
+      ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-rstudio-permission-boundary']]
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:*'
+              - 'ssm:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'kms:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Resource: 'arn:aws:iam::*:role/swb-*'
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -93,6 +114,7 @@ Resources:
                   - 'ssm:GetParameter'
                   - 'ssm:PutParameter'
                 Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+      PermissionsBoundary: !Ref InstanceRolePermissionBoundary
 
   InstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml

@@ -63,6 +63,26 @@ Conditions:
   IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}']
 
 Resources:
+  InstanceRolePermissionBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for EC2 instance role
+      ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-windows-permission-boundary']]
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'kms:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Resource: 'arn:aws:iam::*:role/swb-*'
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -103,6 +123,7 @@ Resources:
                     s3:prefix: !Sub
                       - '${S3Prefix}/*'
                       - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]]
+      PermissionsBoundary: !Ref InstanceRolePermissionBoundary
 
   InstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml

@@ -124,6 +124,27 @@ Resources:
         - Ref: Ec2Role
     Type: AWS::IAM::InstanceProfile
 
+  InstanceRolePermissionBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for EC2 instance role
+      ManagedPolicyName: !Join ['-', [Ref: Namespace, 'emr-permission-boundary']]
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'kms:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Resource: 'arn:aws:iam::*:role/swb-*'
+
   Ec2Role:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -166,6 +187,7 @@ Resources:
                     s3:prefix: !Sub
                       - '${S3Prefix}/*'
                       - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]]
+      PermissionsBoundary: !Ref InstanceRolePermissionBoundary
 
   ServiceRole:
     Type: AWS::IAM::Role
@@ -182,6 +204,7 @@ Resources:
         Version: '2012-10-17'
       ManagedPolicyArns:
         - arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
+      PermissionsBoundary: arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole
 
   EmrSecurityConfiguration:
     Type: AWS::EMR::SecurityConfiguration

addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml

@@ -52,7 +52,27 @@ Resources:
           FromPort: 443
           ToPort: 443
           CidrIp: !Ref AccessFromCIDRBlock
-
+  InstanceRolePermissionBoundary:
+    Type: AWS::IAM::ManagedPolicy
+    Properties:
+      Description: Permission boundary for EC2 instance role
+      ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-sagemaker-permission-boundary']]
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: Allow
+            Action:
+              - 's3:*'
+              - 'logs:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'kms:*'
+            Resource: '*'
+          - Effect: Allow
+            Action:
+              - 'sts:AssumeRole'
+            Resource: 'arn:aws:iam::*:role/swb-*'
   IAMRole:
     Type: 'AWS::IAM::Role'
     Properties:
@@ -93,7 +113,6 @@ Resources:
                     s3:prefix: !Sub
                       - '${S3Prefix}/*'
                       - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]]
-
         - PolicyName: cw-logs
           PolicyDocument:
             Statement:
@@ -105,6 +124,7 @@ Resources:
                 - logs:CreateLogGroup
               Resource:
                 - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/sagemaker/*
+      PermissionsBoundary: !Ref InstanceRolePermissionBoundary
 
   # This policy is attached to the role after the instance is created
   # so that the instance can be referenced in the resource section

docs/docs/deployment/post_deployment/import_service_catalog_products.md

@@ -58,7 +58,10 @@ _**Note**: If you run the machine images SDC multiple times, duplicated AMIs are
 
 These four products come from the AWS Service Catalog portfolio created by the system during deployment. And they'll be ready for use once imported and configured.
 
-If you wish to include other AWS computation resources in future, simply add new products to the existing Service Workbench portfolio in the AWS Service Catalog.
+If you wish to include other AWS computation resources in the future: 
+
+1. Add a new product to the existing Service Workbench portfolio in AWS Service Catalog
+2. Update the role `ServiceCatalogLaunchConstraintRole` in [cloudformation.yml](https://github.com/awslabs/service-workbench-on-aws/blob/mainline/main/solution/post-deployment/config/infra/cloudformation.yml#L204) to include permission needed to launch and terminate the product
 
 ### Import