From 27e362707f298d0ec8e728643926b2c46694886b Mon Sep 17 00:00:00 2001 From: Tim Nguyen Date: Mon, 19 Apr 2021 15:28:56 -0400 Subject: [PATCH] feat: permission restriction release (#449) * refactor: restrict sc roles (#412) * Restrict iam permission to SWB resources * Restrict Launch constraint role * Update envmgmt, cross account envmgmt, add permissions boundary Co-authored-by: zheyanyu * feat: branch develop sync (#430) * chore: sync with mainline * refactor: Remove permission boundary condition on launch constraint role (#433) * docs: add instructions for updating launch constraint role * refactor: remove condition in launch constraint role for backward compatibility * By removing permission boundary condition, the changes on launch constraint role will be backward compatible to existing default SC products Co-authored-by: zheyanyu * refactor: restricting AppDeployer permissions (#431) Co-authored-by: Jeet <68876606+jn1119@users.noreply.github.com> * fix: adding deny for appDeployer perm restrict (#437) * fix: adding deny for appDeployer perm restrict * fix: adding KMS perms for AppDeployer * fix: allow workflow runner access to master role (#444) * fix: adding s3 resources for appdeployer (#445) * chore: Update PolicyAppDeployer IAM permission (#446) Co-authored-by: Tim Nguyen * Update changelog for version 3.0.0 Co-authored-by: Yanyu Zheng Co-authored-by: zheyanyu Co-authored-by: Sanket Dharwadkar Co-authored-by: Jeet <68876606+jn1119@users.noreply.github.com> Co-authored-by: Tim Nguyen --- CHANGELOG.md | 18 ++ .../src/templates/onboard-account.cfn.yml | 95 ++++++--- .../ec2-linux-instance.cfn.yml | 21 ++ .../ec2-rstudio-instance.cfn.yml | 22 +++ .../ec2-windows-instance.cfn.yml | 21 ++ .../service-catalog/emr-cluster.cfn.yml | 23 +++ .../sagemaker-notebook-instance.cfn.yml | 24 ++- .../import_service_catalog_products.md | 5 +- .../config/infra/cloudformation.yml | 183 +++++++++++++++--- main/config/settings/.defaults.yml | 4 +- .../backend/config/infra/cloudformation.yml | 121 ++++-------- .../config/infra/cloudformation.yml | 172 +++++++++++++--- 12 files changed, 544 insertions(+), 165 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d4e9801518..d390797947 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,24 @@ # Changelog All notable changes to this project will be documented in this file. +## [3.0.0] - 2021-04-19 + +### Added +- refactor: restricting AppDeployer permissions +- refactor: Remove permission boundary condition on launch constraint role +- refactor: restrict sc roles + +**Permissions boundaries are being added to the several important IAM roles used by Service Workbench as a security best practice.** + +**Customer Impact:** Below outlines the actions required for you to successfully adopt this security enhancement. The first two items are applicable to all customers. If you have created custom workspace types, then all three items below are applicable. + +1. After running the update, onboard all hosting accounts once again to benefit from the enhanced security, and test the application. +**Note:** The attached pdf contains steps for onboarding hosting accounts, contact your Service Workbench Administrator if you have not performed these steps before. + +2. After running the update, import and use the newly available Service Catalog product versions for workspace types (latest version numbers) to benefit from the enhanced security. + +3. **ONLY Customers that have created custom workspace types:** It is possible that the permissions boundaries would prevent actions that were formerly allowed. You should plan to validate your custom workspace types after the update. Issues should be addressed by modifying the custom workspaces to work within the permissions granted, or modify the permissions boundary for your installation (this would require a change to Service Workbench code (specifically the IAM policies that are attached as the permissions boundary) for your install). +Note: Any existing custom or non-custom workspaces types (for example, EC2 Linux/Windows, EMR, SageMaker, R Studio) are not impacted by this upgrade. ## [2.2.0] - 2021-04-12 diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml index 5d6386b8a4..a1ed53a4da 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/onboard-account.cfn.yml @@ -113,9 +113,8 @@ Resources: Statement: - Effect: Allow Action: - - cloudformation:ListStackResources - cloudformation:GetTemplate - Resource: '*' + Resource: 'arn:aws:cloudformation:*:*:stack/SC-*/*' - PolicyName: ssm-access PolicyDocument: Statement: @@ -125,34 +124,29 @@ Resources: - ssm:GetParameter - ssm:GetParameters - ssm:DeleteParameter - Resource: '*' - - PolicyName: cost-explorer-access - PolicyDocument: - Statement: - Effect: Allow - Action: - - ce:* - Resource: '*' + Resource: + - !Sub 'arn:aws:ssm:*:${AWS::AccountId}:parameter/*/sc-environments/*' - PolicyName: s3-access PolicyDocument: Statement: Effect: Allow Action: - - s3:* - Resource: '*' + - s3:GetObject + Resource: + - 'arn:aws:s3:::cf-templates-*/*' - PolicyName: sagemaker-access PolicyDocument: Statement: Effect: Allow Action: - - sagemaker:* + - sagemaker:CreatePresignedNotebookInstanceUrl + - sagemaker:ListNotebookInstances Resource: '*' - PolicyName: iam-role-access PolicyDocument: Statement: - Effect: Allow Action: - - iam:GetRole - iam:CreateRole - iam:TagRole - iam:GetRolePolicy @@ -165,17 +159,68 @@ Resources: - iam:AttachRolePolicy - iam:DetachRolePolicy Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}' - - Effect: Allow - Action: - - iam:CreatePolicy - - iam:GetPolicy - - iam:GetPolicyVersion - - iam:ListPolicyVersions - - iam:DeletePolicy - - iam:DeletePolicyVersion - Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${LaunchConstraintPolicyPrefix}' + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}LaunchConstraint' + PermissionsBoundary: !Ref CrossAccountEnvMgmtPermissionsBoundary + + CrossAccountEnvMgmtPermissionsBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for cross account EnvMgmt role + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - s3:* + - cloudformation:* + - sagemaker:* + - ec2:* + - ssm:* + - config:* + - servicecatalog:* + - ec2-instance-connect:* + Resource: '*' + - Effect: Allow + Action: + - iam:PassRole + Resource: '*' + Condition: + StringEquals: + iam:PassedToService: 'servicecatalog.amazonaws.com' + - Effect: Allow + Action: + - iam:CreateRole + - iam:TagRole + - iam:GetRolePolicy + - iam:PutRolePolicy + - iam:DeleteRolePolicy + - iam:ListRolePolicies + - iam:ListAttachedRolePolicies + - iam:UpdateAssumeRolePolicy + - iam:UpdateRoleDescription + - iam:AttachRolePolicy + - iam:DetachRolePolicy + Resource: + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${LaunchConstraintRolePrefix}' + - Effect: Allow + Action: + - iam:CreatePolicy + - iam:GetPolicy + - iam:GetPolicyVersion + - iam:ListPolicyVersions + - iam:DeletePolicy + - iam:DeletePolicyVersion + Resource: + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${LaunchConstraintPolicyPrefix}' + - Effect: Allow + Action: + - iam:GetGroup + - iam:GetRole + - iam:GetUser + - iam:ListGroups + - iam:ListRoles + - iam:ListUsers + Resource: '*' # These non-mutating IAM actions cover the permissions in managed policy AWSServiceCatalogAdminFullAccess PolicyCrossAccountExecution: Type: AWS::IAM::ManagedPolicy diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml index 2cbd7055ee..caafe7a57d 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-linux-instance.cfn.yml @@ -41,6 +41,26 @@ Conditions: IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}'] Resources: + InstanceRolePermissionBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EC2 instance role + ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-linux-permission-boundary']] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:*' + Resource: '*' + - Effect: Allow + Action: + - 'kms:*' + Resource: '*' + - Effect: Allow + Action: + - 'sts:AssumeRole' + Resource: 'arn:aws:iam::*:role/swb-*' IAMRole: Type: 'AWS::IAM::Role' Properties: @@ -81,6 +101,7 @@ Resources: s3:prefix: !Sub - '${S3Prefix}/*' - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]] + PermissionsBoundary: !Ref InstanceRolePermissionBoundary InstanceProfile: Type: 'AWS::IAM::InstanceProfile' diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml index bec21b232d..3cd3786d4a 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-rstudio-instance.cfn.yml @@ -44,6 +44,27 @@ Conditions: IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}'] Resources: + InstanceRolePermissionBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EC2 instance role + ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-rstudio-permission-boundary']] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:*' + - 'ssm:*' + Resource: '*' + - Effect: Allow + Action: + - 'kms:*' + Resource: '*' + - Effect: Allow + Action: + - 'sts:AssumeRole' + Resource: 'arn:aws:iam::*:role/swb-*' IAMRole: Type: 'AWS::IAM::Role' Properties: @@ -93,6 +114,7 @@ Resources: - 'ssm:GetParameter' - 'ssm:PutParameter' Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*' + PermissionsBoundary: !Ref InstanceRolePermissionBoundary InstanceProfile: Type: 'AWS::IAM::InstanceProfile' diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml index ee7279967f..49b03b2589 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/ec2-windows-instance.cfn.yml @@ -63,6 +63,26 @@ Conditions: IamPolicyEmpty: !Equals [!Ref IamPolicyDocument, '{}'] Resources: + InstanceRolePermissionBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EC2 instance role + ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-windows-permission-boundary']] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:*' + Resource: '*' + - Effect: Allow + Action: + - 'kms:*' + Resource: '*' + - Effect: Allow + Action: + - 'sts:AssumeRole' + Resource: 'arn:aws:iam::*:role/swb-*' IAMRole: Type: 'AWS::IAM::Role' Properties: @@ -103,6 +123,7 @@ Resources: s3:prefix: !Sub - '${S3Prefix}/*' - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]] + PermissionsBoundary: !Ref InstanceRolePermissionBoundary InstanceProfile: Type: 'AWS::IAM::InstanceProfile' diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml index 78eaffa13f..9722b18d93 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/emr-cluster.cfn.yml @@ -124,6 +124,27 @@ Resources: - Ref: Ec2Role Type: AWS::IAM::InstanceProfile + InstanceRolePermissionBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EC2 instance role + ManagedPolicyName: !Join ['-', [Ref: Namespace, 'emr-permission-boundary']] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:*' + Resource: '*' + - Effect: Allow + Action: + - 'kms:*' + Resource: '*' + - Effect: Allow + Action: + - 'sts:AssumeRole' + Resource: 'arn:aws:iam::*:role/swb-*' + Ec2Role: Type: 'AWS::IAM::Role' Properties: @@ -166,6 +187,7 @@ Resources: s3:prefix: !Sub - '${S3Prefix}/*' - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]] + PermissionsBoundary: !Ref InstanceRolePermissionBoundary ServiceRole: Type: AWS::IAM::Role @@ -182,6 +204,7 @@ Resources: Version: '2012-10-17' ManagedPolicyArns: - arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole + PermissionsBoundary: arn:aws:iam::aws:policy/service-role/AmazonElasticMapReduceRole EmrSecurityConfiguration: Type: AWS::EMR::SecurityConfiguration diff --git a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml index fdb069ddfe..1ad5d7d950 100644 --- a/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml +++ b/addons/addon-base-raas/packages/base-raas-cfn-templates/src/templates/service-catalog/sagemaker-notebook-instance.cfn.yml @@ -52,7 +52,27 @@ Resources: FromPort: 443 ToPort: 443 CidrIp: !Ref AccessFromCIDRBlock - + InstanceRolePermissionBoundary: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EC2 instance role + ManagedPolicyName: !Join ['-', [Ref: Namespace, 'ec2-sagemaker-permission-boundary']] + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: + - 's3:*' + - 'logs:*' + Resource: '*' + - Effect: Allow + Action: + - 'kms:*' + Resource: '*' + - Effect: Allow + Action: + - 'sts:AssumeRole' + Resource: 'arn:aws:iam::*:role/swb-*' IAMRole: Type: 'AWS::IAM::Role' Properties: @@ -93,7 +113,6 @@ Resources: s3:prefix: !Sub - '${S3Prefix}/*' - S3Prefix: !Select [3, !Split ['/', !Ref EnvironmentInstanceFiles]] - - PolicyName: cw-logs PolicyDocument: Statement: @@ -105,6 +124,7 @@ Resources: - logs:CreateLogGroup Resource: - !Sub arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/sagemaker/* + PermissionsBoundary: !Ref InstanceRolePermissionBoundary # This policy is attached to the role after the instance is created # so that the instance can be referenced in the resource section diff --git a/docs/docs/deployment/post_deployment/import_service_catalog_products.md b/docs/docs/deployment/post_deployment/import_service_catalog_products.md index ca838c2e4f..7fc55aed95 100644 --- a/docs/docs/deployment/post_deployment/import_service_catalog_products.md +++ b/docs/docs/deployment/post_deployment/import_service_catalog_products.md @@ -58,7 +58,10 @@ _**Note**: If you run the machine images SDC multiple times, duplicated AMIs are These four products come from the AWS Service Catalog portfolio created by the system during deployment. And they'll be ready for use once imported and configured. -If you wish to include other AWS computation resources in future, simply add new products to the existing Service Workbench portfolio in the AWS Service Catalog. +If you wish to include other AWS computation resources in the future: + +1. Add a new product to the existing Service Workbench portfolio in AWS Service Catalog +2. Update the role `ServiceCatalogLaunchConstraintRole` in [cloudformation.yml](https://github.com/awslabs/service-workbench-on-aws/blob/mainline/main/solution/post-deployment/config/infra/cloudformation.yml#L204) to include permission needed to launch and terminate the product ### Import diff --git a/main/cicd/cicd-pipeline/config/infra/cloudformation.yml b/main/cicd/cicd-pipeline/config/infra/cloudformation.yml index ab8c9a2c85..b9964b8b93 100644 --- a/main/cicd/cicd-pipeline/config/infra/cloudformation.yml +++ b/main/cicd/cicd-pipeline/config/infra/cloudformation.yml @@ -199,6 +199,156 @@ Resources: Effect: Allow Resource: !Ref PipelineNotificationsTopic + PolicyAppDeployer: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Allows CodePipeline to create resources required for deploying SWB + PolicyDocument: + Version: '2012-10-17' + Statement: + - Action: + - iam:GetRole + - iam:GetRolePolicy + - iam:PassRole + - iam:CreateRole + - iam:PutRolePolicy + - iam:AttachRolePolicy + - iam:DeleteRole + - iam:DeleteRolePolicy + - iam:DetachRolePolicy + - iam:UpdateRoleDescription + - iam:*TagRole* + Effect: Allow + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*' + - Action: + - iam:CreateRole + - iam:PutRolePolicy + - iam:AttachRolePolicy + Effect: Deny + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-cicd-pipeline-AppDeployerRole-*' + - Action: + - iam:CreatePolicy + - iam:GetPolicy + - iam:DeletePolicy + - iam:*PolicyVersion* + Effect: Allow + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.namespace}-*' + - Action: + - events:* + - states:* + - cloudfront:* + - apigateway:* + Effect: Allow + Resource: '*' + - Action: + - dynamodb:* + Effect: Allow + Resource: !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/${self:custom.settings.namespace}-*' + - Effect: Allow + Action: + - logs:CreateLogStream + - logs:DescribeLogStreams + - logs:PutLogEvents + - logs:CreateLogGroup + - logs:DeleteLogGroup + - logs:DeleteLogStream + Resource: + - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/*' + - !Sub 'arn:aws:logs:*:${AWS::AccountId}:log-group:/aws/*:log-stream:*' + - Effect: Allow + Action: + - lambda:* + Resource: + - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.namespace}*:*' + - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.namespace}*' + - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.envName}-*:*' + - !Sub 'arn:aws:lambda:*:${AWS::AccountId}:function:${self:custom.settings.awsRegionShortName}-${self:custom.settings.solutionName}-*-${self:custom.settings.envName}-*' + - Action: + - 's3:*' + Effect: Allow + Resource: + - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.namespace}* + - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.namespace}*/* + - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.envName}-va-${self:custom.settings.solutionName}* + - !Sub arn:aws:s3:::${AWS::AccountId}-${self:custom.settings.envName}-va-${self:custom.settings.solutionName}*/* + - Effect: Allow + Action: + - ssm:GetParameter + Resource: + - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.settings.envName}/*' + - Effect: Allow + Action: + - iam:ListRoles + - organizations:DescribeOrganization + - account:ListRegions + - cloudformation:ValidateTemplate + - kms:CreateKey + - kms:ListKeys + - kms:ListAliases + - kms:PutKeyPolicy + - kms:GenerateRandom + - s3:ListBuckets + Resource: + - '*' # For the actions listed above IAM does not support resource-level permissions and requires all resources to be chosen + - Effect: Allow + Action: + - iam:CreateServiceLinkedRole + - iam:DeleteServiceLinkedRole + - iam:GetServiceLinkedRoleDeletionStatus + - iam:UpdateRoleDescription + Resource: + - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/*' + - Effect: Allow + Action: + - codebuild:CreateReportGroup + - codebuild:CreateReport + - codebuild:BatchPutTestCases + - codebuild:UpdateReport + Resource: + - !Sub 'arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*' + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DeleteStack + - cloudformation:DescribeStacks + - cloudformation:UpdateStack + - cloudformation:GetTemplate + - cloudformation:ListStackResources + - cloudformation:DescribeStackEvents + Resource: + - !Sub 'arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${self:custom.settings.namespace}-*' + - !Sub 'arn:aws:cloudformation:us-east-1:${AWS::AccountId}:stack/${self:custom.settings.envName}-va-${self:custom.settings.solutionName}-*' + - Effect: 'Allow' + Action: + - kms:DescribeKey + - kms:EnableKey + - kms:Encrypt + - kms:Decrypt + - kms:CreateAlias + - kms:ListKeyPolicies + - kms:ReEncrypt* + - kms:GenerateDataKey + - kms:ListGrants + - kms:GenerateDataKeyWithoutPlaintext + - kms:CreateGrant + - kms:RevokeGrant + - kms:TagResource + - kms:UntagResource + - kms:GetKeyPolicy + Resource: + - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/*${self:custom.settings.namespace}*' + - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*' + - Action: + - iam:PutRolePermissionsBoundary + - iam:DeleteRolePermissionsBoundary + Effect: Allow + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*' + - Action: + - iam:PutRolePermissionsBoundary + - iam:DeleteRolePermissionsBoundary + Effect: Deny + Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-cicd-pipeline-AppDeployerRole-*' + AppDeployerRole: Type: AWS::IAM::Role Properties: @@ -214,37 +364,8 @@ Resources: # The deployer role needs permissions to deploy CFN stacks and all actions those stacks are performing # The permissions required by stacks are very fluid and dependent on which resources are declared in those # stacks - - arn:aws:iam::aws:policy/PowerUserAccess - Policies: - - PolicyName: CodeBuildDeployerPermissions - PolicyDocument: - Version: '2012-10-17' - Statement: - - Action: - - iam:AttachRolePolicy - - iam:CreateRole - - iam:DeleteRole - - iam:DeleteRolePolicy - - iam:DetachRolePolicy - - iam:GetRole - - iam:GetRolePolicy - - iam:PassRole - - iam:PutRolePolicy - - iam:UpdateAssumeRolePolicy - - iam:*TagRole* - Resource: '*' - Effect: Allow - - Action: - - iam:CreatePolicy - - iam:GetPolicy - - iam:*PolicyVersion* - Effect: Allow - Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${self:custom.settings.namespace}-*' - - Action: - - iam:PutRolePermissionsBoundary - - iam:DeleteRolePermissionsBoundary - Effect: Allow - Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-*' + - !Ref PolicyAppDeployer + PermissionsBoundary: !Ref PolicyAppDeployer # Role that allows triggering the CodePipeline. This role is assumed by CloudWatch Events from the Source AWS Account # where the source code is located (i.e., the account containing the AWS CodeCommit repo with the source code) diff --git a/main/config/settings/.defaults.yml b/main/config/settings/.defaults.yml index 142b86a202..d33dc5da3c 100644 --- a/main/config/settings/.defaults.yml +++ b/main/config/settings/.defaults.yml @@ -172,10 +172,10 @@ auditQldbName: ${self:custom.settings.namespace}-audit createServiceCatalogPortfolio: true # Version number of current release -versionNumber: '2.2.0' +versionNumber: '3.0.0' # Release date of current release -versionDate: '2021-04-12' +versionDate: '2021-04-19' # Metadata provided with AWS SDK calls customUserAgent: 'AwsLabs/SO0144/${self:custom.settings.versionNumber}' diff --git a/main/solution/backend/config/infra/cloudformation.yml b/main/solution/backend/config/infra/cloudformation.yml index 2fe5998e14..395c34047f 100644 --- a/main/solution/backend/config/infra/cloudformation.yml +++ b/main/solution/backend/config/infra/cloudformation.yml @@ -422,7 +422,6 @@ Resources: Action: 'sts:AssumeRole' Resource: - !GetAtt [RoleEnvMgmt, Arn] - - 'arn:aws:iam::*:role/initial-stack-*' - 'arn:aws:iam::*:role/SC-*' - 'arn:aws:iam::*:role/swb-*' - 'arn:aws:iam::*:role/analysis-*' @@ -578,7 +577,6 @@ Resources: Action: 'sts:AssumeRole' Resource: - !GetAtt [RoleEnvMgmt, Arn] - - 'arn:aws:iam::*:role/initial-stack-*' - 'arn:aws:iam::*:role/SC-*' - 'arn:aws:iam::*:role/analysis-*' - 'arn:aws:iam::*:role/swb-*' @@ -598,6 +596,11 @@ Resources: - xray:PutTelemetryRecords Resource: - '*' + - Effect: Allow + Action: + - sts:AssumeRole + Resource: + - !Sub 'arn:aws:iam::${AWS::AccountId}:role/${self:custom.settings.namespace}-prep-raas-master-MasterRole-*' # IAM Role for the workflowLoopRunner Function RoleWorkflowLoopRunner: @@ -758,86 +761,42 @@ Resources: AWS: !Sub ${AWS::AccountId} Action: 'sts:AssumeRole' ManagedPolicyArns: - - arn:aws:iam::aws:policy/AWSServiceCatalogAdminFullAccess - Policies: - - PolicyName: ec2-access - PolicyDocument: - Statement: - Action: - - ec2:CreateKeyPair - - ec2:DeleteKeyPair - - ec2:GetPasswordData - - ec2:ModifyImageAttribute - - ec2:DescribeImages - - ec2:DescribeInstances - - ec2:DescribeSecurityGroups - - ec2:RevokeSecurityGroupIngress - - ec2:AuthorizeSecurityGroupIngress - - ec2-instance-connect:SendSSHPublicKey - Effect: Allow - Resource: '*' - - PolicyName: cfn-access - PolicyDocument: - Statement: - Effect: Allow - Action: - - cloudformation:ListStackResources - - cloudformation:GetTemplate - Resource: '*' - - PolicyName: param-store-access - PolicyDocument: - Statement: - Effect: Allow - Action: - - ssm:PutParameter - - ssm:GetParameter - - ssm:GetParameters - - ssm:DeleteParameter - Resource: !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/${self:custom.settings.paramStoreRoot}/*' - - PolicyName: cfn-read-access - PolicyDocument: - Statement: - Effect: Allow - Action: - - s3:GetObject - Resource: - # S3 GetObject required to be able to read CFN templates for service catalog products - # Various AWS Service Catalog APIs will fail without this (such as describeProvisioningParameters) - # AWS Service Catalog uploads the CFN templates to S3 bucket starting with "cf-templates-" - # See https://docs.aws.amazon.com/servicecatalog/latest/adminguide/portfoliomgmt-products.html for more details - # - !Sub arn:${AWS::Partition}:s3:::cf-templates-*/* (Somehow this pattern is not working.) - # TODO: Lock down S3 pattern instead of wildcard) - - '*' - - PolicyName: iam-role-access - PolicyDocument: - Statement: - - Effect: Allow - Action: - - iam:GetRole - - iam:CreateRole - - iam:TagRole - - iam:GetRolePolicy - - iam:PutRolePolicy - - iam:DeleteRolePolicy - - iam:ListRolePolicies - - iam:ListAttachedRolePolicies - - iam:UpdateAssumeRolePolicy - - iam:UpdateRoleDescription - - iam:AttachRolePolicy - - iam:DetachRolePolicy - Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${self:custom.settings.launchConstraintRolePrefix}' - - Effect: Allow - Action: - - iam:CreatePolicy - - iam:GetPolicy - - iam:GetPolicyVersion - - iam:ListPolicyVersions - - iam:DeletePolicy - - iam:DeletePolicyVersion - Resource: - - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${self:custom.settings.launchConstraintPolicyPrefix}' + - !Ref PolicyEnvMgmt + PermissionsBoundary: !Ref PolicyEnvMgmt + PolicyEnvMgmt: + Type: AWS::IAM::ManagedPolicy + Properties: + Description: Permission boundary for EnvMgmt role + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - iam:GetRole + - iam:TagRole + - iam:GetRolePolicy + - iam:ListRolePolicies + - iam:ListAttachedRolePolicies + - iam:UpdateRoleDescription + Resource: + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:role/${self:custom.settings.launchConstraintRolePrefix}LaunchConstraint' + - Effect: Allow + Action: + - iam:GetPolicy + - iam:GetPolicyVersion + - iam:ListPolicyVersions + Resource: + - !Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${self:custom.settings.launchConstraintPolicyPrefix}' + - Effect: Allow + Action: + - servicecatalog:* + Resource: '*' + - Effect: Allow + Action: + - s3:GetObject + Resource: + - 'arn:aws:s3:::cf-templates-*/*' # ============================================================================================= # Step Functions # ============================================================================================= diff --git a/main/solution/post-deployment/config/infra/cloudformation.yml b/main/solution/post-deployment/config/infra/cloudformation.yml index 3c44f52e01..1c4e1b1d24 100644 --- a/main/solution/post-deployment/config/infra/cloudformation.yml +++ b/main/solution/post-deployment/config/infra/cloudformation.yml @@ -213,40 +213,166 @@ Resources: Service: - servicecatalog.amazonaws.com Action: sts:AssumeRole - ManagedPolicyArns: - # The deployer role needs permissions to deploy CFN stacks and all actions those stacks are performing - # The permissions required by stacks are very fluid and dependent on which resources are declared in those - # stacks - - arn:aws:iam::aws:policy/PowerUserAccess Policies: - - PolicyName: ServiceCatalogProductLaunchPermissions + - PolicyName: CommonSCProductLaunchPermissions PolicyDocument: Version: '2012-10-17' Statement: - - Action: - - iam:AttachRolePolicy - - iam:CreateRole - - iam:DeleteRole - - iam:DeleteRolePolicy - - iam:DetachRolePolicy + - Effect: Allow + Action: - iam:GetRole - iam:GetRolePolicy + - iam:*TagRole* - iam:PassRole + - iam:DeleteRole + Resource: + - 'arn:aws:iam::*:role/analysis-*' + - 'arn:aws:iam::*:role/SC-*-ServiceRole-*' + - 'arn:aws:iam::*:role/*-sagemaker-notebook-role' + - Effect: Allow + Action: - iam:PutRolePolicy - - iam:*TagRole* + - iam:DeleteRolePolicy + - iam:DetachRolePolicy + - iam:AttachRolePolicy + - iam:CreateRole + Resource: + - 'arn:aws:iam::*:role/analysis-*' + - 'arn:aws:iam::*:role/SC-*-ServiceRole-*' + - 'arn:aws:iam::*:role/*-sagemaker-notebook-role' + - Effect: Allow + Action: + - iam:AddRoleToInstanceProfile + - iam:CreateInstanceProfile + - iam:GetInstanceProfile + - iam:DeleteInstanceProfile + - iam:RemoveRoleFromInstanceProfile + Resource: + - 'arn:aws:iam::*:instance-profile/analysis-*' + - 'arn:aws:iam::*:instance-profile/SC-*-InstanceProfile-*' + - Effect: Allow + Action: + - iam:GetPolicy + - iam:CreatePolicy + - iam:ListPolicyVersions + - iam:DeletePolicy + Resource: 'arn:aws:iam::*:policy/*-permission-boundary' + - Effect: Allow + Action: + - cloudformation:CreateStack + - cloudformation:DescribeStacks + - cloudformation:DescribeStackEvents + - cloudformation:DeleteStack + Resource: 'arn:aws:cloudformation:*:*:stack/SC-*/*' + - Effect: Allow # Used for SC update product + Action: + - cloudformation:GetTemplateSummary Resource: '*' - Effect: Allow - - PolicyName: iam-instance-profile-access + - Effect: Allow # Used for SC update product + Action: + - s3:GetObject + Resource: 'arn:aws:s3:::sc-*' + - Effect: Allow + Action: + - ec2:AuthorizeSecurityGroupIngress + - ec2:RevokeSecurityGroupEgress + - ec2:CreateSecurityGroup + - ec2:DeleteSecurityGroup + - ec2:CreateTags + - ec2:DescribeTags + - ec2:DescribeKeyPairs + - ec2:DescribeSecurityGroups + - ec2:DescribeSubnets + - ec2:DescribeVpcs + Resource: '*' # EMR slave node security group has a machine generated ID and no tags, can not specify resource or add condition here + - Effect: Allow + Action: + - kms:CreateGrant + Resource: '*' # Customer can choose to manually create the KMS key used here, can not specify resource + - PolicyName: EMRLaunchPermissions PolicyDocument: Statement: - Effect: Allow - Action: - - iam:AddRoleToInstanceProfile - - iam:CreateInstanceProfile - - iam:GetInstanceProfile - - iam:DeleteInstanceProfile - - iam:RemoveRoleFromInstanceProfile - Resource: '*' + - Effect: Allow + Action: + - s3:CreateBucket + - s3:PutBucketPublicAccessBlock + - s3:PutBucketTagging + Resource: 'arn:aws:s3:::sc-*-logbucket-*' + - Effect: Allow + Action: + - elasticmapreduce:CreateSecurityConfiguration + - elasticmapreduce:RunJobFlow + - elasticmapreduce:TerminateJobFlows + - elasticmapreduce:DeleteSecurityConfiguration + Resource: '*' # The above actions do not support specifying resources or resource tag + - Effect: Allow + Action: + - elasticmapreduce:DescribeCluster + Resource: '*' + Condition: + StringLike: + aws:ResourceTag/name: 'analysis-*-emr' + - Effect: Allow + Action: + - iam:CreateServiceLinkedRole + - iam:PutRolePolicy + - iam:UpdateRoleDescription + - iam:DeleteServiceLinkedRole + - iam:GetServiceLinkedRoleDeletionStatus + Resource: arn:aws:iam::*:role/aws-service-role/elasticmapreduce.amazonaws.com*/AWSServiceRoleForEMRCleanup* + Condition: + StringLike: + iam:AWSServiceName: + - elasticmapreduce.amazonaws.com + - elasticmapreduce.amazonaws.com.cn + - PolicyName: SageMakerLaunchPermissions + PolicyDocument: + Statement: + - Effect: Allow + Action: + - sagemaker:DescribeNotebookInstanceLifecycleConfig + - sagemaker:CreateNotebookInstanceLifecycleConfig + - sagemaker:DeleteNotebookInstanceLifecycleConfig + Resource: 'arn:aws:sagemaker:*:*:notebook-instance-lifecycle-config/basicnotebookinstancelifecycleconfig-*' + - Effect: Allow + Action: + - sagemaker:DescribeNotebookInstance + - sagemaker:CreateNotebookInstance + - sagemaker:StopNotebookInstance + - sagemaker:StopNotebookInstance + - sagemaker:DeleteNotebookInstance + Resource: 'arn:aws:sagemaker:*:*:notebook-instance/basicnotebookinstance-*' + - Effect: Allow + Action: + - ec2:DescribeNetworkInterfaces + - ec2:CreateNetworkInterface + - ec2:DeleteNetworkInterface + Resource: '*' # Network interfaces created here have a machine generated name and do not have any tags + - PolicyName: EC2LaunchPermissions + PolicyDocument: + Statement: + - Effect: Allow + Action: + - kms:GenerateDataKeyWithoutPlaintext + Resource: '*' + - Effect: Allow + Action: + - ec2:TerminateInstances + Resource: 'arn:aws:ec2:*:*:instance/*' + - Effect: Allow + Action: + - ec2:RunInstances # RunInstances involves 6 different resource types, it's hard to narrow it down + - ec2:DescribeInstances # DescribeInstances does not support specifying resources + Resource: '*' + - Effect: Allow + Action: + - ec2:AuthorizeSecurityGroupEgress + - ec2:RevokeSecurityGroupEgress + Resource: '*' + Condition: + StringLike: + ec2:ResourceTag/name: 'analysis-*-sg' + # ============================================================================================= # Dynamo db # =============================================================================================