Assign least-privilege IAM policies to pipeline
1 parent 45bf540, commit f19c9ab
Showing 19 changed files with 1,102 additions and 57 deletions.
@@ -0,0 +1,78 @@ | ||
# IAM Execution Policies | ||
|
||
It's a bad idea to give AdministratorAccess to the CDK execution role, even with a permissions boundary in place. | ||
Instead, we have custom policies authorizing all actions needed to deploy the stacks: | ||
|
||
- `execution_policy_basics.json` Basic permissions for CDK deployments, including Lambda creation and execution | ||
- `execution_policy_cloudfront.json` Permissions for creating a site Distribution with associated behaviors, cache | ||
policies and origin forwarding policies | ||
- `execution_policy_cognito.json` Permissions required for Cognito userpools, clients and domains | ||
- `execution_policy_edgelambda.json` Permissions to create a Cloudfront Lambda@Edge function (in us-east-1) | ||
- `execution_policy_route53.json` Permissions required for Route53 records and ACM certificates | ||
- `execution_policy_vpc.json` Permissions for deploying, updating and destroying a load-balanced, Fargate-managed | ||
container | ||
- `execution_policy_pipeline.json` Permissions for deploying the pipelines, which then orchestrate all other stacks | ||
|
||
## Commands: | ||
|
||
### Upload IAM policies to your AWS environment | ||
|
||
```shell | ||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-basics \ | ||
--policy-document file://permissions/execution_policy_basics.json | ||
--description "Baseline permissions for cloudformation deployments" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-pipeline \ | ||
--policy-document file://permissions/execution_policy_pipeline.json | ||
--description "Permissions to deploy a codepipeline and codebuild projects" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-cloudfront \ | ||
--policy-document file://permissions/execution_policy_cloudfront.json | ||
--description "Permissions to deploy cloudfront resources, except for lambda@edge functions" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-cognito \ | ||
--policy-document file://permissions/execution_policy_cognito.json | ||
--description "Permissions to deploy cognito userpools and related resources" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-edgelambda \ | ||
--policy-document file://permissions/execution_policy_edgelambda.json | ||
--description "Permissions to deploy lambda@edge functions for a cloudfront distribution" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-route53 \ | ||
--policy-document file://permissions/execution_policy_route53.json | ||
--description "Permissions to deploy domain records and ACM certificates" | ||
|
||
aws iam create-policy \ | ||
--policy-name cdk-execution-policy-vpc \ | ||
--policy-document file://permissions/execution_policy_vpc.json | ||
--description "Permissions to deploy VPC, EC2 and ECS resources for a Fargate-managed container app" | ||
``` | ||
|
||
### Bootstrap CDK using the uploaded execution policies | ||
|
||
If your primary region is NOT `us-east-1`, then you need to bootstrap that region as well, because | ||
CloudFront mandates some resources are deployed to `us-east-1`. | ||
|
||
```shell | ||
# Bootstrap primary region | ||
npx cdk bootstrap aws://{account}/{region} \ | ||
--cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-cloudfront,arn:aws:iam::{account}:policy/cdk-execution-policy-cognito,arn:aws:iam::{account}:policy/cdk-execution-policy-pipeline,arn:aws:iam::{account}:policy/cdk-execution-policy-route53,arn:aws:iam::{account}:policy/cdk-execution-policy-vpc" | ||
|
||
# Bootstrap us-east-1 for cloudfront | ||
npx cdk bootstrap aws://{account}/us-east-1 \ | ||
--cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-edgelambda" | ||
``` | ||
|
||
If you ARE deploying your stage to us-east-1, then you only need one bootstrap command: | ||
|
||
```shell | ||
# Bootstrap us-east-1 | ||
npx cdk bootstrap aws://{account}/us-east-1 \ | ||
--cloudformation-execution-policies "arn:aws:iam::{account}:policy/cdk-execution-policy-basics,arn:aws:iam::{account}:policy/cdk-execution-policy-cloudfront,arn:aws:iam::{account}:policy/cdk-execution-policy-cognito,arn:aws:iam::{account}:policy/cdk-execution-policy-edgelambda,arn:aws:iam::{account}:policy/cdk-execution-policy-pipeline,arn:aws:iam::{account}:policy/cdk-execution-policy-route53,arn:aws:iam::{account}:policy/cdk-execution-policy-vpc" | ||
``` |
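Review bot: every `aws iam create-policy` invocation in the first shell block is missing the line-continuation backslash after its `--policy-document file://...` line, so the following `--description "..."` line is parsed as a separate command rather than as an argument. As written, each policy is created without a description and the shell then fails with a command-not-found error on `--description`; add `\` to the end of each `--policy-document` line, e.g. `--policy-document file://permissions/execution_policy_basics.json \`. It would also help readers to state once, before the bootstrap commands, that `{account}` and `{region}` are placeholders to substitute.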
@@ -0,0 +1,69 @@ | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [ | ||
{ | ||
"Sid": "IAMRole", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"iam:Get*", | ||
"iam:List*", | ||
"iam:CreateRole", | ||
"iam:DeleteRole", | ||
"iam:TagRole", | ||
"iam:AttachRolePolicy", | ||
"iam:DeleteRolePolicy", | ||
"iam:DetachRolePolicy", | ||
"iam:PutRolePolicy" | ||
], | ||
"Resource": "arn:aws:iam::*:role/*spylogic*" | ||
}, | ||
{ | ||
"Sid": "IAMPassRole", | ||
"Effect": "Allow", | ||
"Action": "iam:PassRole", | ||
"Resource": ["arn:aws:iam::*:role/*spylogic*"] | ||
}, | ||
{ | ||
"Sid": "S3Read", | ||
"Effect": "Allow", | ||
"Action": "s3:GetObject", | ||
"Resource": "*" | ||
}, | ||
{ | ||
"Sid": "S3Write", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"s3:CreateBucket", | ||
"s3:DeleteBucket", | ||
"s3:PutObject", | ||
"s3:DeleteObject", | ||
"s3:PutBucketPolicy", | ||
"s3:DeleteBucketPolicy", | ||
"s3:PutBucketTagging" | ||
], | ||
"Resource": "arn:aws:s3:::*spylogic*" | ||
}, | ||
{ | ||
"Sid": "SSMRead", | ||
"Effect": "Allow", | ||
"Action": "ssm:GetParameters", | ||
"Resource": "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*/version" | ||
}, | ||
{ | ||
"Sid": "Lambdas", | ||
"Effect": "Allow", | ||
"Action": [ | ||
"lambda:Get*", | ||
"lambda:List*", | ||
"lambda:CreateFunction", | ||
"lambda:UpdateFunctionCode", | ||
"lambda:UpdateFunctionConfiguration", | ||
"lambda:DeleteFunction", | ||
"lambda:InvokeFunction", | ||
"lambda:TagResource", | ||
"lambda:UntagResource" | ||
], | ||
"Resource": "arn:aws:lambda:*:*:function:*spylogic*" | ||
} | ||
] | ||
} |
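Review bot: the `S3Read` statement grants `s3:GetObject` on `"Resource": "*"`, which lets the execution role read any object the account can reach, while the neighbouring `S3Write` statement is correctly scoped to `arn:aws:s3:::*spylogic*`. If the broad read exists only so CloudFormation can fetch assets from the CDK bootstrap bucket, scope it to that bucket's ARN plus the `*spylogic*` pattern instead of `*`. Two smaller points: `IAMPassRole` carries no `iam:PassedToService` condition, so a matching role can be passed to any AWS service rather than only to the services the stacks actually use; and `iam:List*` actions that do not support resource-level permissions (`iam:ListRoles`, for example) will be denied under `role/*spylogic*`, so if a deployment needs them they require a separate statement with `"Resource": "*"`.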