[Security] * -Get rid of managed policies (breaking change)

jalawala · Jun 3, 2019 · 71c6d45 · 71c6d45
1 parent 310d01c
commit 71c6d45
Show file tree

Hide file tree

Showing 23 changed files with 377 additions and 152 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -9,10 +9,10 @@ python:
 - '2.7'
 install:
 - 'pip install yamllint==1.15.0'
-- 'pip install awscli==1.16.104'
-- 'pip install cfn-lint==0.14.0'
+- 'pip install awscli==1.16.167'
+- 'pip install cfn-lint==0.21.3'
 script:
 - 'yamllint .'
-- 'cfn-lint -i E2520 E3002 W2001 W6001 -t ''**/*.yaml''' # TODO get rid of check ignores
+- 'cfn-lint -i E3002 W2001 W6001 -t ''**/*.yaml''' # TODO get rid of check ignores
 - 'find . -type f -name ''*.yaml'' | while read file; do set -ex && grep -q "LICENSE-2.0" "$file"; done;'
 - 'if [ "$TRAVIS_PULL_REQUEST" = "false" ]; then find . -type f -name ''*.yaml'' | while read file; do set -ex && aws s3 cp "$file" "s3://travis-aws-cf-templates/$TRAVIS_COMMIT/$file" && aws cloudformation validate-template --template-url "https://s3.amazonaws.com/travis-aws-cf-templates/$TRAVIS_COMMIT/$file" > /dev/null; done; fi'
diff --git a/docs/migrate-v10.md b/docs/migrate-v10.md
@@ -4,33 +4,19 @@
 
 # Migrate from v9 to v10
 
-> WARNING: Follow this guideline to avoid data loss!
+## *
 
-## fargate/service-cloudmap
+If you have `SystemsManagerAccess` set to `true`, we previously attached the managed policy `AmazonEC2RoleforSSM` but now only attach the following IAM permissions:
 
-* Rename parameter from `AmbassadorImage` to `ProxyImage`.
-* Rename parameter from `AmbassadorCommand` to `ProxyCommand`.
-* Rename parameter from `AmbassadorPort` to `ProxyPort`.
-* Rename parameter from `AmbassadorEnvironment1Key` to `ProxyEnvironment1Key`.
-* Rename parameter from `AmbassadorEnvironment1Value` to `ProxyEnvironment1Value`.
-* Rename parameter from `AmbassadorEnvironment2Key` to `ProxyEnvironment2Key`.
-* Rename parameter from `AmbassadorEnvironment2Value` to `ProxyEnvironment2Value`.
-* Rename parameter from `AmbassadorEnvironment3Key` to `ProxyEnvironment3Key`.
-* Rename parameter from `AmbassadorEnvironment3Value` to `ProxyEnvironment3Value`.
+* `ssmmessages:*`
+* `ssm:UpdateInstanceInformation`
+* `ec2messages:*`
 
-## fargate/service-cluster-alb
+This reducdes the permissions but is sufficient to make SSM Session Manager and Run Commands work.
 
-* Rename parameter from `AmbassadorImage` to `ProxyImage`.
-* Rename parameter from `AmbassadorCommand` to `ProxyCommand`.
-* Rename parameter from `AmbassadorPort` to `ProxyPort`.
-* Rename parameter from `AmbassadorEnvironment1Key` to `ProxyEnvironment1Key`.
-* Rename parameter from `AmbassadorEnvironment1Value` to `ProxyEnvironment1Value`.
-* Rename parameter from `AmbassadorEnvironment2Key` to `ProxyEnvironment2Key`.
-* Rename parameter from `AmbassadorEnvironment2Value` to `ProxyEnvironment2Value`.
-* Rename parameter from `AmbassadorEnvironment3Key` to `ProxyEnvironment3Key`.
-* Rename parameter from `AmbassadorEnvironment3Value` to `ProxyEnvironment3Value`.
+To restore the previous permissions (which are not following the least privilege principle), set the new parameter `ManagedPolicyArns` to `arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM`.
 
-## fargate/service-dedicated-alb
+## fargate/service-*
 
 * Rename parameter from `AmbassadorImage` to `ProxyImage`.
 * Rename parameter from `AmbassadorCommand` to `ProxyCommand`.
@@ -41,3 +27,9 @@
 * Rename parameter from `AmbassadorEnvironment2Value` to `ProxyEnvironment2Value`.
 * Rename parameter from `AmbassadorEnvironment3Key` to `ProxyEnvironment3Key`.
 * Rename parameter from `AmbassadorEnvironment3Value` to `ProxyEnvironment3Value`.
+
+## Deprecation warnings
+
+* `ecs/cluster`: The parameter `DesiredCapacity` will be removed in v11 (not needed anymore)
+* `jenkins/jenkins2-ha-agents`: The parameter `AgentDesiredCapacity` will be removed in v11 (not needed anymore)
+* `state/rds-aurora-serverless`: The parameter `Engine` will be removed in v11 (replaced by `EngineVersion`)
diff --git a/ec2/ec2-auto-recovery.yaml b/ec2/ec2-auto-recovery.yaml
@@ -42,6 +42,7 @@ Metadata:
       - IngressTcpPort1
       - IngressTcpPort2
       - IngressTcpPort3
+      - ManagedPolicyArns
 Parameters:
   ParentVPCStack:
     Description: 'Stack name of parent VPC stack based on vpc/vpc-*azs.yaml template.'
@@ -134,6 +135,10 @@ Parameters:
     Description: 'Optional port allowing ingress TCP traffic.'
     Type: String
     Default: ''
+  ManagedPolicyArns:
+    Description: 'Optional comma-delimited list of IAM managed policy ARNs to attach to the instance''s IAM role'
+    Type: String
+    Default: ''
 Mappings:
   RegionMap:
     'eu-north-1':
@@ -182,6 +187,7 @@ Conditions:
   HasClientSecurityGroup1: !Not [!Equals [!Ref ParentClientStack1, '']]
   HasClientSecurityGroup2: !Not [!Equals [!Ref ParentClientStack2, '']]
   HasClientSecurityGroup3: !Not [!Equals [!Ref ParentClientStack3, '']]
+  HasManagedPolicyArns: !Not [!Equals [!Ref ManagedPolicyArns, '']]
 Resources:
   RecordSet:
     Condition: HasZone
@@ -271,7 +277,6 @@ Resources:
   InstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'
     Properties:
-      Path: '/'
       Roles:
       - !Ref IAMRole
   IAMRole:
@@ -282,13 +287,23 @@ Resources:
         Statement:
         - Effect: Allow
           Principal:
-            Service:
-            - 'ec2.amazonaws.com'
-          Action:
-          - 'sts:AssumeRole'
-      Path: '/'
-      ManagedPolicyArns: !If [HasSystemsManagerAccess, ['arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'], []] # TODO get rid of managed policy
+            Service: 'ec2.amazonaws.com'
+          Action: 'sts:AssumeRole'
+      ManagedPolicyArns: !If [HasManagedPolicyArns, !Split [',', !Ref ManagedPolicyArns], !Ref 'AWS::NoValue']
       Policies:
+      - !If
+        - HasSystemsManagerAccess
+        - PolicyName: ssm
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Action:
+              - 'ssmmessages:*' # SSM Agent by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              - 'ssm:UpdateInstanceInformation' # SSM agent by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              - 'ec2messages:*' # SSM Session Manager by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              Resource: '*'
+        - !Ref 'AWS::NoValue'
       - PolicyName: logs
         PolicyDocument:
           Version: '2012-10-17'

diff --git a/ecs/cluster.yaml b/ecs/cluster.yaml
@@ -34,6 +34,7 @@ Metadata:
       - KeyName
       - IAMUserSSHAccess
       - SystemsManagerAccess
+      - ManagedPolicyArns
     - Label:
         default: 'Load Balancer Parameters'
       Parameters:
@@ -108,6 +109,10 @@ Parameters:
     AllowedValues:
     - true
     - false
+  ManagedPolicyArns:
+    Description: 'Optional comma-delimited list of IAM managed policy ARNs to attach to the instance''s IAM role'
+    Type: String
+    Default: ''
   SubnetsReach:
     Description: 'Should the cluster have direct access to the Internet or do you prefer private subnets with NAT?'
     Type: String
@@ -244,6 +249,7 @@ Conditions:
   HasClientSecurityGroup1: !Not [!Equals [!Ref ParentClientStack1, '']]
   HasClientSecurityGroup2: !Not [!Equals [!Ref ParentClientStack2, '']]
   HasClientSecurityGroup3: !Not [!Equals [!Ref ParentClientStack3, '']]
+  HasManagedPolicyArns: !Not [!Equals [!Ref ManagedPolicyArns, '']]
 Resources:
   Cluster:
     Type: 'AWS::ECS::Cluster'
@@ -255,7 +261,6 @@ Resources:
   InstanceProfile:
     Type: 'AWS::IAM::InstanceProfile'
     Properties:
-      Path: '/'
       Roles:
       - !Ref Role
   Role:
@@ -268,9 +273,21 @@ Resources:
           Principal:
             Service: 'ec2.amazonaws.com'
           Action: 'sts:AssumeRole'
-      Path: '/'
-      ManagedPolicyArns: !If [HasSystemsManagerAccess, ['arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM'], []] # TODO get rid of managed policy
+      ManagedPolicyArns: !If [HasManagedPolicyArns, !Split [',', !Ref ManagedPolicyArns], !Ref 'AWS::NoValue']
       Policies:
+      - !If
+        - HasSystemsManagerAccess
+        - PolicyName: ssm
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+            - Effect: Allow
+              Action:
+              - 'ssmmessages:*' # SSM Agent by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              - 'ssm:UpdateInstanceInformation' # SSM agent by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              - 'ec2messages:*' # SSM Session Manager by https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              Resource: '*'
+        - !Ref 'AWS::NoValue'
       - PolicyName: ecs
         PolicyDocument:
           Version: '2012-10-17'
@@ -914,11 +931,8 @@ Resources:
         Statement:
         - Effect: Allow
           Principal:
-            Service:
-            - 'autoscaling.amazonaws.com'
-          Action:
-          - 'sts:AssumeRole'
-      Path: '/'
+            Service: 'autoscaling.amazonaws.com'
+          Action: 'sts:AssumeRole'
       Policies:
       - PolicyName: sqs
         PolicyDocument:
@@ -1062,6 +1076,8 @@ Resources:
       - {'Fn::ImportValue': !Sub '${ParentAlertStack}-TopicARN'}
   # scaling based on SchedulableContainers is described in detail here: http://garbe.io/blog/2017/04/12/a-better-solution-to-ecs-autoscaling/
   SchedulableContainersCron:
+    DependsOn:
+    - SchedulableContainersLambdaPolicy
     Type: 'AWS::Events::Rule'
     Properties:
       ScheduleExpression: 'rate(1 minute)'
@@ -1096,8 +1112,6 @@ Resources:
           Principal:
             Service: 'lambda.amazonaws.com'
           Action: 'sts:AssumeRole'
-      ManagedPolicyArns: # TODO get rid of managed policy
-      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
       Policies:
       - PolicyName: ecs
         PolicyDocument:
@@ -1117,6 +1131,19 @@ Resources:
           - Effect: Allow
             Action: 'cloudwatch:PutMetricData'
             Resource: '*'
+  SchedulableContainersLambdaPolicy:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      Roles:
+      - !Ref SchedulableContainersLambdaRole
+      PolicyName: lambda
+      PolicyDocument:
+        Statement:
+        - Effect: Allow
+          Action:
+          - 'logs:CreateLogStream'
+          - 'logs:PutLogEvents'
+          Resource: !GetAtt 'SchedulableContainersLogGroup.Arn'
   SchedulableContainersLambdaPermission2:
     Type: 'AWS::Lambda::Permission'
     Properties:
@@ -1247,8 +1274,6 @@ Resources:
           Principal:
             Service: 'lambda.amazonaws.com'
           Action: 'sts:AssumeRole'
-      ManagedPolicyArns: # TODO get rid of managed policy
-      - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
       Policies:
       - PolicyName: draininstance
         PolicyDocument:
@@ -1277,7 +1302,23 @@ Resources:
             - 'autoscaling:CompleteLifecycleAction'
             - 'autoscaling:RecordLifecycleActionHeartbeat'
             Resource: !Sub 'arn:${AWS::Partition}:autoscaling:${AWS::Region}:${AWS::AccountId}:autoScalingGroup:*:autoScalingGroupName/${AutoScalingGroup}'
+  DrainInstanceLambdaPolicy:
+    Type: 'AWS::IAM::Policy'
+    Properties:
+      Roles:
+      - !Ref DrainInstanceLambdaRole
+      PolicyName: lambda
+      PolicyDocument:
+        Statement:
+        - Effect: Allow
+          Action:
+          - 'logs:CreateLogStream'
+          - 'logs:PutLogEvents'
+          Resource: !GetAtt 'DrainInstanceLogGroup.Arn'
   DrainInstanceEventSourceMapping:
+    DependsOn:
+    - DrainInstanceLambdaPolicy
+    - DrainInstanceLogGroup
     Type: 'AWS::Lambda::EventSourceMapping'
     Properties:
       BatchSize: 1

diff --git a/ecs/service-cluster-alb.yaml b/ecs/service-cluster-alb.yaml
@@ -278,7 +278,7 @@ Resources:
   ServiceRole:
     Type: 'AWS::IAM::Role'
     Properties:
-      ManagedPolicyArns: # TODO get rid of managed policy
+      ManagedPolicyArns:
       - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
       AssumeRolePolicyDocument:
         Version: '2008-10-17'
@@ -337,7 +337,6 @@ Resources:
           Principal:
             Service: 'application-autoscaling.amazonaws.com'
           Action: 'sts:AssumeRole'
-      Path: '/'
       Policies:
       - PolicyName: ecs
         PolicyDocument:

diff --git a/ecs/service-dedicated-alb.yaml b/ecs/service-dedicated-alb.yaml
@@ -350,7 +350,7 @@ Resources:
   ServiceRole:
     Type: 'AWS::IAM::Role'
     Properties:
-      ManagedPolicyArns: # TODO get rid of managed policy
+      ManagedPolicyArns:
       - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
       AssumeRolePolicyDocument:
         Version: '2008-10-17'
@@ -410,7 +410,6 @@ Resources:
           Principal:
             Service: 'application-autoscaling.amazonaws.com'
           Action: 'sts:AssumeRole'
-      Path: '/'
       Policies:
       - PolicyName: ecs
         PolicyDocument:

diff --git a/fargate/service-cloudmap.yaml b/fargate/service-cloudmap.yaml
@@ -377,9 +377,9 @@ Resources:
       DnsConfig:
         DnsRecords:
         - Type: A
-          TTL: '30'
+          TTL: 30
         - Type: SRV
-          TTL: '30'
+          TTL: 30
         NamespaceId: {'Fn::ImportValue': !Sub '${ParentCloudMapStack}-NamespaceID'}
         RoutingPolicy: MULTIVALUE
       HealthCheckCustomConfig: