From cdd0be7c4478ecfbc1547773e2d1fd48fa456ee7 Mon Sep 17 00:00:00 2001 From: Amanuel Engeda Date: Mon, 31 Jul 2023 17:32:13 -0700 Subject: [PATCH] add deny IMDSv1 to permission boundary --- test/cloudformation/iam_cloudformation.yaml | 59 ++++++++------------- 1 file changed, 21 insertions(+), 38 deletions(-) diff --git a/test/cloudformation/iam_cloudformation.yaml b/test/cloudformation/iam_cloudformation.yaml index e82b983e59bd..cf71de1daa60 100644 --- a/test/cloudformation/iam_cloudformation.yaml +++ b/test/cloudformation/iam_cloudformation.yaml @@ -288,9 +288,6 @@ Resources: - ec2:DescribeVpcs # Image Permissions - ec2:DescribeImages - Resource: "*" - - Effect: Allow - Action: # Tag Permissions - ec2:CreateTags - ec2:DeleteTags @@ -364,12 +361,7 @@ Resources: - ec2:DeleteVpc - ec2:DescribeVpcAttribute - ec2:ModifyVpcAttribute - Resource: "*" - - Effect: Allow - Action: ec2:RunInstances - Resource: "*" - - Effect: Allow - Action: + - ec2:RunInstances # Read-Only Permissions to pull ECR images needed by the NodeInstanceRole - ecr:GetAuthorizationToken - ecr:BatchCheckLayerAvailability @@ -383,15 +375,9 @@ Resources: - ecr:GetLifecyclePolicyPreview - ecr:ListTagsForResource - ecr:DescribeImageScanFindings - Resource: "*" - - Effect: Allow - Action: # EKS ServiceRole permissions needed for AutoScalingGroups - autoscaling:DescribeAutoScalingGroups - autoscaling:UpdateAutoScalingGroup - Resource: "*" - - Effect: Allow - Action: # EKS ServiceRole permissions needed to handle LoadBalancer - elasticloadbalancing:AddTags - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer 
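Review bot: In the `@@ -364` hunk the added `- ec2:RunInstances` line sits between the VPC actions and the `# Read-Only Permissions to pull ECR images` comment with no heading of its own, so a reader scanning the comments of the merged Allow statement would file the launch permission under ECR; the same applies in the `@@ -467` hunk, where `pricing:GetProducts`, `ec2:DescribeSpotPriceHistory` and `eks:DescribeCluster` are appended after the sqs actions without a heading. Every other group in this statement carries a purpose comment, so I would add `# Instance Launch Permissions` above `- ec2:RunInstances` and `# Pricing and Cluster Lookup Permissions` above `- pricing:GetProducts`. The Allow statement these actions are merged into begins above the first hunk, so its `Effect`/`Action` header is outside this view.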
@@ -424,15 +410,9 @@ Resources: - elasticloadbalancing:RegisterTargets - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer - elasticloadbalancing:SetLoadBalancerPoliciesOfListener - Resource: "*" - - Effect: Allow - Action: - kms:CreateGrant - kms:GenerateDataKeyWithoutPlaintext - kms:DescribeKey - Resource: "*" - - Effect: Allow - Action: # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole - ssm:DescribeAssociation - ssm:GetDeployablePatchSnapshotForInstance @@ -449,17 +429,11 @@ Resources: - ssm:UpdateAssociationStatus - ssm:UpdateInstanceAssociationStatus - ssm:UpdateInstanceInformation - Resource: "*" - - Effect: Allow - Action: # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - Resource: "*" - - Effect: Allow - Action: # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole - ec2messages:AcknowledgeMessage - ec2messages:DeleteMessage @@ -467,28 +441,20 @@ Resources: - ec2messages:GetEndpoint - ec2messages:GetMessages - ec2messages:SendReply - Resource: "*" - - Effect: Allow - Action: - sqs:DeleteMessage - sqs:GetQueueAttributes - sqs:GetQueueUrl - sqs:SendMessage - sqs:ReceiveMessage + - pricing:GetProducts + - ec2:DescribeSpotPriceHistory + - eks:DescribeCluster Resource: "*" - Effect: Allow Action: iam:PassRole Resource: - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-*" - !GetAtt FISInterruptionRole.Arn - - Effect: Allow - Action: - - pricing:GetProducts - - ec2:DescribeSpotPriceHistory - Resource: "*" - - Effect: Allow - Action: eks:DescribeCluster - Resource: "*" - Effect: Allow Action: - aps:RemoteWrite 
@@ -496,6 +462,23 @@ Resources: - aps:GetLabels - aps:GetMetricMetadata Resource: !Sub "arn:${AWS::Partition}:aps:${AWS::Region}:${AWS::AccountId}:workspace/${PrometheusWorkspaceID}" + # Deny ALL IMDSv1 instance launch + - Effect: Deny + Action: + - ec2:RunInstances + Resource: "*" + Condition: + StringNotEquals: + ec2:MetadataHttpTokens: required + - Effect: Deny + Action: + - ec2:ModifyInstanceMetadataOptions + Resource: "*" + Condition: + StringEquals: + ec2:Attribute: HttpTokens + StringNotEquals: + ec2:Attribute/HttpTokens: required GithubActionsRole: Type: AWS::IAM::Role Properties:
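Review bot: The first Deny statement checks `ec2:MetadataHttpTokens` under `Resource: "*"`, but RunInstances is authorized against several resource types (image, subnet, security group, volume, …) and, as far as I know, that key is only populated for the `instance` resource; since `StringNotEquals` evaluates true when the key is absent from the request context, this Deny would match every launch regardless of its metadata options rather than only IMDSv1 ones. Scoping the statement to the instance ARN, the way the `iam:PassRole` statement above scopes its role, `Resource: !Sub "arn:${AWS::Partition}:ec2:*:*:instance/*"`, keeps the condition on the resource that carries the key; please confirm with a launch that sets `HttpTokens: required` before relying on it. The second Deny on `ec2:ModifyInstanceMetadataOptions` is scoped by `ec2:Attribute` and reads correctly as written. A `Sid` on each Deny (for example `Sid: DenyIMDSv1Launch`) would make the intent self-describing without the leading comment.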