ci: Deny all IMDSv1 to instances (aws#4358)
engedaam authored Aug 1, 2023
1 parent e08a862 commit 76fea98
Showing 1 changed file with 21 additions and 38 deletions.
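--- a/test/cloudformation/iam_cloudformation.yaml
+++ b/test/cloudformation/iam_cloudformation.yaml
@@ -288,9 +288,6 @@ Resources:
 - ec2:DescribeVpcs
 # Image Permissions
 - ec2:DescribeImages
-Resource: "*"
-- Effect: Allow
-Action:
 # Tag Permissions
 - ec2:CreateTags
 - ec2:DeleteTags
@@ -364,12 +361,7 @@ Resources:
 - ec2:DeleteVpc
 - ec2:DescribeVpcAttribute
 - ec2:ModifyVpcAttribute
-Resource: "*"
-- Effect: Allow
-Action: ec2:RunInstances
-Resource: "*"
-- Effect: Allow
-Action:
+- ec2:RunInstances
 # Read-Only Permissions to pull ECR images needed by the NodeInstanceRole
 - ecr:GetAuthorizationToken
 - ecr:BatchCheckLayerAvailability
@@ -383,15 +375,9 @@ Resources:
 - ecr:GetLifecyclePolicyPreview
 - ecr:ListTagsForResource
 - ecr:DescribeImageScanFindings
-Resource: "*"
-- Effect: Allow
-Action:
 # EKS ServiceRole permissions needed for AutoScalingGroups
 - autoscaling:DescribeAutoScalingGroups
 - autoscaling:UpdateAutoScalingGroup
-Resource: "*"
-- Effect: Allow
-Action:
 # EKS ServiceRole permissions needed to handle LoadBalancer
 - elasticloadbalancing:AddTags
 - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
@@ -424,15 +410,9 @@ Resources:
 - elasticloadbalancing:RegisterTargets
 - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
 - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
-Resource: "*"
-- Effect: Allow
-Action:
 - kms:CreateGrant
 - kms:GenerateDataKeyWithoutPlaintext
 - kms:DescribeKey
-Resource: "*"
-- Effect: Allow
-Action:
 # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole
 - ssm:DescribeAssociation
 - ssm:GetDeployablePatchSnapshotForInstance
@@ -449,53 +429,56 @@ Resources:
 - ssm:UpdateAssociationStatus
 - ssm:UpdateInstanceAssociationStatus
 - ssm:UpdateInstanceInformation
-Resource: "*"
-- Effect: Allow
-Action:
 # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole
 - ssmmessages:CreateControlChannel
 - ssmmessages:CreateDataChannel
 - ssmmessages:OpenControlChannel
 - ssmmessages:OpenDataChannel
-Resource: "*"
-- Effect: Allow
-Action:
 # SSM Permissions for AmazonSSMManagedInstanceCore policy applied to the NodeInstanceRole
 - ec2messages:AcknowledgeMessage
 - ec2messages:DeleteMessage
 - ec2messages:FailMessage
 - ec2messages:GetEndpoint
 - ec2messages:GetMessages
 - ec2messages:SendReply
-Resource: "*"
-- Effect: Allow
-Action:
 - sqs:DeleteMessage
 - sqs:GetQueueAttributes
 - sqs:GetQueueUrl
 - sqs:SendMessage
 - sqs:ReceiveMessage
+- pricing:GetProducts
+- ec2:DescribeSpotPriceHistory
+- eks:DescribeCluster
 Resource: "*"
 - Effect: Allow
 Action: iam:PassRole
 Resource:
 - !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-*"
 - !GetAtt FISInterruptionRole.Arn
-- Effect: Allow
-Action:
-- pricing:GetProducts
-- ec2:DescribeSpotPriceHistory
-Resource: "*"
-- Effect: Allow
-Action: eks:DescribeCluster
-Resource: "*"
 - Effect: Allow
 Action:
 - aps:RemoteWrite
 - aps:GetSeries
 - aps:GetLabels
 - aps:GetMetricMetadata
 Resource: !Sub "arn:${AWS::Partition}:aps:${AWS::Region}:${AWS::AccountId}:workspace/${PrometheusWorkspaceID}"
+# Deny ALL IMDSv1 instance launch
+- Effect: Deny
+Action:
+- ec2:RunInstances
+Resource: "*"
+Condition:
+StringNotEquals:
+ec2:MetadataHttpTokens: required
+- Effect: Deny
+Action:
+- ec2:ModifyInstanceMetadataOptions
+Resource: "*"
+Condition:
+StringEquals:
+ec2:Attribute: HttpTokens
+StringNotEquals:
+ec2:Attribute/HttpTokens: required
 GithubActionsRole:
 Type: AWS::IAM::Role
 Properties: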
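Review bot: The new `ec2:RunInstances` Deny at the end of the last hunk only constrains the direct RunInstances path, so if this role launches capacity through `ec2:CreateFleet` with a launch template (the role is granted RunInstances but this section does not show how it is used), confirm that `ec2:MetadataHttpTokens` is evaluated from the template's metadata options in that path; if it is not, the guard is bypassed without any change to this file. Requiring a token also says nothing about the hop limit: an instance launched with `HttpPutResponseHopLimit: 2` still hands the node role's IMDSv2 credentials to pods on the node, so if that is the exposure being closed, a second condition in the same StringNotEquals block — `ec2:MetadataHttpPutResponseHopLimit: "1"` — is worth adding, assuming that key is supported for RunInstances in this account's partition. The `ec2:ModifyInstanceMetadataOptions` Deny follows AWS's documented `ec2:Attribute` / `ec2:Attribute/HttpTokens` pair, but it fires only when a request explicitly sets HttpTokens; a comment above it, `# Only blocks requests that set HttpTokens to anything but required; other metadata-option changes still pass`, would spare the next reader from re-deriving that. The policy document these statements belong to begins above the first hunk.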
