From e764a5b0884ced89e880299dc48ec7b3941cf790 Mon Sep 17 00:00:00 2001
From: Ken Brewer
Date: Thu, 18 Sep 2025 14:50:23 -0700
Subject: [PATCH 1/5] =?UTF-8?q?=F0=9F=94=92=20improve=20AWS=20Cloud=20IAM?=
 =?UTF-8?q?=20policy=20security=20by=20restricting=20resource=20scopes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Scope IAM roles and instance profiles to TowerForge* prefix
- Add resource-level restrictions for EC2 operations
- Split launch policy into granular statements with conditions
- Restrict instance operations to TowerForge-* tagged resources
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 63 ++++++++++++++++---
 1 file changed, 55 insertions(+), 8 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 65a80a5a9..478a357e2 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -70,11 +70,21 @@ The following permissions are required to provision resources in the AWS account
 "iam:CreateInstanceProfile",
 "iam:AttachRolePolicy",
 "iam:PutRolePolicy",
- "iam:PassRole",
 "iam:TagRole",
 "iam:TagInstanceProfile"
 ],
- "Resource": "*"
+ "Resource": [
+ "arn:aws:iam::*:role/TowerForge*",
+ "arn:aws:iam::*:instance-profile/TowerForge*"
+ ]
+ },
+ {
+ "Sid": "AwsCloudCreatePassRole",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/TowerForge*"
 }
 ]
 }
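Review bot: The new AwsCloudCreatePassRole statement scopes iam:PassRole to `role/TowerForge*` but puts no limit on which service the role may be passed to, and the statement above it still grants iam:AttachRolePolicy and iam:PutRolePolicy on the same roles with no iam:PolicyARN or iam:PermissionsBoundary condition. Taken together, a holder of this credential can attach an arbitrary managed policy (including AdministratorAccess) to a TowerForge role and pass it to an instance it launches with the launch policy, so the prefix scoping does not by itself prevent privilege escalation — this is inferred from the visible actions, since iam:CreateRole sits above the hunk. At minimum the PassRole statement should carry `"Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } }`, and the doc should state that AttachRolePolicy/PutRolePolicy are expected to be further restricted (for example with an `iam:PolicyARN` allow-list or a mandatory permissions boundary) in accounts where this credential is not fully trusted. The enclosing policy document starts above the hunk.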
@@ -111,15 +121,49 @@ The following permissions are required to launch pipelines, run Studio sessions,
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "AwsCloudLaunch",
+ "Sid": "AwsCloudLaunchEC2",
 "Effect": "Allow",
 "Action": [
 "ec2:RunInstances",
- "ec2:DescribeInstances",
 "ec2:CreateTags",
- "ec2:TerminateInstances",
- "ec2:DeleteTags",
- "logs:GetLogEvents",
+ "ec2:DeleteTags"
 ],
+ "Resource": [
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:subnet/*",
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*:*:image/*"
+ ]
+ },
+ {
+ "Sid": "AwsCloudLaunchInstances",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/Name": "TowerForge-*"
+ }
+ }
+ },
+ {
+ "Sid": "AwsCloudLaunchLogs",
+ "Effect": "Allow",
+ "Action": [
+ "logs:GetLogEvents"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:*:log-stream:*"
+ },
+ {
+ "Sid": "AwsCloudLaunchS3",
+ "Effect": "Allow",
+ "Action": [
 "s3:GetObject"
 ],
 "Resource": "*"
@@ -149,7 +193,10 @@ The following permissions are required to remove resources created by Seqera whe
 "iam:DetachRolePolicy",
 "iam:DeleteRolePolicy"
 ],
- "Resource": "*"
+ "Resource": [
+ "arn:aws:iam::*:role/TowerForge*",
+ "arn:aws:iam::*:instance-profile/TowerForge*"
+ ]
 }
 ]
 }
From 1e71015ad08e3a474c8cdc005beee994a628aa45 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Thu, 27 Nov 2025 19:19:52 +0200
Subject: [PATCH 2/5] Update aws-cloud.md
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 34926cc8d..07bd2fbcf 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
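Review bot: The AwsCloudLaunchInstances statement puts `ec2:DescribeInstances` under an `ec2:ResourceTag/Name` condition, but DescribeInstances does not support resource-level permissions or resource-tag condition keys, so the key is absent from the request context, the StringLike never matches, and the describe call is implicitly denied — users who paste this policy will find the launch flow cannot see its own instances. Separately, AwsCloudLaunchEC2 grants `ec2:CreateTags` on every instance, volume and network interface with no condition, so the credential can retag any instance in the account with `Name=TowerForge-...` and then terminate it through AwsCloudLaunchInstances; the tag-scoped terminate is only as strong as the restriction on who may write that tag (`Name` is also a user-settable tag, so a dedicated tag key would be the stronger choice if Platform can set one). DescribeInstances should move to its own unconditioned `Resource: "*"` statement, CreateTags should be limited to the RunInstances call with `ec2:CreateAction`, and DeleteTags should join TerminateInstances under the tag condition. The statement list continues into the AwsCloudLaunchS3 statement at the end of the hunk, whose `"Resource": "*"` for s3:GetObject is unchanged context and worth a follow-up of its own.

```json
{
  "Sid": "AwsCloudLaunchDescribe",
  "Effect": "Allow",
  "Action": ["ec2:DescribeInstances"],
  "Resource": "*"
},
{
  "Sid": "AwsCloudLaunchTagOnCreate",
  "Effect": "Allow",
  "Action": ["ec2:CreateTags"],
  "Resource": "arn:aws:ec2:*:*:*/*",
  "Condition": { "StringEquals": { "ec2:CreateAction": "RunInstances" } }
},
{
  "Sid": "AwsCloudLaunchInstances",
  "Effect": "Allow",
  "Action": ["ec2:TerminateInstances", "ec2:DeleteTags"],
  "Resource": "arn:aws:ec2:*:*:instance/*",
  "Condition": { "StringLike": { "ec2:ResourceTag/Name": "TowerForge-*" } }
}
```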
@@ -62,7 +62,7 @@ The following regions are currently supported:
 ### Platform credentials
-To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform.
+To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform. If you use `TOWER_FORGE_PREFIX` you can customize the policy with find and replace.
 ### Required permissions
From 40bbee4dfc8194f2988193f3019e6d59933e80d9 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Fri, 23 Jan 2026 17:21:52 +0200
Subject: [PATCH 3/5] Update platform-cloud/docs/compute-envs/aws-cloud.md
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com>
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 07bd2fbcf..ee2096c22 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -87,8 +87,8 @@ The following permissions are required to provision resources in the AWS account
 "iam:TagInstanceProfile"
 ],
 "Resource": [
- "arn:aws:iam::*:role/TowerForge*",
- "arn:aws:iam::*:instance-profile/TowerForge*"
+ "arn:aws:iam::*:role/TowerForge-*",
+ "arn:aws:iam::*:instance-profile/TowerForge-*"
 ]
 },
 {
@@ -97,7 +97,7 @@ The following permissions are required to provision resources in the AWS account
 "Action": [
 "iam:PassRole"
 ],
- "Resource": "arn:aws:iam::*:role/TowerForge*"
+ "Resource": "arn:aws:iam::*:role/TowerForge-*"
 }
 ]
 }
From d1f43ae2d6d48a593a6e65f6d38468d6b9d103a0 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Fri, 23 Jan 2026 17:21:59 +0200
Subject: [PATCH 4/5] Update platform-cloud/docs/compute-envs/aws-cloud.md
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com>
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index ee2096c22..e0effa34a 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -207,8 +207,8 @@ The following permissions are required to remove resources created by Seqera whe
 "iam:DeleteRolePolicy"
 ],
 "Resource": [
- "arn:aws:iam::*:role/TowerForge*",
- "arn:aws:iam::*:instance-profile/TowerForge*"
+ "arn:aws:iam::*:role/TowerForge-*",
+ "arn:aws:iam::*:instance-profile/TowerForge-*"
 ]
 }
 ]
From c219b70ac3f235a99532f064b97aca63a6112ea2 Mon Sep 17 00:00:00 2001
From: Justine Geffen
Date: Fri, 23 Jan 2026 17:22:14 +0200
Subject: [PATCH 5/5] Update platform-cloud/docs/compute-envs/aws-cloud.md
Co-authored-by: Alberto Chiusole <1922124+bebosudo@users.noreply.github.com>
Signed-off-by: Justine Geffen
---
 platform-cloud/docs/compute-envs/aws-cloud.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index e0effa34a..8865a49e4 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -62,7 +62,7 @@ The following regions are currently supported:
 ### Platform credentials
-To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform. If you use `TOWER_FORGE_PREFIX` you can customize the policy with find and replace.
+To create and launch pipelines or Studio sessions with this compute environment type, you must attach Seqera credentials for the cloud provider. Some permissions are mandatory for the compute environment to be created and function correctly; others are optional and used to pre-fill options in Platform.
 ### Required permissions