63 changes: 55 additions & 8 deletions platform-cloud/docs/compute-envs/aws-cloud.md
Expand Up @@ -83,11 +83,21 @@ The following permissions are required to provision resources in the AWS account
"iam:CreateInstanceProfile",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole",
"iam:TagRole",
"iam:TagInstanceProfile"
],
"Resource": "*"
"Resource": [
"arn:aws:iam::*:role/TowerForge-*",
"arn:aws:iam::*:instance-profile/TowerForge-*"
]
},
{
"Sid": "AwsCloudCreatePassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/TowerForge-*"
}
]
}
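Review bot: the new `AwsCloudCreatePassRole` statement scopes `iam:PassRole` to `arn:aws:iam::*:role/TowerForge-*` but carries no `iam:PassedToService` condition, so the role can be passed to any service that accepts it rather than only EC2; consider adding `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`. Worth a sentence in the surrounding text as well: restricting `iam:AttachRolePolicy` and `iam:PutRolePolicy` to `TowerForge-*` roles limits which roles this principal may modify, not which policies it may attach to them, so an `iam:PolicyARN` condition on `iam:AttachRolePolicy` or a permissions boundary on the created roles is the usual way to cap what those roles can end up with.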
Expand Down Expand Up @@ -124,15 +134,49 @@ The following permissions are required to launch pipelines, run Studio sessions,
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AwsCloudLaunch",
"Sid": "AwsCloudLaunchEC2",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:DeleteTags",
"logs:GetLogEvents",
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:image/*"
Comment on lines +145 to +151
Is this really any different than using *? Actions are anyhow not applicable to all resource types, so defining individual resource types still with a star permission doesn't seem to change the scope of the actual permissions much.

For example, with the current config I can't use ec2:RunInstances on a Kinesis stream, because the action already carries the scope of what resource type it can be taken against.

On the other hand, I get that this might have a placebo effect: if someone reads it through without giving it much thought, it seems more scoped.

Can this be addressed in a separate PR? Or is it a blocker to merging this PR?

]
},
{
"Sid": "AwsCloudLaunchInstances",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
Did you test this? AWS Docs say that using the ec2:ResourceTag/Name condition key is not supported for action ec2:DescribeInstances. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions.

@kenibrewer, following up on this so we can merge this PR. :)

"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "TowerForge-*"
}
}
},
{
"Sid": "AwsCloudLaunchLogs",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:*:log-stream:*"
},
{
"Sid": "AwsCloudLaunchS3",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
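Review bot: `ec2:DescribeInstances` should not sit in the `AwsCloudLaunchInstances` statement: EC2 `Describe*` actions do not support resource-level permissions or the `ec2:ResourceTag/Name` condition key (as the inline comment above notes), so the `StringLike` condition never matches for that action and `DescribeInstances` calls will be denied once this policy is applied. Keep `ec2:TerminateInstances` under the tag condition and move `ec2:DescribeInstances` into its own statement with `"Resource": "*"` and no condition. Separately, `AwsCloudLaunchS3` still grants `s3:GetObject` on `"*"`; if the work-directory bucket is known at this point in the docs, showing `arn:aws:s3:::<bucket>/*` as the resource would make the scoping consistent with the rest of this change.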
Expand Down Expand Up @@ -162,7 +206,10 @@ The following permissions are required to remove resources created by Seqera whe
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "*"
"Resource": [
"arn:aws:iam::*:role/TowerForge-*",
"arn:aws:iam::*:instance-profile/TowerForge-*"
]
}
]
}
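Review bot: the resource list here repeats the create statement's ARNs verbatim, which is correct, but the doc should state that the `TowerForge-*` patterns only hold if every role and instance profile Seqera creates keeps that name prefix; otherwise provisioning succeeds while the cleanup described in this section fails with AccessDenied on `iam:DetachRolePolicy` or `iam:DeleteRolePolicy`, leaving orphaned resources in the account.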