Severe security vulnerability scanned by ScoutSuite on runner agent policy #368
Comments
Have you tried removing this action and seeing what happens? EDIT: Did it. Let's wait >24h and some hundred jobs and check what happens.
@kayman-mk, functionality-wise, nothing happened on our side. Let us confirm from your run.
I'd like to try it again on Monday as I updated to 4.30.0 and removed the IamPassRole. I had some trouble with the agents not being able to create the runners. Might they need this policy to pass the role to the runner (not 100% sure what this policy is good for)?
From the top of my head, the IAM PassRole is required on the agent instance to pass the role to the docker machine instances.
@npalm, I think so too. Had some problems getting the runners started without the iam:PassRole policy. Maybe we can limit this policy to the specific role passed to the docker machine runner instance?
@kayman-mk Sounds good to me to limit the PassRole as much as possible. Seems you can limit the PassRole to a specific resource, see https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html
@narenaryan As soon as the PR gets merged, could you please recheck? At least AWS Config is not complaining about the policy. And we can't simply remove it.
@narenaryan Did you run your security check again? iam:PassRole has been limited to the role which is passed and no longer shows "*". This has been released with 4.31.1.
@narenaryan Did you have time to check the security issue?
Hi @npalm, sorry for the delay, I am on vacation now. I will pass this to my team to get the role re-scanned.
@narenaryan Any news here?
@narenaryan Any news here, or can the issue be closed?
I won't be close to my laptop for the next few weeks, so no updates from me.
Closed due to missing feedback. It should have been fixed some months ago. Please reopen the issue if still valid.
Hi,
We are using terraform-aws-gitlab-runner to spin up GitLab runners on our AWS account. As part of security auditing, there was a severe alert raised on this policy created by the terraform module: https://github.com/npalm/terraform-aws-gitlab-runner/blob/develop/policies/instance-docker-machine-policy.json#L21 The problem lies with permitting the IamPassRole action on all resources. As per AWS Access Advisor, we can confirm that this action is not being used at all. Therefore, can we remove this action from the policy to make the infrastructure more secure? If you think it should be fine, can I give a PR for that?