Best Practice question: restrictive IAM policies for lift #70
Replies: 1 comment 3 replies
-
|
Hey @InvisibleKind! That's interesting, I wasn't aware of that limitation with CloudFront. I have opened the question in the AWS Hero group to see if there's a trick we don't know about. I'll let you know if I get any useful information. It may be also worth asking the AWS support. |
Beta Was this translation helpful? Give feedback.
-
|
Many thanks @mnapoli ! |
Beta Was this translation helpful? Give feedback.
-
|
Nobody on my side had an idea for a workaround. The only thing I could see is:
That is much more work, I admit it. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @mnapoli But it seems, it doesn't take a condition into account, because if I change STAGE to whatever else, the distribution still gets deleted. |
Beta Was this translation helpful? Give feedback.
-
Hello lift and serverless community,
I want to define an IAM policy for publishing static websites as restrictive as possible to exclude issues, when due to a misconfiguration or a bug something different is deleted/updated, than the resource in current serverless stack.
I've used https://github.com/dancrumb/generator-serverless-policy as a starting point and added more rules, specific to CloudFront.
At the end my policy looks like this (stack-name is just a dummy and should be replaced with a real stack name):
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:List*", "cloudformation:Get*", "cloudformation:ValidateTemplate" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:CreateUploadBucket", "cloudformation:DeleteStack", "cloudformation:Describe*", "cloudformation:UpdateStack" ], "Resource": [ "arn:aws:cloudformation:eu-central-1:*:stack/stack-name-*" ] }, { "Effect": "Allow", "Action": [ "lambda:Get*", "lambda:List*", "lambda:CreateFunction" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "s3:GetBucketLocation", "s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket", "s3:ListBucketVersions", "s3:PutAccelerateConfiguration", "s3:GetEncryptionConfiguration", "s3:PutEncryptionConfiguration", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy" ], "Resource": [ "arn:aws:s3:::stack-name*" ] }, { "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject" ], "Resource": [ "arn:aws:s3:::stack-name*" ] }, { "Effect": "Allow", "Action": [ "cloudfront:CreateCloudFrontOriginAccessIdentity", "cloudfront:GetCloudFrontOriginAccessIdentity", "cloudfront:GetCloudFrontOriginAccessIdentityConfig", "cloudfront:DeleteCloudFrontOriginAccessIdentity", "cloudfront:CreateFunction", "cloudfront:CreateDistribution", "cloudfront:UpdateDistribution", "cloudfront:DeleteDistribution", "cloudfront:TagResource", "cloudfront:Get*", "cloudfront:CreateInvalidation" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudfront:DescribeFunction", "cloudfront:GetFunction", "cloudfront:UpdateFunction", "cloudfront:DeleteFunction", "cloudfront:PublishFunction" ], "Resource": [ "arn:aws:cloudfront::*:function/stack-name-*" ] }, { "Effect": "Allow", "Action": [ "lambda:AddPermission", "lambda:CreateAlias", "lambda:DeleteFunction", "lambda:InvokeFunction", "lambda:PublishVersion", "lambda:RemovePermission", "lambda:Update*" ], "Resource": [ "arn:aws:lambda:eu-central-1:*:function:stack-name-*" ] }, { "Effect": "Allow", "Action": [ "apigateway:GET", "apigateway:POST", "apigateway:PUT", "apigateway:DELETE", "apigateway:PATCH" ], "Resource": [ "arn:aws:apigateway:*::/restapis*", "arn:aws:apigateway:*::/apikeys*", "arn:aws:apigateway:*::/usageplans*" ] }, { "Effect": "Allow", "Action": "kinesis:*", "Resource": [ "arn:aws:kinesis:*:*:stream/stack-name-*-eu-central-1" ] }, { "Effect": "Allow", "Action": [ "iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:DeleteRole" ], "Resource": [ "arn:aws:iam::*:role/stack-name-*-eu-central-1-lambdaRole" ] }, { "Effect": "Allow", "Action": "sqs:*", "Resource": [ "arn:aws:sqs:*:*:stack-name-*-eu-central-1" ] }, { "Effect": "Allow", "Action": [ "cloudwatch:GetMetricStatistics" ], "Resource": [ "*" ] }, { "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:DeleteLogGroup" ], "Resource": [ "arn:aws:logs:eu-central-1:*:*" ], "Effect": "Allow" }, { "Action": [ "logs:PutLogEvents" ], "Resource": [ "arn:aws:logs:eu-central-1:*:*" ], "Effect": "Allow" }, { "Effect": "Allow", "Action": [ "logs:DescribeLogStreams", "logs:DescribeLogGroups", "logs:FilterLogEvents" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "events:Put*", "events:Remove*", "events:Delete*" ], "Resource": [ "arn:aws:events:*:*:rule/stack-name-*-eu-central-1" ] }, { "Effect": "Allow", "Action": [ "events:DescribeRule" ], "Resource": [ "arn:aws:events:eu-central-1:*:rule/stack-name-*" ] }, { "Effect": "Allow", "Action": [ "s3:CreateBucket" ], "Resource": [ "arn:aws:s3:::*" ] } ] }This set works, but makes me a bit nervous in a part "cloudfront:UpdateDistribution", "cloudfront:DeleteDistribution" with Resource set to *. Unfortunately I didn't find a way to restrict it somehow, because distribution's ARN doesn't contain a stack-name - it is randomly created.
And if I understand it correct, it is even not possible by design. The only possible value in this case according to CloudFront API permission Docs is *
Are there any best practices, recommendations or tricks on this? Or in other words, how do you configure your IAM roles, especially in a context of lift and cloudfront?
Beta Was this translation helpful? Give feedback.
All reactions