cloudformation: Further tighten IAM permissions.

EC2 and ELB instances are tagged upon creation. Therefore, ensuring that only EC2/ELB instances are deleted when they match the Cluster API Provider AWS tag minimises privileges. This approach cannot be used for other resources as they are tagged after creation. Signed-off-by: Naadir Jeewa <[email protected]>
kubernetes-sigs · Feb 26, 2019 · 0b27511 · 0b27511
1 parent 9971d8b
commit 0b27511
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 2 deletions.
diff --git a/pkg/cloud/aws/services/cloudformation/BUILD b/pkg/cloud/aws/services/cloudformation/BUILD
@@ -12,6 +12,7 @@ go_library(
     deps = [
         "//pkg/cloud/aws/services/awserrors:go_default_library",
         "//pkg/cloud/aws/services/iam:go_default_library",
+        "//pkg/cloud/aws/tags:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/aws:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/service/cloudformation:go_default_library",
         "//vendor/github.com/aws/aws-sdk-go/service/cloudformation/cloudformationiface:go_default_library",

diff --git a/pkg/cloud/aws/services/cloudformation/bootstrap.go b/pkg/cloud/aws/services/cloudformation/bootstrap.go
@@ -27,6 +27,7 @@ import (
 
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/awserrors"
 	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/services/iam"
+	"sigs.k8s.io/cluster-api-provider-aws/pkg/cloud/aws/tags"
 )
 
 const (
@@ -180,10 +181,8 @@ func controllersPolicy(accountID string) *iam.PolicyDocument {
 					"ec2:ReleaseAddress",
 					"ec2:RevokeSecurityGroupIngress",
 					"ec2:RunInstances",
-					"ec2:TerminateInstances",
 					"elasticloadbalancing:CreateLoadBalancer",
 					"elasticloadbalancing:ConfigureHealthCheck",
-					"elasticloadbalancing:DeleteLoadBalancer",
 					"elasticloadbalancing:DescribeLoadBalancers",
 					"elasticloadbalancing:DescribeLoadBalancerAttributes",
 					"elasticloadbalancing:ModifyLoadBalancerAttributes",
@@ -203,6 +202,26 @@ func controllersPolicy(accountID string) *iam.PolicyDocument {
 					"StringLike": map[string]string{"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"},
 				},
 			},
+			{
+				Effect:   iam.EffectAllow,
+				Resource: iam.Resources{"*"},
+				Action: iam.Actions{
+					"ec2:TerminateInstances",
+				},
+				Condition: iam.Conditions{
+					"StringEquals": map[string]string{fmt.Sprintf("ec2:ResourceTag/%s", tags.NameAWSProviderManaged): "true"},
+				},
+			},
+			{
+				Effect:   iam.EffectAllow,
+				Resource: iam.Resources{"*"},
+				Action: iam.Actions{
+					"elasticloadbalancing:DeleteLoadBalancer",
+				},
+				Condition: iam.Conditions{
+					"StringEquals": map[string]string{fmt.Sprintf("elasticloadbalancing:ResourceTag/%s", tags.NameAWSProviderManaged): "true"},
+				},
+			},
 			{
 				Effect: iam.EffectAllow,
 				Resource: iam.Resources{fmt.Sprintf(