feat: tighten permissions on task/execution role

Remove named based resource permissions in task role. Folks can use addons feature to add arbitrary permissions to their task roles. Add conditions to execution role to only pull secrets and params that are tagged with copilot tags.
aws · Jun 25, 2020 · b67b91e · b67b91e
1 parent 0e3ff6a
commit b67b91e
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 54 deletions.
diff --git a/templates/services/common/cf/executionrole.yml b/templates/services/common/cf/executionrole.yml
@@ -15,11 +15,25 @@ ExecutionRole:
             - Effect: 'Allow'
               Action:
                 - 'ssm:GetParameters'
-                - 'secretsmanager:GetSecretValue'
-                - 'kms:Decrypt'
               Resource:
                 - !Sub 'arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/*'
+              Condition:
+                StringEquals:
+                  'ssm:ResourceTag/copilot-application': !Sub '${AppName}'
+                  'ssm:ResourceTag/copilot-environment': !Sub '${EnvName}'
+            - Effect: 'Allow'
+              Action:
+                - 'secretsmanager:GetSecretValue'
+              Resource:
                 - !Sub 'arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:*'
+              Condition:
+                StringEquals:
+                  'secretsmanager:ResourceTag/copilot-application': !Sub '${AppName}'
+                  'secretsmanager:ResourceTag/copilot-environment': !Sub '${EnvName}'
+            - Effect: 'Allow'
+              Action:
+                - 'kms:Decrypt'
+              Resource:
                 - !Sub 'arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*'
     ManagedPolicyArns:
-      - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
+      - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
diff --git a/templates/services/common/cf/taskrole.yml b/templates/services/common/cf/taskrole.yml
@@ -25,54 +25,3 @@ TaskRole:
                 StringEquals:
                   'iam:ResourceTag/copilot-application': !Sub '${AppName}'
                   'iam:ResourceTag/copilot-environment': !Sub '${EnvName}'
-      - PolicyName: 'AllowPrefixedResources'
-        PolicyDocument:
-          Version: '2012-10-17'
-          Statement:
-            - Effect: 'Allow'
-              Action: '*'
-              Resource:
-                - !Sub 'arn:aws:s3:::${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:elasticache:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:redshift:${AWS::Region}:${AWS::AccountId}:*:${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:rds:${AWS::Region}:${AWS::AccountId}:*:${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:es:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:sns:${AWS::Region}:${AWS::AccountId}:${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:sqs:${AWS::Region}:${AWS::AccountId}:${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:kinesis:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:firehose:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-                - !Sub 'arn:aws:kinesisanalytics:${AWS::Region}:${AWS::AccountId}:*/${AppName}-${EnvName}-*'
-      - PolicyName: 'AllowTaggedResources' # See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_actions-resources-contextkeys.html
-        PolicyDocument:
-          Version: '2012-10-17'
-          Statement:
-            - Effect: 'Allow'
-              Action: '*'
-              Resource: '*'
-              Condition:
-                StringEquals:
-                  'aws:ResourceTag/copilot-application': !Sub '${AppName}'
-                  'aws:ResourceTag/copilot-environment': !Sub '${EnvName}'
-            - Effect: 'Allow'
-              Action: '*'
-              Resource: '*'
-              Condition:
-                StringEquals:
-                  'secretsmanager:ResourceTag/copilot-application': !Sub '${AppName}'
-                  'secretsmanager:ResourceTag/copilot-environment': !Sub '${EnvName}'
-      - PolicyName: 'CloudWatchMetricsAndDashboard'
-        PolicyDocument:
-          Version: '2012-10-17'
-          Statement:
-            - Effect: 'Allow'
-              Action:
-                - 'cloudwatch:PutMetricData'
-              Resource: '*'
-            - Effect: 'Allow'
-              Action:
-                - 'cloudwatch:GetDashboard'
-                - 'cloudwatch:ListDashboards'
-                - 'cloudwatch:PutDashboard'
-                - 'cloudwatch:ListMetrics'
-              Resource: '*'