Currently the plugin recommends granting both these permissions so the plugin can launch instances and, I believe, otherwise manage ECS tasks.

This makes the role given to the ECS plugin a combination which can support privilege escalation, as theoretically the plugin could escalate privileges by launching an instance with an arbitrary existing role.

This is summarised somewhat at https://www.tenable.com/blog/auditing-iampassrole-a-problematic-privilege-escalation-permission but will be highlighted by some AWS-aware security tooling.

There is probably a need to audit usage and figure out how to lock down the permission to specific target services and ideally roles that can be passed, so the recommended default is more minimal.

https://gist.github.com/noamsdahan/928aafbcca71f95b07472f22e35dc93c may be interesting in highlighting the pieces of the plugin that may need to pass roles (ecs and ec2) in particular.

Things the ECS plugin does that might need this:

- ec2:RunInstances with IamInstanceProfile (can be configured on cluster profile)
- ec2:RequestSpotInstances with IamInstanceProfile (can be configured on cluster profile)
- ecs:RegisterTaskDefinition with taskRoleArn (can be configured on cluster profile)

Other notes

- The IamInstanceProfile passed for instances is the one within the Cluster profile configuration. It has some bare minimum permissions to work with ECS but can be user customised. Perhaps the docs could suggest a specific role.
- The TaskRoleArn passed for tasks is the one within the Elastic profile configs. This is optional to be used.

Something like this is better and probably enough:
ManageEC2Instances (the Resource on the iam:PassRole statement lists the IAM roles I want to use as instance profile(s) for various cluster profiles, or use wildcards):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ec2:RunInstances",
        "ec2:CreateTags",
        "ec2:TerminateInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeSubnets",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:DeleteTags",
        "ec2:CreateVolume",
        "ec2:AttachVolume",
        "ec2:RequestSpotInstances",
        "ec2:DescribeSpotInstanceRequests"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::123456789:role/build-gocd-GoCDEC2OptimizedRole-1C4661VGY8YE"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
ManageECSInstances (the Resource on the iam:PassRole statement lists the IAM roles I want to give as task-role-arns on elastic profiles when launching various agents, or use wildcards; the ARN below is a placeholder):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "ecs:DescribeClusters",
        "ecs:DeregisterContainerInstance",
        "ecs:DescribeContainerInstances",
        "ecs:ListContainerInstances",
        "ecs:RegisterTaskDefinition",
        "ecs:DeregisterTaskDefinition",
        "ecs:DeleteTaskDefinitions",
        "ecs:StartTask",
        "ecs:StopTask",
        "ecs:ListTasks",
        "ecs:DescribeTasks",
        "ecs:DescribeTaskDefinition"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": [
        "arn:aws:iam::<account-id>:role/<task-role-name>"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ecs.amazonaws.com"
          ]
        }
      }
    }
  ]
}
```
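As an added check, not code from the issue or the plugin, the following audits an IAM policy document for the unscoped iam:PassRole grant described above: it flags any Allow statement that covers iam:PassRole (directly or via a wildcard) while either allowing Resource "*" or lacking an iam:PassedToService condition. The first policy is a constructed "before" example; the second is the ManageEC2Instances shape from this issue with its action list trimmed.

```python
import json

# Constructed "before" policy: iam:PassRole granted next to ec2:RunInstances
# with no restriction on which role may be passed or to which service.
UNSCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:RunInstances", "iam:PassRole"], "Resource": "*"}
]}""")

# The ManageEC2Instances shape proposed in the issue (actions trimmed).
SCOPED_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:RequestSpotInstances"], "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::123456789:role/build-gocd-GoCDEC2OptimizedRole-1C4661VGY8YE"],
   "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}}}
]}""")

def _as_list(value):
    # IAM allows a single string or a list in Statement/Action/Resource.
    return value if isinstance(value, list) else [value]

def _covers_passrole(action):
    """True if an Action pattern grants iam:PassRole (exact or via wildcard)."""
    action = action.lower()
    if action in ("*", "iam:*", "iam:passrole"):
        return True
    service, _, name = action.partition(":")
    return service == "iam" and name.endswith("*") and "passrole".startswith(name[:-1])

def audit_passrole(policy):
    """Return one finding per Allow statement that grants iam:PassRole without
    restricting the passable roles (Resource '*') or the receiving service
    (no iam:PassedToService condition). An empty list means the grant is scoped."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_covers_passrole(a) for a in _as_list(stmt.get("Action", []))):
            continue
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append(f"statement {idx}: iam:PassRole allowed on Resource '*'")
        condition_keys = {key.lower() for operator in stmt.get("Condition", {}).values()
                          for key in operator}
        if "iam:passedtoservice" not in condition_keys:
            findings.append(f"statement {idx}: iam:PassRole without iam:PassedToService condition")
    return findings
```

Running `audit_passrole` over the unscoped policy yields two findings for statement 0, while the scoped policy yields none.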
chadlwilson changed the title from "Find way to avoid recommeneding iam:PassRole along with ec2:RunInstances permissions" to "Find way to avoid recommending iam:PassRole along with ec2:RunInstances permissions" on May 26, 2024.