fix: Switch from our home baked SSM policy to the current managed policy
Once upon a time the recommended managed policy allowed full access to all S3 buckets but this craziness is no longer the case and the managed policy is treated with care. We should switch to this, at least in part, because it has some extra permissions needed for AWS Inspector (v2) and new required SSM permissions will be added for us in the future.
sihil committed Jan 19, 2023
1 parent 912b4b3 commit 7669b00
Showing 8 changed files with 134 additions and 387 deletions.
1 change: 0 additions & 1 deletion src/constructs/iam/policies/index.ts
Expand Up @@ -9,4 +9,3 @@ export * from "./parameter-store-read";
export * from "./s3-get-object";
export * from "./s3-put-object";
export * from "./ses";
export * from "./ssm";
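Review bot: dropping `export * from "./ssm";` removes `GuSSMRunCommandPolicy` from the package's public surface, which is a breaking change for any consumer that imports it directly, even though the commit is labelled `fix:`. Call the removal out in the changelog and version bump, or keep a thin deprecated export for one release so downstream stacks fail at upgrade time with a clear message rather than a missing-export compile error.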
42 changes: 0 additions & 42 deletions src/constructs/iam/policies/ssm.test.ts

This file was deleted.

38 changes: 0 additions & 38 deletions src/constructs/iam/policies/ssm.ts

This file was deleted.

221 changes: 70 additions & 151 deletions src/constructs/iam/roles/__snapshots__/instance-role.test.ts.snap
Expand Up @@ -7,7 +7,6 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
"GuStack",
"GuGetS3ObjectsPolicy",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuDistributionBucketParameter",
"GuGetDistributablePolicy",
Expand Down Expand Up @@ -116,6 +115,20 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
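Review bot: with `ManagedPolicyArns` pointing at `arn:<partition>:iam::aws:policy/AmazonSSMManagedInstanceCore`, the role's SSM permissions now follow an AWS-maintained document that can change without any diff in this repository, so the snapshot records only the ARN and no longer shows the concrete actions granted. Suggest listing in the PR description which actions the managed policy adds relative to the 14 `ec2messages:`/`ssm:`/`ssmmessages:` actions removed in the next hunk, so the widening is reviewed deliberately rather than implicitly. Using `Ref: AWS::Partition` rather than a hard-coded `aws` partition is the right call for portability.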
Expand Down Expand Up @@ -201,42 +214,6 @@ exports[`The GuInstanceRole construct should allow additional policies to be spe
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
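Review bot: deleting the `SSMRunCommandPolicy244E1613` resource means CloudFormation will remove the inline `ssm-run-command-policy` from existing stacks in the same update that adds the managed-policy attachment on the role; since the attachment is a role property it should land in the same role update, but it is worth confirming on a test stack's change set that the SSM agent never loses `ssmmessages`/`ec2messages` access between the two operations. Anything keyed on the policy name `ssm-run-command-policy` (access reviews, CloudTrail queries, alarms) will also need updating.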
Expand All @@ -247,7 +224,6 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuLoggingStreamNameParameter",
"GuLogShippingPolicy",
Expand Down Expand Up @@ -425,6 +401,20 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -465,6 +455,20 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -609,45 +613,6 @@ exports[`The GuInstanceRole construct should be possible to create multiple inst
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleMyfirstapp5C11A22B",
},
{
"Ref": "InstanceRoleMysecondapp48DD15D7",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
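Review bot: this is the multi-instance case, where one shared `AWS::IAM::Policy` previously covered both `InstanceRoleMyfirstapp5C11A22B` and `InstanceRoleMysecondapp48DD15D7`, and each role now carries its own `ManagedPolicyArns` entry in the two hunks above. That is functionally fine, but with `ssm.test.ts` deleted only the snapshot guards that every role in a multi-role stack receives the attachment; an explicit per-role assertion on `ManagedPolicyArns` in `instance-role.test.ts` would survive future snapshot regeneration better than the snapshot alone.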
Expand All @@ -658,7 +623,6 @@ exports[`The GuInstanceRole construct should create an additional logging policy
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuLoggingStreamNameParameter",
"GuLogShippingPolicy",
Expand Down Expand Up @@ -795,6 +759,20 @@ exports[`The GuInstanceRole construct should create an additional logging policy
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -880,42 +858,6 @@ exports[`The GuInstanceRole construct should create an additional logging policy
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;
Expand All @@ -926,7 +868,6 @@ exports[`The GuInstanceRole construct should create the correct resources with m
"gu:cdk:constructs": [
"GuStack",
"GuInstanceRole",
"GuSSMRunCommandPolicy",
"GuDescribeEC2Policy",
"GuDistributionBucketParameter",
"GuGetDistributablePolicy",
Expand Down Expand Up @@ -1014,6 +955,20 @@ exports[`The GuInstanceRole construct should create the correct resources with m
],
"Version": "2012-10-17",
},
"ManagedPolicyArns": [
{
"Fn::Join": [
"",
[
"arn:",
{
"Ref": "AWS::Partition",
},
":iam::aws:policy/AmazonSSMManagedInstanceCore",
],
],
},
],
"Path": "/",
"Tags": [
{
Expand Down Expand Up @@ -1099,42 +1054,6 @@ exports[`The GuInstanceRole construct should create the correct resources with m
},
"Type": "AWS::IAM::Policy",
},
"SSMRunCommandPolicy244E1613": {
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ec2messages:AcknowledgeMessage",
"ec2messages:DeleteMessage",
"ec2messages:FailMessage",
"ec2messages:GetEndpoint",
"ec2messages:GetMessages",
"ec2messages:SendReply",
"ssm:UpdateInstanceInformation",
"ssm:ListInstanceAssociations",
"ssm:DescribeInstanceProperties",
"ssm:DescribeDocumentParameters",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
],
"Effect": "Allow",
"Resource": "*",
},
],
"Version": "2012-10-17",
},
"PolicyName": "ssm-run-command-policy",
"Roles": [
{
"Ref": "InstanceRoleTestingCB7BD146",
},
],
},
"Type": "AWS::IAM::Policy",
},
},
}
`;