@dlpzx @noah-paige these should be managed the same way as bucket permissions: data.all should only have access to databases that have been imported and nothing else.
mourya-33 changed the title from "Restrict Glue IAM permissions for pivot role" to "Restrict Glue and KMS IAM permissions for pivot role" on Apr 19, 2024.
Hi @zsaltys @mourya-33, this case is slightly different from S3 bucket IAM policies. In data.all we assume that the Glue databases/tables are governed by LakeFormation; in such a case, even with, for example, "glue:DeleteDatabase" IAM permissions, the pivot role is not able to delete the database if it is lacking those LakeFormation permissions.
All data.all created or imported dataset S3 locations are registered in LakeFormation, so IAM permissions would not be restricting anything on the Glue resources of those S3 locations. We are trying to be frugal with the IAM permissions of our IAM roles to stay away from service quotas without compromising least privilege.
The only case where this feature adds value is if there are S3 locations with Glue resources that are NOT governed by LakeFormation in the AWS account and you want to restrict access. If that is the case, we can implement the above or explore newer features of Lake Formation such as hybrid access.
If your case is the last one, let's see how we can implement it in the most efficient way.
Describe the bug
The auto-created pivot role has the following unrestricted IAM permissions for Glue that are flagged by checkov scans. The permissions need to be restricted to the required resources only instead of '*'.
```json
{
  "Action": [
    "glue:BatchCreatePartition",
    "glue:BatchDeletePartition",
    "glue:BatchDeleteTable",
    "glue:CreateDatabase",
    "glue:CreatePartition",
    "glue:CreateTable",
    "glue:DeleteDatabase",
    "glue:DeletePartition",
    "glue:DeleteTable",
    "glue:BatchGet*",
    "glue:Get*",
    "glue:List*",
    "glue:SearchTables",
    "glue:UpdateDatabase",
    "glue:UpdatePartition",
    "glue:UpdateTable",
    "glue:TagResource",
    "glue:DeleteResourcePolicy",
    "glue:PutResourcePolicy"
  ],
  "Effect": "Allow",
  "Resource": "*",
  "Sid": "GlueCatalog"
},
```
```yaml
Action:
  - 'kms:Decrypt'
  - 'kms:Encrypt'
  - 'kms:GenerateDataKey*'
  - 'kms:GetKeyPolicy'
  - 'kms:PutKeyPolicy'
  - 'kms:ReEncrypt*'
  - 'kms:TagResource'
  - 'kms:UntagResource'
Effect: Allow
Resource: '*'
```
How to Reproduce
Scan the auto-created pivot role CloudFormation template file or the custom pivot role CloudFormation template file with checkov. The checkov scan will fail with the following message.
```text
Check: CKV_AWS_111: "Ensure IAM policies does not allow write access without constraints"
FAILED for resource: AWS::IAM::ManagedPolicy.PivotRolePolicy{Hash}
```
Expected behavior
The Glue IAM permissions on pivot role must be restricted to the required resources only. Once a glue resource (table/dataset, db etc) is added/removed in dataall, the pivot role should be updated to add/remove the glue resource as necessary.
Your project
No response
Screenshots
No response
OS
Mac
Python version
3.10
AWS data.all version
2.3
Additional context
The issue relates to #875.
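As an added example, not code from the data.all project, the following Python builds the scoped Glue statement that the expected behaviour above describes, listing the catalog, each imported database and its tables instead of `*`, and includes a small check in the spirit of CKV_AWS_111 that flags write actions granted on `Resource: "*"`. The region, account id and database names are constructed placeholders.

```python
import json

# Glue actions from the issue's GlueCatalog statement that mutate the catalog.
# Read-only Get*/List*/BatchGet*/SearchTables are still allowed but are not
# what CKV_AWS_111 objects to, so they are kept out of this list.
GLUE_WRITE_ACTIONS = [
    "glue:BatchCreatePartition", "glue:BatchDeletePartition", "glue:BatchDeleteTable",
    "glue:CreateDatabase", "glue:CreatePartition", "glue:CreateTable",
    "glue:DeleteDatabase", "glue:DeletePartition", "glue:DeleteTable",
    "glue:UpdateDatabase", "glue:UpdatePartition", "glue:UpdateTable",
    "glue:TagResource", "glue:DeleteResourcePolicy", "glue:PutResourcePolicy",
]
READ_PREFIXES = ("Get", "List", "BatchGet", "Search")


def glue_resources(region, account_id, databases):
    """ARNs a scoped Glue write needs: the catalog itself, each imported
    database, and every table under it. Glue authorises database/table
    calls against the catalog ARN plus the database and table ARNs."""
    prefix = f"arn:aws:glue:{region}:{account_id}"
    arns = [f"{prefix}:catalog"]
    for db in sorted(databases):
        arns.append(f"{prefix}:database/{db}")
        arns.append(f"{prefix}:table/{db}/*")
    return arns


def build_glue_statement(region, account_id, databases):
    """Replacement for the wildcard GlueCatalog statement; regenerate it
    whenever a dataset is imported or removed so the ARN list tracks data.all."""
    return {
        "Sid": "GlueCatalog",
        "Effect": "Allow",
        "Action": GLUE_WRITE_ACTIONS,
        "Resource": glue_resources(region, account_id, databases),
    }


def unconstrained_writes(statement):
    """Return the write actions an Allow statement grants on Resource '*'
    (the condition CKV_AWS_111 reports). Empty list means the check passes."""
    if statement.get("Effect") != "Allow":
        return []
    resources = statement.get("Resource", [])
    resources = [resources] if isinstance(resources, str) else resources
    if "*" not in resources:
        return []
    actions = statement.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return [a for a in actions if not a.split(":", 1)[1].startswith(READ_PREFIXES)]


if __name__ == "__main__":
    # Constructed sample: two imported databases in a placeholder account.
    print(json.dumps(build_glue_statement("eu-west-1", "111122223333", ["sales", "hr"]), indent=2))
```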