Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement least privilege principle for cloudfront, lambda and db migration stacks #1134

Merged
merged 16 commits into from
Apr 15, 2024
Merged

Implement least privilege principle for cloudfront, lambda and db migration stacks #1134

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
fd331d4
Updated cloudfront.py to restrict IAM permissions by distribution ID
mourya-33 Apr 8, 2024
96924d7
Updated dbmigration.py to restrict permissions for EC2 and Logs
mourya-33 Apr 8, 2024
b738ecd
Updated lambda_api.py to restrict network permissions by VPC
mourya-33 Apr 8, 2024
c4f206e
Updated pipeline.py to restrict network interface permissions by vpc
mourya-33 Apr 8, 2024
c57e14d
Merge branch 'data-dot-all:main' into permission-cleanup-multiple-stacks
mourya-33 Apr 10, 2024
77a64b9
Merge branch 'data-dot-all:main' into permission-cleanup-multiple-stacks
mourya-33 Apr 12, 2024
bab44f8
Updated lambda_api.py to update network interface iam permissions
mourya-33 Apr 12, 2024
3448314
Updated dbmigration.py to update network interface iam permissions
mourya-33 Apr 12, 2024
77d2e80
Updated pipeline.py to update network interface iam permissions
mourya-33 Apr 12, 2024
760c27e
Merge branch 'data-dot-all:main' into permission-cleanup-multiple-stacks
mourya-33 Apr 12, 2024
6095efd
Updated pipeline.py for disabling automatic permissions for documenta…
mourya-33 Apr 12, 2024
95e0538
Updated dbmigration.py to remove redundant resource in permissions an…
mourya-33 Apr 12, 2024
0f2bbe6
Updated cloudfront.py for ruff formatting
mourya-33 Apr 12, 2024
1831c51
Updated lambda_api.py for ruff formatting
mourya-33 Apr 12, 2024
be73bac
Updated pipeline.py for ruff formatting
mourya-33 Apr 12, 2024
6b236da
consolidate cloudfront policy statements
noah-paige Apr 15, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 12 additions & 2 deletions deploy/stacks/cloudfront.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -171,7 +171,9 @@ def __init__(
parameter_name=f'/dataall/{envname}/CloudfrontDistributionBucket',
string_value=cloudfront_bucket.bucket_name,
)

cloudfront_resources = [
f'arn:aws:cloudfront::{self.account}:distribution/{cloudfront_distribution.distribution_id}'
]
self.user_docs_bucket = None
if custom_auth is None:
userguide_docs_distribution, user_docs_bucket = self.build_static_site(
Expand All @@ -189,6 +191,9 @@ def __init__(

self.userguide_docs_distribution = userguide_docs_distribution
self.user_docs_bucket = user_docs_bucket
cloudfront_resources += [
f'arn:aws:cloudfront::{self.account}:distribution/{userguide_docs_distribution.distribution_id}'
]

if userguide_alternate_domain:
route53.ARecord(
Expand Down Expand Up @@ -232,10 +237,15 @@ def __init__(
)
cross_account_deployment_role.add_to_policy(
iam.PolicyStatement(
actions=['cloudfront:CreateInvalidation', 's3:List*'],
actions=['s3:List*'],
resources=['*'],
)
)

cross_account_deployment_role.add_to_policy(
iam.PolicyStatement(actions=['cloudfront:CreateInvalidation'], resources=cloudfront_resources)
)

cross_account_deployment_role.add_to_policy(
iam.PolicyStatement(
actions=[
Expand Down
76 changes: 75 additions & 1 deletion deploy/stacks/dbmigration.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,55 @@ def __init__(
iam.AccountPrincipal(tooling_account_id),
),
)
private_subnets = vpc.select_subnets(subnet_type=ec2.SubnetType.PRIVATE_WITH_NAT)

subnet_resources = []

for subnet in private_subnets.subnets:
subnet_resources.append(f'arn:aws:ec2:{self.region}:{self.account}:subnet/{subnet.subnet_id}')

subnet_iam_condition = {'ec2:Subnet': subnet_resources, 'ec2:AuthorizedService': 'codebuild.amazonaws.com'}

self.build_project_role.attach_inline_policy(
iam.Policy(
self,
f'DBMigrationCBProject{envname}PolicyDocument',
statements=[
iam.PolicyStatement(
effect=iam.Effect.ALLOW,
actions=[
'ec2:CreateNetworkInterface',
'ec2:DeleteNetworkInterface',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:*/*',
],
),
iam.PolicyStatement(
actions=[
'ec2:CreateNetworkInterfacePermission',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:network-interface/*',
],
conditions={
'StringEquals': subnet_iam_condition,
},
),
iam.PolicyStatement(
actions=[
'ec2:DescribeNetworkInterfaces',
'ec2:DescribeSubnets',
'ec2:DescribeSecurityGroups',
'ec2:DescribeDhcpOptions',
'ec2:DescribeVpcs',
],
resources=['*'],
),
],
)
)

self.build_project_role.add_to_policy(
iam.PolicyStatement(
actions=[
Expand Down Expand Up @@ -107,6 +156,29 @@ def __init__(
conditions={'StringEquals': {'sts:AWSServiceName': 'codeartifact.amazonaws.com'}},
),
)
self.build_project_role.add_to_policy(
iam.PolicyStatement(
actions=['logs:CreateLogGroup', 'logs:CreateLogStream', 'logs:PutLogEvents'],
resources=[
f'arn:aws:logs:{self.region}:{self.account}:log-group:/aws/codebuild/{resource_prefix}-{envname}-dbmigration*',
],
)
)

self.build_project_role.add_to_policy(
iam.PolicyStatement(
actions=[
'codebuild:CreateReportGroup',
'codebuild:CreateReport',
'codebuild:UpdateReport',
'codebuild:BatchPutTestCases',
'codebuild:BatchPutCodeCoverages',
],
resources=[
f'arn:aws:codebuild:{self.region}:{self.account}:report-group:{resource_prefix}-{envname}-dbmigration-*',
],
)
)
self.codebuild_sg = ec2.SecurityGroup(
self,
f'DBMigrationCBSG{envname}',
Expand Down Expand Up @@ -135,7 +207,7 @@ def __init__(
environment=codebuild.BuildEnvironment(
build_image=codebuild.LinuxBuildImage.AMAZON_LINUX_2_5,
),
role=self.build_project_role,
role=self.build_project_role.without_policy_updates(),
build_spec=codebuild.BuildSpec.from_object(
dict(
version='0.2',
Expand Down Expand Up @@ -163,3 +235,5 @@ def __init__(
),
security_groups=[self.codebuild_sg],
)

self.db_migration_project.node.add_dependency(self.build_project_role)
74 changes: 60 additions & 14 deletions deploy/stacks/lambda_api.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -68,12 +68,28 @@ def __init__(

self.esproxy_dlq = self.set_dlq(f'{resource_prefix}-{envname}-esproxy-dlq')
esproxy_sg = self.create_lambda_sgs(envname, 'esproxy', resource_prefix, vpc)

esproxy_loggroup = logs.LogGroup.from_log_group_name(
self, 'esproxyloggroup', f'/aws/lambda/{resource_prefix}-{envname}-esproxy'
)
graphql_loggroup = logs.LogGroup.from_log_group_name(
self, 'graphqlloggroup', f'/aws/lambda/{resource_prefix}-{envname}-graphql'
)
awsworker_loggroup = logs.LogGroup.from_log_group_name(
self, 'awsworkerloggroup', f'/aws/lambda/{resource_prefix}-{envname}-awsworker'
)

self.elasticsearch_proxy_handler = _lambda.DockerImageFunction(
self,
'ElasticSearchProxyHandler',
function_name=f'{resource_prefix}-{envname}-esproxy',
log_group=esproxy_loggroup
if esproxy_loggroup is not None
else logs.LogGroup(
self, 'esproxyloggroup', log_group_name=f'/aws/lambda/{resource_prefix}-{envname}-esproxy'
),
description='dataall es search function',
role=self.create_function_role(envname, resource_prefix, 'esproxy', pivot_role_name),
role=self.create_function_role(envname, resource_prefix, 'esproxy', pivot_role_name, vpc),
code=_lambda.DockerImageCode.from_ecr(
repository=ecr_repository, tag=image_tag, cmd=['search_handler.handler']
),
Expand All @@ -100,8 +116,13 @@ def __init__(
self,
'LambdaGraphQL',
function_name=f'{resource_prefix}-{envname}-graphql',
log_group=graphql_loggroup
if graphql_loggroup is not None
else logs.LogGroup(
self, 'graphqlloggroup', log_group_name=f'/aws/lambda/{resource_prefix}-{envname}-graphql'
),
description='dataall graphql function',
role=self.create_function_role(envname, resource_prefix, 'graphql', pivot_role_name),
role=self.create_function_role(envname, resource_prefix, 'graphql', pivot_role_name, vpc),
code=_lambda.DockerImageCode.from_ecr(
repository=ecr_repository, tag=image_tag, cmd=['api_handler.handler']
),
Expand All @@ -127,8 +148,13 @@ def __init__(
self,
'AWSWorker',
function_name=f'{resource_prefix}-{envname}-awsworker',
log_group=awsworker_loggroup
if awsworker_loggroup is not None
else logs.LogGroup(
self, 'awsworkerloggroup', log_group_name=f'/aws/lambda/{resource_prefix}-{envname}-awsworker'
),
description='dataall aws worker for aws asynchronous tasks function',
role=self.create_function_role(envname, resource_prefix, 'awsworker', pivot_role_name),
role=self.create_function_role(envname, resource_prefix, 'awsworker', pivot_role_name, vpc),
code=_lambda.DockerImageCode.from_ecr(
repository=ecr_repository, tag=image_tag, cmd=['aws_handler.handler']
),
Expand Down Expand Up @@ -192,6 +218,11 @@ def __init__(
self,
f'CustomAuthorizerFunction-{envname}',
function_name=f'{resource_prefix}-{envname}-custom-authorizer',
log_group=logs.LogGroup(
self,
'customauthorizerloggroup',
log_group_name=f'/aws/lambda/{resource_prefix}-{envname}-custom-authorizer',
),
handler='custom_authorizer_lambda.lambda_handler',
code=_lambda.Code.from_asset(
path=custom_authorizer_assets,
Expand Down Expand Up @@ -277,7 +308,7 @@ def create_lambda_sgs(self, envname, name, resource_prefix, vpc):
)
return lambda_sg

def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_name):
def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_name, vpc):
role_name = f'{resource_prefix}-{envname}-{fn_name}-role'

role_inline_policy = iam.Policy(
Expand Down Expand Up @@ -347,6 +378,12 @@ def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_nam
'logs:StartQuery',
'logs:DescribeLogGroups',
'logs:DescribeLogStreams',
'logs:DescribeQueries',
'logs:StopQuery',
'logs:GetQueryResults',
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents',
],
resources=[
f'arn:aws:s3:::{resource_prefix}-{envname}-{self.account}-{self.region}-resources/*',
Expand All @@ -357,17 +394,7 @@ def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_nam
),
iam.PolicyStatement(
actions=[
'logs:DescribeQueries',
'logs:StopQuery',
'logs:GetQueryResults',
'logs:CreateLogGroup',
'logs:CreateLogStream',
'logs:PutLogEvents',
'ec2:CreateNetworkInterface',
'ec2:DescribeNetworkInterfaces',
'ec2:DeleteNetworkInterface',
'ec2:AssignPrivateIpAddresses',
'ec2:UnassignPrivateIpAddresses',
'xray:PutTraceSegments',
'xray:PutTelemetryRecords',
'xray:GetSamplingRules',
Expand All @@ -378,6 +405,25 @@ def create_function_role(self, envname, resource_prefix, fn_name, pivot_role_nam
],
resources=['*'],
),
iam.PolicyStatement(
actions=[
'ec2:CreateNetworkInterface',
'ec2:DeleteNetworkInterface',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:*/*',
],
),
iam.PolicyStatement(
actions=[
'ec2:AssignPrivateIpAddresses',
'ec2:UnassignPrivateIpAddresses',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:*/*',
],
conditions={'StringEquals': {'ec2:VpcID': f'{vpc.vpc_id}'}},
),
iam.PolicyStatement(
actions=[
'aoss:APIAccessAll',
Expand Down
23 changes: 20 additions & 3 deletions deploy/stacks/pipeline.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -241,16 +241,33 @@ def set_codebuild_iam_roles(self):
'ecr:GetAuthorizationToken',
'ec2:DescribePrefixLists',
'ec2:DescribeManagedPrefixLists',
'ec2:CreateNetworkInterface',
'ec2:DescribeNetworkInterfaces',
'ec2:DeleteNetworkInterface',
'ec2:DescribeSubnets',
'ec2:DescribeSecurityGroups',
'ec2:DescribeDhcpOptions',
'ec2:DescribeVpcs',
],
resources=['*'],
),
iam.PolicyStatement(
actions=[
'ec2:CreateNetworkInterface',
'ec2:DeleteNetworkInterface',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:*/*',
],
),
iam.PolicyStatement(
actions=[
'ec2:AssignPrivateIpAddresses',
'ec2:UnassignPrivateIpAddresses',
],
resources=[
f'arn:aws:ec2:{self.region}:{self.account}:*/*',
],
conditions={'StringEquals': {'ec2:Vpc': f'{self.vpc.vpc_id}'}},
),
iam.PolicyStatement(
actions=[
'codeartifact:GetAuthorizationToken',
Expand Down Expand Up @@ -794,7 +811,7 @@ def set_cloudfront_stage(self, target_env):
'aws s3 sync site/ s3://$bucket',
"aws cloudfront create-invalidation --distribution-id $distributionId --paths '/*'",
],
role=self.expanded_codebuild_role,
role=self.expanded_codebuild_role.without_policy_updates(),
vpc=self.vpc,
),
)
Expand Down
Loading