[CSPM Doc Update Request] - CSPM AWS - Manual deployment - Assume role- Role ARN use cases to be updated #4579

Closed
smriti0321 opened this issue Jan 8, 2024 · 3 comments · Fixed by #5863
Assignees
Labels
blocked An issue that's currently blocked because it’s pending info or action from stakeholders. Team: Cloud Security AWP + Cloud Security Posture

Comments

@smriti0321

smriti0321 commented Jan 8, 2024

The current CSPM AWS manual deployment workflow recommends leaving Role ARN empty, whereas the field is visible to the user. After discussing with the team internally, quoting a few examples of cases where it will be relevant to fill in Role ARN:

  1. In case the user doesn't want to attach the role to the EC2 instance because other things are running on the machine, and they provide credentials in Kibana and want CloudBeat to use a specific role.
  2. If they run it as a deployment on EKS.
  3. And more.

In the documentation we can highlight these cases as examples of when a user would want to populate the Role ARN and not leave it empty.

Screenshot of the existing workflow: (image: Screenshot 2023-12-25 at 16 46 54)

@jmikell821 jmikell821 added the Team: Cloud Security AWP + Cloud Security Posture label Jan 8, 2024
@benironside benironside added the blocked An issue that's currently blocked because it’s pending info or action from stakeholders. label Jun 6, 2024
@smriti0321 (Author)

@kfirpeled Can someone from the team provide other examples of when a user would want to populate the Role ARN and not leave it empty? Thanks.

@kfirpeled

When it comes to the credentials part, @oren-zohar 's team is the best fit to answer this one.

@romulets (Member)

I have no actual knowledge about use cases.

But reading the code:

```go
	// Assume IAM role if iam_role config parameter is given
	if beatsConfig.RoleArn != "" {
		addAssumeRoleProviderToAwsConfig(beatsConfig, &awsConfig)
	}
```

In case a roleArn is provided, we are going to assume it instead of using the role configured in the EC2 instance.

Therefore I assume it's a safety net for cases where the EC2 instance role can't be changed. Why could it not be changed? As mentioned, maybe the machine is used for multiple things. Or maybe it's a company policy to not attach roles to instances.
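The branch quoted above has two consequences a user filling in Role ARN needs to get right: the base credentials (instance profile, or keys entered in Kibana) are then used only to call sts:AssumeRole, and the target role's trust policy must name that base principal, or the call is denied. The following is an added example written for this page, not cloudbeat's code: it models the empty/non-empty decision with a hypothetical Config type and adds the two preflight checks a practitioner would want before the STS call, an ARN format check and a trust-policy check. The trust policy, account ID and role names are constructed for the example; in practice the policy would be fetched with iam:GetRole.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Config stands in for the integration settings; Plan is the outcome (both hypothetical types).
// Mode "base" keeps the instance-profile or Kibana-supplied credentials as they are;
// "assume-role" uses them only to call sts:AssumeRole on RoleArn.
type (
	Config struct{ RoleArn string }
	Plan   struct{ Mode, RoleArn string }
)

// roleArnRe matches arn:<partition>:iam::<12-digit account>:role/<path and name>.
var roleArnRe = regexp.MustCompile(`^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$`)

// ValidateRoleArn catches a pasted role name or policy ARN before any STS call is made.
func ValidateRoleArn(arn string) error {
	if !roleArnRe.MatchString(arn) {
		return fmt.Errorf("not an IAM role ARN: %q", arn)
	}
	return nil
}

// stringOrList accepts both shapes IAM allows for Action and Principal.AWS: "x" or ["x", "y"].
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*s = stringOrList{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type trustPolicy struct {
	Statement []struct {
		Effect    string       `json:"Effect"`
		Action    stringOrList `json:"Action"`
		Principal struct {
			AWS stringOrList `json:"AWS"`
		} `json:"Principal"`
	} `json:"Statement"`
}

// TrustPolicyAllows reports whether an Allow statement grants sts:AssumeRole to callerArn, its
// account root, or "*". Condition blocks (ExternalId, MFA) and the bare form "Principal": "*" are
// not handled, so a true result is necessary for AssumeRole to succeed, not sufficient.
func TrustPolicyAllows(policyJSON []byte, callerArn, callerAccount string) (bool, error) {
	var tp trustPolicy
	if err := json.Unmarshal(policyJSON, &tp); err != nil {
		return false, err
	}
	root := "arn:aws:iam::" + callerAccount + ":root"
	for _, st := range tp.Statement {
		for _, a := range st.Action {
			if st.Effect != "Allow" || (a != "sts:AssumeRole" && a != "sts:*") {
				continue
			}
			for _, p := range st.Principal.AWS {
				if p == callerArn || p == root || p == "*" {
					return true, nil
				}
			}
		}
	}
	return false, nil
}

// PlanCredentials mirrors the branch in the quoted snippet and adds two preflight checks for the
// non-empty case. callerArn and callerAccount identify the principal behind the base credentials.
func PlanCredentials(cfg Config, callerArn, callerAccount string, policyJSON []byte) (Plan, error) {
	if cfg.RoleArn == "" {
		return Plan{Mode: "base"}, nil
	}
	if err := ValidateRoleArn(cfg.RoleArn); err != nil {
		return Plan{}, err
	}
	ok, err := TrustPolicyAllows(policyJSON, callerArn, callerAccount)
	if err != nil {
		return Plan{}, err
	}
	if !ok {
		return Plan{}, fmt.Errorf("%s does not trust %s; sts:AssumeRole would be denied", cfg.RoleArn, callerArn)
	}
	return Plan{Mode: "assume-role", RoleArn: cfg.RoleArn}, nil
}

// SampleTrustPolicy is constructed for this example; the account ID and role names are made up.
const SampleTrustPolicy = `{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": ["arn:aws:iam::111122223333:role/ec2-host"]}, "Action": "sts:AssumeRole"}]}`

func main() {
	host := "arn:aws:iam::111122223333:role/ec2-host"
	for _, cfg := range []Config{{}, {RoleArn: "arn:aws:iam::111122223333:role/cloudbeat-audit"}, {RoleArn: "cloudbeat-audit"}} {
		plan, err := PlanCredentials(cfg, host, "111122223333", []byte(SampleTrustPolicy))
		fmt.Printf("RoleArn=%q -> %+v err=%v\n", cfg.RoleArn, plan, err)
	}
}
```

The empty-ARN path needs no checks because the base credentials are used directly; the non-empty path is where deployments fail in practice, usually because the instance role or the Kibana-supplied keys are not listed in the target role's trust policy, or because a role name rather than an ARN was pasted into the field.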
