
Refine support and trustedadvisor required IAM permissions #457

Closed
bergkampsliew opened this issue Jan 10, 2020 · 3 comments

Comments

@bergkampsliew
Contributor

Based on the required IAM permissions to run awslimitchecker, as documented at https://awslimitchecker.readthedocs.io/en/latest/iam_policy.html,
the list has support:*, and that will allow case creation and other write actions:
https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssupport.html

The older ticket #39 mentioned the requirement of having support:*, but I don't read that anymore in the latest documentation.
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssupport.html
[2] https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awstrustedadvisor.html

My suggestion is to only include the actions required for the Trusted Advisor purpose, as below.
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorCheckResult
support:DescribeTrustedAdvisorCheckSummaries
support:DescribeTrustedAdvisorChecks
support:RefreshTrustedAdvisorCheck

On the same note (based on [1]), I noticed this line: "The "trustedadvisor:" actions apply only to Trusted Advisor in the AWS Console."
I believe awslimitchecker does not need "console access"? Hence, can the actions below be removed from the IAM actions list?
"trustedadvisor:Describe",
"trustedadvisor:RefreshCheck"
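The tightening described in this comment, as an added example that is not part of awslimitchecker: it flags a policy statement that grants `support:*` (which covers case-creation write actions) or console-only `trustedadvisor:` actions, and rewrites it to the five Trusted Advisor actions listed above. The policy document is a constructed sample, not the project's published one.

```python
# Added example, not awslimitchecker's own code: narrow support:* to the
# five Trusted Advisor actions from the issue and drop console-only
# trustedadvisor: actions. SAMPLE_POLICY is a constructed input.
import copy

TRUSTED_ADVISOR_ACTIONS = [
    "support:DescribeTrustedAdvisorCheckRefreshStatuses",
    "support:DescribeTrustedAdvisorCheckResult",
    "support:DescribeTrustedAdvisorCheckSummaries",
    "support:DescribeTrustedAdvisorChecks",
    "support:RefreshTrustedAdvisorCheck",
]


def _actions(stmt):
    # IAM allows Action to be a string or a list; always return a list.
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def find_overbroad(policy):
    """List support/trustedadvisor actions wider than the checker needs."""
    flagged = []
    for stmt in policy.get("Statement", []):
        for action in _actions(stmt):
            svc = action.split(":", 1)[0].lower()
            if svc == "trustedadvisor" or (
                    svc == "support" and action not in TRUSTED_ADVISOR_ACTIONS):
                flagged.append(action)  # e.g. support:* or support:CreateCase
    return flagged


def tighten(policy):
    """Return a copy with support:* narrowed and trustedadvisor:* removed."""
    new = copy.deepcopy(policy)
    for stmt in new.get("Statement", []):
        kept = []
        for action in _actions(stmt):
            svc = action.split(":", 1)[0].lower()
            if svc == "trustedadvisor":
                continue  # only meaningful in the AWS Console, per the issue
            if svc == "support" and action not in TRUSTED_ADVISOR_ACTIONS:
                kept.extend(a for a in TRUSTED_ADVISOR_ACTIONS if a not in kept)
            elif action not in kept:
                kept.append(action)
        stmt["Action"] = kept
    return new


# Constructed sample resembling the over-broad grant discussed in the issue.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeInstances", "support:*",
               "trustedadvisor:Describe", "trustedadvisor:RefreshCheck"]}]}
```

Running `find_overbroad` on the tightened output returns an empty list, which is the check worth keeping in a policy linter.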

@jantman
Owner

jantman commented Jan 12, 2020

@bergkampsliew Thanks for bringing this to my attention.

I'm going to need to dig into this a bit more... as of the last time I looked into this (when 8.0.0 was released on November 3, 2019), Trusted Advisor is still only needed for 2 things:

  • GovCloud and China regions/partitions
  • SES sending quota

If Service Quotas now has support for SES limits, it's probably worth limiting Trusted Advisor to only run in regions/partitions that require it, and removing the support/TA permissions altogether.

That being said, the recommended IAM policy for awslimitchecker is just that, recommended. You can certainly make those changes to lock down the support API in your own deployment, but I likely won't cut a new release just for this update.

@bergkampsliew
Contributor Author

Thanks for letting me know about the TA usage, @jantman, and yes, understood that the recommended IAM policy is simply a recommendation.
Anyway, it's not that critical an issue; take your time :-)

@jantman
Owner

jantman commented Sep 22, 2020

This has been fixed in 9.0.0, which is now live on PyPI and on the Docker Hub. Thank you so much!
