
feat: Restrict instance SSM permissions #3918

Merged
merged 1 commit into main from security
May 22, 2024
Conversation

npalm (Member) commented May 22, 2024

Restrict instance SSM permissions

Previously, EC2 instances could read other instances' tokens (via path .../tokens/...) from SSM parameters. This PR restricts access to only read/delete tokens owned by the instance.

* fix: Restrict instance SSM permissions

Previously, EC2 instances could read other instances' tokens (jitconfig
for ephemeral runners and tokens for non-ephemeral runners) from SSM
parameters.

Add an IAM condition to restrict GetParameter access to only instances
with ec2:SourceInstanceARN matching an "InstanceId" resource tag on the
SSM parameter. Update the control-plane Lambda to add the resource tag
containing the instanceId during parameter creation.

Unit tests are updated to check for the created resource tag.

* add missing permissions, escapes and formatting

---------

Co-authored-by: Niek Palm <npalm@users.noreply.github.com>
Co-authored-by: Niek Palm <niek.palm@philips.com>
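As an added illustration (not code from this PR or from the terraform-aws-github-runner project), the following TypeScript models the rule the description states: GetParameter/DeleteParameter on a token parameter is allowed only when the caller's ec2:SourceInstanceARN matches the parameter's InstanceId resource tag, and the control-plane Lambda must attach that tag when it creates the parameter. The path prefix, the `${ssm:resourceTag/InstanceId}` policy variable, the function names and every ARN, ID and token value below are assumptions made for the example, not values taken from the project.

```typescript
// Added example, not code from the terraform-aws-github-runner project.
// Models the access rule described in the PR (read/delete a token parameter
// only when ec2:SourceInstanceARN matches the parameter's InstanceId tag) and
// the PutParameter input the control-plane Lambda would send so the tag
// exists at creation time.
// Assumptions: the path prefix, the `${ssm:resourceTag/InstanceId}` policy
// variable, and every ARN/ID/token value below are hypothetical.

interface Tag { Key: string; Value: string }

// Subset of the AWS SDK v3 PutParameterCommandInput fields used here.
interface PutParameterInput {
  Name: string;
  Value: string;
  Type: 'SecureString';
  Tags: Tag[];
}

// Hypothetical token path; the project's real prefix is configurable.
const TOKEN_PATH_PREFIX = '/github-action-runners/default/runners/tokens/';

// Lambda side: create the parameter with the tag the IAM condition keys on.
// Caveat: PutParameter does not accept Tags together with Overwrite, so the
// tag has to go on the initial create (or be added with AddTagsToResource).
function buildPutParameterInput(instanceId: string, token: string): PutParameterInput {
  return {
    Name: TOKEN_PATH_PREFIX + instanceId,
    Value: token,
    Type: 'SecureString',
    Tags: [{ Key: 'InstanceId', Value: instanceId }],
  };
}

// Instance-role side: an illustrative statement (not the project's exact
// policy text). StringEquals treats '*' literally, so region and account are
// spelled out here; use ArnLike if those segments need wildcards.
function tokenStatement(partition: string, region: string, account: string, paramArnPrefix: string) {
  return {
    Effect: 'Allow',
    Action: ['ssm:GetParameter', 'ssm:DeleteParameter'],
    Resource: paramArnPrefix + '/*',
    Condition: {
      StringEquals: {
        'ec2:SourceInstanceARN':
          'arn:' + partition + ':ec2:' + region + ':' + account + ':instance/${ssm:resourceTag/InstanceId}',
      },
    },
  };
}

// ec2:SourceInstanceARN has the form arn:<partition>:ec2:<region>:<account>:instance/<id>.
function instanceIdFromArn(sourceInstanceArn: string): string | undefined {
  const m = /^arn:[^:]+:ec2:[^:]*:[^:]*:instance\/(i-[0-9a-f]{8,17})$/.exec(sourceInstanceArn);
  return m ? m[1] : undefined;
}

// Before the PR: any instance in the runner role may read any token under the path.
function allowedBefore(paramName: string): boolean {
  return paramName.startsWith(TOKEN_PATH_PREFIX);
}

// After the PR: the caller's instance ID must equal the parameter's InstanceId tag.
// An untagged parameter or a non-instance caller is denied, which is the safe
// failure mode if the Lambda ever forgets the tag.
function allowedAfter(paramName: string, tags: Tag[], sourceInstanceArn: string): boolean {
  if (!allowedBefore(paramName)) return false;
  const ownerTag = tags.find((t) => t.Key === 'InstanceId');
  const caller = instanceIdFromArn(sourceInstanceArn);
  return ownerTag !== undefined && caller !== undefined && ownerTag.Value === caller;
}

// Constructed scenario: one instance owns a token, a second instance tries to read it.
function demo() {
  const owner = 'i-0aaaaaaaaaaaaaaaa';
  const other = 'i-0bbbbbbbbbbbbbbbb';
  const param = buildPutParameterInput(owner, 'constructed-runner-token');
  const arnFor = (id: string) => 'arn:aws:ec2:eu-west-1:123456789012:instance/' + id;
  return {
    otherBefore: allowedBefore(param.Name),                        // true: the cross-instance read the PR closes
    ownerAfter: allowedAfter(param.Name, param.Tags, arnFor(owner)),  // true
    otherAfter: allowedAfter(param.Name, param.Tags, arnFor(other)),  // false
    untaggedAfter: allowedAfter(param.Name, [], arnFor(owner)),       // false: missing tag denies
  };
}
```

The point a practitioner should take from `demo()` is that the tag is load-bearing: the condition only narrows access if every token parameter is created with the InstanceId tag, which is why the PR changes the Lambda and its unit tests alongside the policy.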
@npalm npalm requested a review from koendelaat May 22, 2024 12:04
@npalm npalm merged commit 9399cf2 into main May 22, 2024
3 of 4 checks passed
@npalm npalm deleted the security branch May 22, 2024 12:05
npalm pushed a commit that referenced this pull request May 22, 2024
🤖 I have created a release *beep* *boop*
---


## [5.11.0](v5.10.4...v5.11.0) (2024-05-22)

### Features

* add variable to configure ebs optimization for runner instances ([#3901](#3901)) ([479b779](479b779)) @AlexShemeshWix
* Restrict instance SSM permissions ([#3918](#3918)) ([9399cf2](9399cf2)) @bburky

### Bug Fixes

* adding missing permissions to boundaries ([#3873](#3873)) ([93e8d27](93e8d27)) @gnawhleinad
* **lambda:** bump the aws group across 1 directory with 6 updates ([#3907](#3907)) ([50dda9a](50dda9a))
---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: forest-releaser[bot] <80285352+forest-releaser[bot]@users.noreply.github.com>
Co-authored-by: forest-pr|bot <forest-pr[bot]@users.noreply.github.com>