
Organization UseCase - Reduce IAM privileges scope of SysdigSecureForCloudRole #77

Open
Chili-Man opened this issue Mar 29, 2022 · 3 comments

Comments

@Chili-Man

I'm not sure why Sysdig Secure needs to have full admin access to every single AWS account to run the cloud-connector (for the organizational setup). Looking through the modules, it really doesn't seem that it needs access to everything, which is concerning since the ECS tasks assume this role. The principle of least privilege should be applied to this particular role and just scoped to the AWS IAM permissions it needs.

@wideawakening (Contributor)

wideawakening commented Apr 1, 2022

hey @Chili-Man, thanks for pointing that out.

Organizational setup is the most complicated one and we may need to clarify / pin permissions better.
I guess you're referring to the default organizational OrganizationAccountAccessRole usage.

Just updated the org example readme to clarify its usage better, but as stated, it's just the default suggestion.

A specific role is required, to enable Sysdig to impersonate and be able to provide:
- For the scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
- A solution to resolve the current limitation when accessing an S3 bucket in a different region than where it's being called from

Let us know if we can clarify it better or if you have any better alternative suggestion.

@moustafab

moustafab commented Apr 26, 2022

@wideawakening I was just thinking/considering the same thing as OP and I would love it if you could document a permission set that can be used to create a role for cloud-connector in sub accounts with the principle of least privilege in mind. That way we could provision a role to be assumed in our sub-accounts and provide the alternate role without having to go through everything done here (and hopefully it could be maintained with any changes to secure-for-cloud needs).

@wideawakening wideawakening changed the title Reduce IAM privileges scope of SysdigSecureForCloudRole Organization UseCase - Reduce IAM privileges scope of SysdigSecureForCloudRole May 11, 2022
@wideawakening (Contributor)

wideawakening commented May 11, 2022

  • added some insights for the per-member custom role for scanning feature.
  • also documented a bit more overall permissions

will be digging more into this topic soon.

https://github.com/sysdiglabs/terraform-aws-secure-for-cloud#required-permissions

https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/organizational/README.md#role-summary
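The thread asks for a member-account role that grants only what the cross-account ECR pull and S3 access described above need, instead of the default OrganizationAccountAccessRole. The Terraform below is an added illustration of that shape, not code from the sysdiglabs module or from any commenter: a trust policy that admits one specific caller role with an ExternalId, and an inline permission policy limited to read-only ECR and one bucket. The management account id, the assuming role ARN, the ExternalId, the bucket ARN and the role name are assumed placeholders; the actual action list Sysdig needs is documented in the README links above and may differ from this read-only set.

```hcl
# Added example, not part of the terraform-aws-secure-for-cloud module.
# All values below are assumed placeholders for a member (sub) account.
variable "management_account_id" { default = "111111111111" }            # assumed
variable "assuming_role_name"    { default = "SysdigSecureForCloudRole" } # role named in the issue; ARN layout is an assumption
variable "external_id"           { default = "replace-with-random-external-id" } # assumed
variable "member_bucket_arn"     { default = "arn:aws:s3:::example-member-bucket" } # assumed

data "aws_caller_identity" "current" {}

# Trust policy: only the named role in the management account may assume this
# role, and only when it presents the agreed ExternalId (confused-deputy guard).
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.management_account_id}:role/${var.assuming_role_name}"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Permission policy: read-only ECR pull plus read access to one bucket,
# in place of an administrator-level policy.
data "aws_iam_policy_document" "scoped" {
  statement {
    sid       = "EcrAuthToken"
    actions   = ["ecr:GetAuthorizationToken"] # this call does not support resource scoping
    resources = ["*"]
  }
  statement {
    sid = "EcrPullThisAccount"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:BatchGetImage",
      "ecr:GetDownloadUrlForLayer",
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
    ]
    # scoped to repositories in this member account only
    resources = ["arn:aws:ecr:*:${data.aws_caller_identity.current.account_id}:repository/*"]
  }
  statement {
    sid       = "BucketRead"
    actions   = ["s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject"]
    resources = [var.member_bucket_arn, "${var.member_bucket_arn}/*"]
  }
}

resource "aws_iam_role" "scoped_member_role" {
  name               = "SysdigScopedMemberRole" # assumed name
  assume_role_policy = data.aws_iam_policy_document.trust.json
}

resource "aws_iam_role_policy" "scoped" {
  name   = "scoped-scanning-access"
  role   = aws_iam_role.scoped_member_role.id
  policy = data.aws_iam_policy_document.scoped.json
}
```

The two policies answer different questions: the trust policy decides who can become the role, the permission policy decides what the role can then do. Pinning the principal to one role ARN rather than the whole management account, and requiring an ExternalId, keeps a compromised or misconfigured caller elsewhere in the organization from assuming the role; keeping the permission statements read-only and resource-scoped limits what an assumed role can touch if the caller itself is ever compromised.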
