From 35dd0b7b60947d67d9525203d3adcdc7fac6dd8d Mon Sep 17 00:00:00 2001 From: Kashif Saadat Date: Mon, 24 Jul 2017 18:02:44 +0100 Subject: [PATCH] Limit IAM instance policy for master nodes --- .../providers/aws/cloudformation_templates.go | 43 +++++++++---------- 1 file changed, 21 insertions(+), 22 deletions(-) diff --git a/pkg/cloudprovider/providers/aws/cloudformation_templates.go b/pkg/cloudprovider/providers/aws/cloudformation_templates.go index 0e5ca77..eb21955 100644 --- a/pkg/cloudprovider/providers/aws/cloudformation_templates.go +++ b/pkg/cloudprovider/providers/aws/cloudformation_templates.go @@ -390,25 +390,6 @@ Resources: Effect: Allow Action: - autoscaling:DescribeAutoScalingGroups - - ec2:CreateTags - - ec2:DescribeTags - - ec2:DescribeInstances - - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}" - Effect: Allow - Action: - - "s3:List*" - - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*" - Effect: Allow - Action: - - "s3:Get*" - - Resource: - - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*" - Effect: Allow - Action: - - cloudformation:DescribeStacks - - Resource: "*" - Effect: Allow - Action: - ec2:AttachNetworkInterface - ec2:AttachVolume - ec2:AuthorizeSecurityGroupEgress 
@@ -435,15 +416,33 @@ Resources: - ec2:ModifyNetworkInterfaceAttribute - ec2:RevokeSecurityGroupEgress - ec2:RevokeSecurityGroupIngress - - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:Create* + - elasticloadbalancing:Describe* + - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}" + Effect: Allow + Action: + - "s3:List*" + - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*" + Effect: Allow + Action: + - "s3:Get*" + - Resource: + - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*" + Effect: Allow + Action: + - cloudformation:DescribeStacks + - Resource: "*" + Effect: Allow + Action: + - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:Delete* - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - - elasticloadbalancing:DescribeLoadBalancerAttributes - - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer + Condition: + StringEquals: + 'elasticloadbalancing:ResourceTag/cluster-name': "{{ .MasterPool.ClusterName }}" {{ $masterPool := .MasterPool -}} {{ $userData := .UserData -}}
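Review bot: The `Condition` added at the end of this hunk makes every mutating ELB action in the new `Resource: "*"` statement depend on the load balancer already carrying a `cluster-name` tag equal to `{{ .MasterPool.ClusterName }}`, yet no `elasticloadbalancing:AddTags` grant is visible in the hunk and the unconditioned `elasticloadbalancing:Create*` line is the only path that could apply that tag, so if the component creating the load balancer does not pass exactly that tag at creation time, ConfigureHealthCheck, Delete*, Register/Deregister and the other listed actions will fail with AccessDenied. Note also that `Create*` matches `CreateLoadBalancerListeners` and `CreateLoadBalancerPolicy`, which act on an existing load balancer; if the `elasticloadbalancing:ResourceTag/cluster-name` key is honoured for those calls, they could move under the conditioned statement and the unconditioned statement would keep only `- elasticloadbalancing:CreateLoadBalancer`. A comment above the condition such as `# Mutating ELB actions are limited to load balancers tagged cluster-name=<cluster>; the creator must apply this tag at creation since AddTags is not granted here.` would record the assumption for the next maintainer. The enclosing IAM policy statement list begins before this hunk.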