Limit IAM policy scope for compute nodes

nonlive · Jul 25, 2017 · 5fe8c13 · 5fe8c13
1 parent 7962d8b
commit 5fe8c13
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/pkg/cloudprovider/providers/aws/cloudformation_templates.go b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
@@ -633,13 +633,19 @@ Resources:
         - !Ref InstanceRole
       PolicyDocument:
         Statement:
-          - Resource: "*"
+          - Resource:
+              - Fn::Sub: "arn:aws:ec2:${AWS::Region}:${AWS::AccountId}:instance/*"
             Effect: Allow
             Action:
               - ec2:CreateTags
-              - ec2:DescribeInstances
-              - ec2:DescribeTags
-              - ec2:DescribeVpcs
+            Condition:
+              StringEquals:
+                'ec2:ResourceTag/cluster-name': "{{ .ComputePool.ClusterName }}"
+                'aws:RequestTag/KubeletToken': "Success"
+          - Resource: "*"
+            Effect: Allow
+            Action:
+              - "ec2:Describe*"
           - Resource:
               - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
             Effect: Allow