Limit IAM instance policy for master nodes

nonlive · Jul 24, 2017 · ac511c7 · ac511c7
1 parent 71e3915
commit ac511c7
Showing 1 changed file with 21 additions and 22 deletions.
diff --git a/pkg/cloudprovider/providers/aws/cloudformation_templates.go b/pkg/cloudprovider/providers/aws/cloudformation_templates.go
@@ -390,25 +390,6 @@ Resources:
             Effect: Allow
             Action:
               - autoscaling:DescribeAutoScalingGroups
-              - ec2:CreateTags
-              - ec2:DescribeTags
-              - ec2:DescribeInstances
-          - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}"
-            Effect: Allow
-            Action:
-              - "s3:List*"
-          - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*"
-            Effect: Allow
-            Action:
-              - "s3:Get*"
-          - Resource:
-              - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
-            Effect: Allow
-            Action:
-              - cloudformation:DescribeStacks
-          - Resource: "*"
-            Effect: Allow
-            Action:
               - ec2:AttachNetworkInterface
               - ec2:AttachVolume
               - ec2:AuthorizeSecurityGroupEgress
@@ -435,15 +416,33 @@ Resources:
               - ec2:ModifyNetworkInterfaceAttribute
               - ec2:RevokeSecurityGroupEgress
               - ec2:RevokeSecurityGroupIngress
-              - elasticloadbalancing:ConfigureHealthCheck
               - elasticloadbalancing:Create*
+              - elasticloadbalancing:Describe*
+          - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}"
+            Effect: Allow
+            Action:
+              - "s3:List*"
+          - Resource: "arn:aws:s3:::{{ .AssetsBucketName }}/*"
+            Effect: Allow
+            Action:
+              - "s3:Get*"
+          - Resource:
+              - Fn::Sub: "arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{{ .StackName }}/*"
+            Effect: Allow
+            Action:
+              - cloudformation:DescribeStacks
+          - Resource: "*"
+            Effect: Allow
+            Action:
+              - elasticloadbalancing:ConfigureHealthCheck
               - elasticloadbalancing:Delete*
               - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
-              - elasticloadbalancing:DescribeLoadBalancerAttributes
-              - elasticloadbalancing:DescribeLoadBalancers
               - elasticloadbalancing:ModifyLoadBalancerAttributes
               - elasticloadbalancing:RegisterInstancesWithLoadBalancer
               - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
+            Condition:
+              StringEquals:
+                'elasticloadbalancing:ResourceTag/cluster-name': "{{ .MasterPool.ClusterName }}"
 
 {{ $masterPool := .MasterPool -}}
 {{ $userData := .UserData -}}