Skip to content

🔒 Improve AWS Cloud IAM policy security #839

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
kenibrewer wants to merge 4 commits into
base: master
Choose a base branch
from
Open

🔒 Improve AWS Cloud IAM policy security #839

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e764a5b
🔒 improve AWS Cloud IAM policy security by restricting resource scopes
kenibrewer Sep 18, 2025
e265312
Merge branch 'master' into docs/aws-cloud-iam-policy-security
justinegeffen Nov 27, 2025
1e71015
Update aws-cloud.md
justinegeffen Nov 27, 2025
d57f632
Merge branch 'master' into docs/aws-cloud-iam-policy-security
justinegeffen Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 55 additions & 8 deletions platform-cloud/docs/compute-envs/aws-cloud.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,11 +83,21 @@ The following permissions are required to provision resources in the AWS account
"iam:CreateInstanceProfile",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole",
"iam:TagRole",
"iam:TagInstanceProfile"
],
"Resource": "*"
"Resource": [
"arn:aws:iam::*:role/TowerForge*",
"arn:aws:iam::*:instance-profile/TowerForge*"
]
},
{
"Sid": "AwsCloudCreatePassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/TowerForge*"
Comment on lines +90 to +100
Copy link
Member

@bebosudo bebosudo Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"arn:aws:iam::*:role/TowerForge*",
"arn:aws:iam::*:instance-profile/TowerForge*"
]
},
{
"Sid": "AwsCloudCreatePassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/TowerForge*"
"arn:aws:iam::*:role/TowerForge-*",
"arn:aws:iam::*:instance-profile/TowerForge-*"
]
},
{
"Sid": "AwsCloudCreatePassRole",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": "arn:aws:iam::*:role/TowerForge-*"

}
]
}
Expand Down Expand Up @@ -124,15 +134,49 @@ The following permissions are required to launch pipelines, run Studio sessions,
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AwsCloudLaunch",
"Sid": "AwsCloudLaunchEC2",
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:DeleteTags",
"logs:GetLogEvents",
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:image/*"
Comment on lines +145 to +151
Copy link
Contributor

@stefanoboriero stefanoboriero Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this really any different than using *? Actions are anyhow not applicable to all resource types, so defining individual resource types still with a star permission doesn't seem to change much the scope of the actual permissions.

For example, with the current config I can't use ec2:RunInstances on a Kinesis stream, because the action already carries the scope of what resource type it can be taken against.

On the other hand I get this might have a placebo effect if someone reads it through without giving it much thought, it seems more scoped.

]
},
{
"Sid": "AwsCloudLaunchInstances",
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances",
Copy link
Contributor

@stefanoboriero stefanoboriero Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you test this? AWS Docs say that using the ec2:ResourceTag/Name condition key is not supported for action ec2:DescribeInstances. See https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html#amazonec2-actions-as-permissions.

"ec2:TerminateInstances"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/Name": "TowerForge-*"
}
}
},
{
"Sid": "AwsCloudLaunchLogs",
"Effect": "Allow",
"Action": [
"logs:GetLogEvents"
],
"Resource": "arn:aws:logs:*:*:log-group:*:log-stream:*"
Copy link
Contributor

@stefanoboriero stefanoboriero Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same comment as above, this does not seem to move the needle much in terms of actual permission scopes. However here we could be more specific, since we know the exact log group we're interested into, which is tower/nextflow-run

Copy link
Member Author

@kenibrewer kenibrewer Sep 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great. Please implement.

},
{
"Sid": "AwsCloudLaunchS3",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "*"
Expand Down Expand Up @@ -162,7 +206,10 @@ The following permissions are required to remove resources created by Seqera whe
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": "*"
"Resource": [
"arn:aws:iam::*:role/TowerForge*",
"arn:aws:iam::*:instance-profile/TowerForge*"
Comment on lines +210 to +211
Copy link
Member

@bebosudo bebosudo Dec 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
"arn:aws:iam::*:role/TowerForge*",
"arn:aws:iam::*:instance-profile/TowerForge*"
"arn:aws:iam::*:role/TowerForge-*",
"arn:aws:iam::*:instance-profile/TowerForge-*"

]
}
]
}
Expand Down