Streisand: Use reduced privilege Amazon user

Created on 20 Dec 2016 · 6 Comments · Source: StreisandEffect/streisand

Right now, the root account's API key is used. Instead the recommendation should be to create an IAM role with just the minimal privileges required.
I don't know enough Ansible to go through and dig out everything the scripts do to produce this list and at least add it to the docs.


All 6 comments

@tomchiverton AFAIK you can use the credentials of _any_ IAM user when creating streisand hosts. It doesn't have to be the root account as long as that particular user has the appropriate permissions.

Are you asking for some documentation on which permissions specifically this user should have?

Exactly. Ideally an IAM role that can be imported.

I found that the built-in 'full EC2' role is sufficient, but clearly over-privileged still.

Tom
Sent from my phone.

On 20 December 2016 22:50:19 GMT+00:00, David Wittman notifications@github.com wrote:

> @tomchiverton AFAIK you can use the credentials of _any_ IAM user when
> creating streisand hosts. It doesn't have to be the root account as
> long as that particular user has the appropriate permissions.
>
> Are you asking for some documentation on which permissions specifically
> this user should have?
>
> --
> You are receiving this because you were mentioned.
> Reply to this email directly or view it on GitHub:
> https://github.com/jlund/streisand/issues/461#issuecomment-268382132

It may be a good idea to spell out how to create a specific IAM user with API keys specifically for streisand.

I'm happy to help put together a low privilege policy if that would be useful.

Yes, that would be awesome!

Tom
Sent from my phone.

On 9 January 2017 14:58:02 GMT+00:00, Martin Lee notifications@github.com wrote:

> It may be a good idea to spell out how to create a specific IAM user
> with API keys specifically for streisand.
>
> I'm happy to help put together a low privilege policy if that would be
> useful.


Well, here's a starting point.

Testing so far - I've used it to create an image in the default VPC & subnet.
streisandPolicy.json.zip
