Terraform-provider-aws: Create least privilege IAM policy for a resource or module

Created on 27 Jun 2019 · 3 Comments · Source: hashicorp/terraform-provider-aws

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

As a security specialist, I want my Terraform plans to run with the minimum set of IAM privileges. However, it is not clear which AWS IAM actions are required by a Terraform resource or module. The current solutions to this problem are:

  • read the code to identify which API calls are used and set the related IAM actions (requires a detailed understanding of code)
  • apply the Terraform plan and use error messages to add IAM actions incrementally (most common solution... but CloudFront deployments - argh)
  • allow all IAM actions for a given service (not secure)

This feature request is to create a process or method to generate the set of least privilege IAM actions that are required to apply the Terraform plan successfully.

New or Affected Resource(s)

All resources will be impacted. A potential initial solution would be to automatically generate documentation of the IAM actions required for each resource and add it as a section to the Terraform documentation. Future iterations would then automate the IAM policy generation.

Labels: enhancement, provider

All 3 comments

I would also be interested in the least privilege policy to _create_ a plan. We have projects shared across teams, where non-infrastructure teams "only" need enough access to modify _specific_ resources, but they do need enough access to terraform plan.

We currently use the second approach, and in this case it is especially painful because someone with enough privileges to use a new kind of resource can inadvertently break planning for many others without noticing.

Would love to hear what folks' current strategies are outside of the ones mentioned by OP as those are all pretty painful.

I've been using CloudTrail logs from a user/role that has fairly high privileges as a bit of a flight recorder. I then query those logs with Athena to list all of the permissions invoked for an apply+destroy.

I've found this to capture many but not all of them for some reason, but it does give a pretty good starting point.

Example query:

-- Athena over a CloudTrail table partitioned by account/region/year;
-- the placeholders 'xxxxxx', 'yyyyy' and <accountid> are to be filled in.
select distinct eventname, eventsource, eventtype, additionaleventdata, resources, requestparameters, useridentity.arn
from cloudtrail_logs
where 1 = 1
  -- partition pruning keeps the scan (and the Athena bill) small
  and account = 'xxxxxx'
  and region = 'yyyyy'
  and year = '2020'
  and eventtime > '2020-08-18'
  -- only calls made through the role Terraform assumed
  and useridentity.arn LIKE 'arn:aws:sts::<accountid>:assumed-role/TF-xyz/%'

Throw this into a spreadsheet and you can do some auto grouping to show you the services and actions invoked as well as some details of the resource ARNs in some cases.

I'm surprised I don't see more tools around this -- so maybe a good side project to develop a cloudtrail-based flight recorder + policy generator.
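The grouping step described above (rows from the query turned into services and actions, then into a starter policy) as an added example; this is not code from the thread, from trailscraper or from the provider. It runs on constructed CloudTrail-style records embedded inline; the PREFIX_OVERRIDES table, the role ARN and the sample records are assumptions.

```python
"""Group CloudTrail records by IAM service/action and emit a starter policy."""
import json
from collections import defaultdict

# Constructed sample records (not real CloudTrail output); only the fields
# the grouping needs are present.
TF_ROLE = "arn:aws:sts::111122223333:assumed-role/TF-xyz/session"
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": TF_ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
     "userIdentity": {"arn": TF_ROLE}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "userIdentity": {"arn": TF_ROLE}},  # duplicate call, collapsed below
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm",
     "userIdentity": {"arn": TF_ROLE}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketLocation",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"}},  # not TF
]

# eventSource hosts whose IAM prefix is not the first host label.
# Assumed, partial table: extend it as unmatched sources show up.
PREFIX_OVERRIDES = {"monitoring.amazonaws.com": "cloudwatch"}


def iam_action(event):
    """'ec2.amazonaws.com' + 'RunInstances' -> 'ec2:RunInstances'."""
    source, name = event["eventSource"], event["eventName"]
    prefix = PREFIX_OVERRIDES.get(source, source.split(".")[0])
    return f"{prefix}:{name}"


def actions_by_service(events, role_arn_prefix):
    """Return {service: sorted actions} for records made by matching principals."""
    grouped = defaultdict(set)
    for ev in events:
        arn = ev.get("userIdentity", {}).get("arn", "")
        if not arn.startswith(role_arn_prefix):
            continue  # another principal's activity is not part of the plan
        action = iam_action(ev)
        grouped[action.split(":")[0]].add(action)
    return {svc: sorted(acts) for svc, acts in sorted(grouped.items())}


def policy_document(grouped):
    """One Allow statement per service; Resource stays '*' and must be scoped by hand."""
    statements = [{"Sid": f"{svc.capitalize()}Observed", "Effect": "Allow",
                   "Action": acts, "Resource": "*"} for svc, acts in grouped.items()]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    observed = actions_by_service(SAMPLE_EVENTS, "arn:aws:sts::111122223333:assumed-role/TF-xyz/")
    print(json.dumps(policy_document(observed), indent=2))
```

The result is a starting point, not a finished policy: Resource is still "*", and the comment's observation that some calls never appear in the trail still applies.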

There are some tools that do things similar to what @kunickiaj describes, one of them my own (shameless plug):

Being a heavy terraform user, my trigger to start building trailscraper was specifically because I couldn't find a way to figure out which permissions were necessary from terraform itself.
Having worked with many teams who were just adopting IaC practices, IAM is often their biggest struggle: they either spend countless hours figuring out a least-privilege policy by trial-and-error or give up and attach AdministratorAccess. Obviously, neither of those is great so anything terraform can do to improve this situation (even by a tiny bit) will be a huge improvement.
