Too much permissions with "iam::aws:policy/AmazonS3FullAccess" #11

Open
rupertgti opened this issue Jul 2, 2021 · 3 comments

Comments

@rupertgti

Hi!

I detected that Terraform uses a policy, iam::aws:policy/AmazonS3FullAccess, that is very "strong" for doing several task actions in S3.
Normally these kinds of policies are blocked by security because you don't need such powerful permissions.

I detected that it only needs permissions on these S3 buckets (in my case):

```json
"Effect": "Allow",
"Resource": [
    "arn:aws:s3:::logs-*/*",
    "arn:aws:s3:::reports-*/*",
    "arn:aws:s3:::repository-*/*",
    "arn:aws:s3:::vault-*/*"
]
```

The role iam::aws:policy/AmazonS3FullAccess appears in these files:

```text
.terraform/modules/eks-jx/modules/cluster/irsa.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_bucketrepo/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cert_manager/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cluster_autoscaler/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_cm_cainjector/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_controllerbuild/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_external_dns/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_pipeline_visualizer/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_secrets-parameter-store/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_secrets-secrets-manager/examples/iam-group-complete/main.tf
.terraform/modules/eks-jx.cluster.iam_assumable_role_tekton_bot/examples/iam-group-complete/main.tf
```

In my case, I change these files after every terraform init to use a less permissive policy name.

I think it would be a good security upgrade to create a less permissive policy for this during the process, or to allow specifying the name of the policy in main.tf if you have already created one for it, or in variables.tf as the current default option.

Thank you

@ankitm123
Collaborator

I will change that. Thanks for the detailed issue.

@ankitm123
Collaborator

ankitm123 commented Jul 26, 2021

So, all of those roles which have wide access also have an option where you can use your own role (https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/variables.tf#L478) and customize it as much as you want (it's what I also do at work).
So the tekton role will be used in the pipeline, and it's not possible for us to know ahead of time what kind of things the end users will be doing with the jx pipelines (they may have tasks where they want to create a bucket, run some tests with it, and then delete it). I think that was the motivation behind some of these being wide open.
For security/production purposes, I would highly recommend managing the IAM roles outside of this module by setting create_tekton_role to false (in the case of tekton; similar for other roles). Does this help? Also, this applies only to tekton; I have to look into the other roles.

EDIT: Having said that, this does not make sense to me: https://github.com/jenkins-x/terraform-aws-eks-jx/blob/master/modules/cluster/irsa.tf#L232, and I will open a PR to fix it.

@robervexcel

robervexcel commented Jul 27, 2021

@ankitm123 I appreciate your opinion. Given this, I would suggest permitting the user to choose the name of the policy for this S3 access if they create or use another one (like vpc_id in the variables.tf file, or cluster_name, or other choosable options), and by default, if you don't set this, the process uses iam::aws:policy/AmazonS3FullAccess.

What do you think?
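One way to offer the opt-in discussed in this thread, as an added example and not code from the terraform-aws-eks-jx module: a Terraform fragment that attaches a policy scoped to the four bucket patterns from the issue unless the caller supplies an existing policy ARN. The variables `s3_policy_arn`, `s3_bucket_patterns` and `role_name` and the resource names are assumptions, not the module's real inputs.

```hcl
# Added example, not code from terraform-aws-eks-jx: attach a scoped S3 policy
# unless the caller passes an existing policy ARN. Names are hypothetical.

variable "s3_policy_arn" {
  description = "Existing policy ARN to attach instead of the scoped one."
  type        = string
  default     = null
}

variable "s3_bucket_patterns" {
  description = "Bucket name patterns from the issue (constructed example)."
  type        = list(string)
  default     = ["logs-*", "reports-*", "repository-*", "vault-*"]
}

variable "role_name" {
  description = "Hypothetical: name of the IRSA role created elsewhere."
  type        = string
}

data "aws_iam_policy_document" "s3_scoped" {
  # Bucket-level calls match the bucket ARN; object calls match bucket/*.
  statement {
    sid       = "BucketList"
    actions   = ["s3:ListBucket", "s3:GetBucketLocation"]
    resources = [for b in var.s3_bucket_patterns : "arn:aws:s3:::${b}"]
  }
  statement {
    sid       = "ObjectReadWrite"
    actions   = ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]
    resources = [for b in var.s3_bucket_patterns : "arn:aws:s3:::${b}/*"]
  }
}

resource "aws_iam_policy" "s3_scoped" {
  count  = var.s3_policy_arn == null ? 1 : 0
  name   = "eks-jx-s3-scoped"
  policy = data.aws_iam_policy_document.s3_scoped.json
}

resource "aws_iam_role_policy_attachment" "s3" {
  role = var.role_name
  # Caller-supplied ARN wins; otherwise the scoped policy created above.
  policy_arn = coalesce(var.s3_policy_arn, one(aws_iam_policy.s3_scoped[*].arn))
}
```

Setting `s3_policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"` reproduces the current wide-open behaviour for pipelines that really do create and delete arbitrary buckets, while the default keeps the role limited to the bucket patterns the reporter actually needs.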
