CaseyLabs/aws-ec2-ebs-automatic-snapshot-bash

iam guidance

runningman84 opened this issue · 7 comments

Let's imagine we have two different types of servers: frontends and backends.

Your IAM policy would allow an attacker to delete all backend snapshots from the frontend?

Hi there,

You bring up a good point, and your scenario is correct in one sense: if you have a public facing instance that gets hacked/owned, and you have an IAM key saved on that instance which can delete snapshots, then yes, your snapshots would be at risk.

For my clients, I have split this script into two separate scripts:

  • ebs-snapshot-only.sh - same functionality, but it only has the snapshot functions, and its IAM policy only allows for snapshots to be taken, not deleted.
  • ebs-snapshot-cleanup.sh - placed on a central command/admin server, secured within a private subnet of a VPC. Only this instance has an IAM policy/role in place to delete snapshots.

I'll place a similar change into the roadmap for the script in this repo, probably as an additional script function (e.g. ebs-snapshot.sh --cleanup, or something similar).

Thanks for your feedback, and if you ever want to submit a pull request, please feel free to!
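As an added illustration of the split described above (not code from this repo or its author), this is what the IAM policy attached to the instance running the snapshot-only script could look like. It is assumed that the script needs to describe instances, volumes and snapshots, create snapshots, and tag them (ec2:CreateTags is an assumption about the script's behaviour); ec2:DeleteSnapshot is deliberately absent, and the resource is "*" because, as noted later in this thread, CreateSnapshot did not support resource-level permissions at the time.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadOnlyLookupsNeededByTheSnapshotScript",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CreateSnapshotsOnlyNoDelete",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot",
        "ec2:CreateTags"
      ],
      "Resource": "*"
    }
  ]
}
```

The cleanup host in the private subnet would get the same statements plus "ec2:DeleteSnapshot", and in both cases attaching the policy through an instance role (instead of saving long-lived access keys on the box) means there is no key file to harvest if the frontend is compromised. A quick check after deployment is to run the cleanup script's delete step with the snapshot-only role and confirm it fails with an AccessDenied/UnauthorizedOperation error.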

Wondering if it would be possible to specify the instance ARN in the resource declaration of the IAM role instead of *, to give each instance access only to its own snapshots? This would provide much more granular security and would allow you to keep things in one script. If an instance were to be compromised, it could only delete snapshots of itself, regardless of where it is in the stack. I think it's possible to do and will look into it...

Ha, I had the same idea a few months ago too, and asked Amazon about it. Their response:

"Today, this is not possible because the Amazon EC2 CreateSnapshot and DeleteSnapshot actions do not support resource-level permissions (i.e., the resource must be "*")."

Welp, so much for that idea. Did you happen to make an enhancement request with them? If not (and maybe still if you did) I'll hit up our TAM and see if we can get that on their list.

I haven't, but great idea! Want to send in a request to your TAM and see what they say?

Request sent. Will let you know what they come back with.

If you are already in contact with your TAM, please also mention this feature:
MinimumSnapshotAge = 7
If we could set up such a restriction, we could ensure that an attacker isn't able to delete recent snapshots.