Página Principal Explorar Ajuda
Registe-se Iniciar Sessão
AFS
/
xdr-terraform-modules
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Árvore: 0283deb5bf
Ramos Etiquetas
xdr-terraform-m...
/
submodules
/
iam
/
standard_iam_policies
/
policy-mdr_terraformer.tf

policy-mdr_terraformer.tf 3.2 KB
Histórico Em bruto

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980 
  1. #------------------------------------------------------------------------------------------
    2. 

  2. # A variant on PowerUserAccess that isn't so damn generous with sts:assumeRole
    3. 

  3. #------------------------------------------------------------------------------------------
    4. 

  4. data "aws_iam_policy_document" "mdr_terraformer" {
    5. 

  5.   # checkov:skip=CKV_AWS_107: IAM policies does not allow credentials exposure for ECR
    6. 

  6.   # checkov:skip=CKV_AWS_108: no data exfiltration allowed; resource constraints implemented
    7. 

  7.   # checkov:skip=CKV_AWS_109: see tfsec aws-iam-no-policy-wildcard ignore comment
    8. 

  8.   # checkov:skip=CKV_AWS_110: IAM policies does not allow privilege escalation
    9. 

  9.   # checkov:skip=CKV_AWS_111: see tfsec aws-iam-no-policy-wildcard ignore comment
    10. 

  10.   statement {
    11. 

  11.     sid    = "AllowEverythingButAssumeRoleAndPassRole"
    12. 

  12.     effect = "Allow"
    13. 

  13.     not_actions = [
    14. 

  14.       "sts:AssumeRole",
    15. 

  15.       "iam:PassRole",
    16. 

  16.     ]
    17. 

  17.     resources = [
    18. 

  18.       "*"
    19. 

  19.     ]
    20. 

  20.   }
    21. 

  21.   statement {
    22. 

  22.     sid    = "AllowPassRoleForSpecificRoleTypes"
    23. 

  23.     effect = "Allow"
    24. 

  24.     actions = [
    25. 

  25.       "iam:PassRole",
    26. 

  26.     ]
    27. 

  27.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    28. 

  28.     resources = [
    29. 

  29.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/instance/*",
    30. 

  30.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/lambda/*",
    31. 

  31.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/aws_services/*",
    32. 

  32.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/fargate/*",
    33. 

  33.     ]
    34. 

  34.   }
    35. 

  35. 

  36.   statement {
    37. 

  37.     sid    = "AllowPassRoleForLegacyAccountRoles"
    38. 

  38.     effect = "Allow"
    39. 

  39.     actions = [
    40. 

  40.       "iam:PassRole",
    41. 

  41.     ]
    42. 

  42. 

  43.     resources = [
    44. 

  44.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/vault-instance-role",
    45. 

  45.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/splunk-aws-instance-role",
    46. 

  46.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/salt-master-instance-role",
    47. 

  47.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-instance-role",
    48. 

  48.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/portal-data-sync-lambda-role",
    49. 

  49.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/msoc-default-instance-role",
    50. 

  50.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/ecsFargateTaskExecutionRole",
    51. 

  51.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/dlm-lifecycle-role",
    52. 

  52.       "arn:${local.aws_partition}:iam::${local.aws_account}:role/codebuild_role",
    53. 

  53.     ]
    54. 

  54.   }
    55. 

  55. 

  56.   statement {
    57. 

  57.     sid    = "AssumeThisRoleInOtherAccounts"
    58. 

  58.     effect = "Allow"
    59. 

  59.     actions = [
    60. 

  60.       "sts:AssumeRole"
    61. 

  61.     ]
    62. 

  62.     # tfsec:ignore:aws-iam-no-policy-wildcards - baseline this setting first. Lockdown after baselining IAM permissions
    63. 

  63.     resources = [
    64. 

  64.       "arn:${local.aws_partition}:iam::*:role/user/mdr_terraformer",
    65. 

  65. 

  66.       # These two are the legacy roles in the older AWS accounts. 
    67. 

  67.       # Adding them in the hope we'll be able to get AssumeRole from
    68. 

  68.       # one central place to everything...
    69. 

  69.       "arn:${local.aws_partition}:iam::*:role/mdr_powerusers",
    70. 

  70.       "arn:${local.aws_partition}:iam::*:role/mdr_iam_admins",
    71. 

  71.     ]
    72. 

  72.   }
    73. 

  73. }
    74. 

  74. 

  75. resource "aws_iam_policy" "mdr_terraformer" {
    76. 

  76.   name   = "mdr_terraformer"
    77. 

  77.   path   = "/user/"
    78. 

  78.   policy = data.aws_iam_policy_document.mdr_terraformer.json
    79. 

  79. }
    80. 

  80.