Default aws_iam_role_policy is too permissive (feedback is welcome)

[florian0410]

Describe the Feature

The default EC2 instance profile give too many rights to deployed EC2 instance. It should not give any right at start.

Currently, a newly deployed Beanstalk environment attach a default instance profile

terraform-aws-elastic-beanstalk-environment/main.tf

Lines 82 to 86 in 003be6e

	resource "aws_iam_role_policy" "default" {
	name = "${module.this.id}-eb-default"
	role = aws_iam_role.ec2.id
	policy = data.aws_iam_policy_document.extended.json
	}

Which is a merge of extended_ec2_policy_document variable and the default policy document defined in the module.

terraform-aws-elastic-beanstalk-environment/main.tf

Lines 290 to 294 in 003be6e

	data "aws_iam_policy_document" "extended" {
	source_json = data.aws_iam_policy_document.default.json
	override_json = var.extended_ec2_policy_document
	}

The data.aws_iam_policy_document.default is coresponding to the following definition

terraform-aws-elastic-beanstalk-environment/main.tf

Lines 130 to 288 in 003be6e

	data "aws_iam_policy_document" "default" {
	statement {
	actions = [
	"elasticloadbalancing:DescribeInstanceHealth",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticloadbalancing:DescribeTargetHealth",
	"ec2:DescribeInstances",
	"ec2:DescribeInstanceStatus",
	"ec2:GetConsoleOutput",
	"ec2:AssociateAddress",
	"ec2:DescribeAddresses",
	"ec2:DescribeSecurityGroups",
	"sqs:GetQueueAttributes",
	"sqs:GetQueueUrl",
	"autoscaling:DescribeAutoScalingGroups",
	"autoscaling:DescribeAutoScalingInstances",
	"autoscaling:DescribeScalingActivities",
	"autoscaling:DescribeNotificationConfigurations",
	]
	resources = ["*"]
	effect = "Allow"
	}
	statement {
	sid = "AllowOperations"
	actions = [
	"autoscaling:AttachInstances",
	"autoscaling:CreateAutoScalingGroup",
	"autoscaling:CreateLaunchConfiguration",
	"autoscaling:DeleteLaunchConfiguration",
	"autoscaling:DeleteAutoScalingGroup",
	"autoscaling:DeleteScheduledAction",
	"autoscaling:DescribeAccountLimits",
	"autoscaling:DescribeAutoScalingGroups",
	"autoscaling:DescribeAutoScalingInstances",
	"autoscaling:DescribeLaunchConfigurations",
	"autoscaling:DescribeLoadBalancers",
	"autoscaling:DescribeNotificationConfigurations",
	"autoscaling:DescribeScalingActivities",
	"autoscaling:DescribeScheduledActions",
	"autoscaling:DetachInstances",
	"autoscaling:PutScheduledUpdateGroupAction",
	"autoscaling:ResumeProcesses",
	"autoscaling:SetDesiredCapacity",
	"autoscaling:SetInstanceProtection",
	"autoscaling:SuspendProcesses",
	"autoscaling:TerminateInstanceInAutoScalingGroup",
	"autoscaling:UpdateAutoScalingGroup",
	"cloudwatch:PutMetricAlarm",
	"ec2:AssociateAddress",
	"ec2:AllocateAddress",
	"ec2:AuthorizeSecurityGroupEgress",
	"ec2:AuthorizeSecurityGroupIngress",
	"ec2:CreateSecurityGroup",
	"ec2:DeleteSecurityGroup",
	"ec2:DescribeAccountAttributes",
	"ec2:DescribeAddresses",
	"ec2:DescribeImages",
	"ec2:DescribeInstances",
	"ec2:DescribeKeyPairs",
	"ec2:DescribeSecurityGroups",
	"ec2:DescribeSnapshots",
	"ec2:DescribeSubnets",
	"ec2:DescribeVpcs",
	"ec2:DisassociateAddress",
	"ec2:ReleaseAddress",
	"ec2:RevokeSecurityGroupEgress",
	"ec2:RevokeSecurityGroupIngress",
	"ec2:TerminateInstances",
	"ecs:CreateCluster",
	"ecs:DeleteCluster",
	"ecs:DescribeClusters",
	"ecs:RegisterTaskDefinition",
	"elasticbeanstalk:*",
	"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
	"elasticloadbalancing:ConfigureHealthCheck",
	"elasticloadbalancing:CreateLoadBalancer",
	"elasticloadbalancing:DeleteLoadBalancer",
	"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
	"elasticloadbalancing:DescribeInstanceHealth",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticloadbalancing:DescribeTargetHealth",
	"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
	"elasticloadbalancing:DescribeTargetGroups",
	"elasticloadbalancing:RegisterTargets",
	"elasticloadbalancing:DeregisterTargets",
	"iam:ListRoles",
	"iam:PassRole",
	"logs:CreateLogGroup",
	"logs:PutRetentionPolicy",
	"rds:DescribeDBEngineVersions",
	"rds:DescribeDBInstances",
	"rds:DescribeOrderableDBInstanceOptions",
	"s3:GetObject",
	"s3:GetObjectAcl",
	"s3:ListBucket",
	"sns:CreateTopic",
	"sns:GetTopicAttributes",
	"sns:ListSubscriptionsByTopic",
	"sns:Subscribe",
	"sqs:GetQueueAttributes",
	"sqs:GetQueueUrl",
	"codebuild:CreateProject",
	"codebuild:DeleteProject",
	"codebuild:BatchGetBuilds",
	"codebuild:StartBuild",
	]
	resources = ["*"]
	effect = "Allow"
	}
	statement {
	sid = "AllowS3OperationsOnElasticBeanstalkBuckets"
	actions = [
	"s3:*"
	]
	resources = [
	"arn:aws:s3:::*"
	]
	effect = "Allow"
	}
	statement {
	sid = "AllowDeleteCloudwatchLogGroups"
	actions = [
	"logs:DeleteLogGroup"
	]
	resources = [
	"arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk*"
	]
	effect = "Allow"
	}
	statement {
	sid = "AllowCloudformationOperationsOnElasticBeanstalkStacks"
	actions = [
	"cloudformation:*"
	]
	resources = [
	"arn:aws:cloudformation:*:*:stack/awseb-*",
	"arn:aws:cloudformation:*:*:stack/eb-*"
	]
	effect = "Allow"
	}
	}

This policy document is way too permissive and is not required in a first time to ensure elastic beanstalk environment functionnalities.

Expected Behavior

These rights should not be set by default and user may define its own rights using extended_ec2_policy_document.

Since the web_tier, elastic_beanstalk_multi_container_docker and worker_tier are set by default, any depoyed env have enough rights to ensure minimal requirements.

Use Case

We recently deployed multiple environments using this module but we realized recently that each environment that was deployed had access to all S3 bucket thanks to these default rights.

Alternatives Considered

• I was thinking about a feature like those asked in Allow use of existing IAM role for EC2 instance profile #107 Allow use of existing IAM role for EC2 instance profile #113 but since default rights stay in place, it may be a requirement for these 2 requests too.

• I tried to override the rights using extended_ec2_policy_document (using https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document#override_json) but since there is a block with an empty sid, I cannot fully override these. Plus I cannot override rights with an empty policy document.

Additional Context

I didn't found any documentation about default required rights for beanstalk ec2 instance instead those about worker tier multicontainer tiers and webtier (https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles-instance.html).

I consider that the tiers rights are the only required to begin and so remove all unwanted default rights.

I'm still testing on my side some elements but it's hard to have a global testing coverage of all beanstalk features. Any feedback is welcome.

Since many users may have started use this module with these default rights, maybe that using a variable to keep these default rights could be a solution. Or add a note in the doc to explain how to keep older default rights using extended_ec2_policy_document.

[VictorCovalski]

Hi @florian0410.

I can't agree with you more on this issue. Until this gets fixed, I've modified my local copy of the module to include an input variable to override the iam instance profile that get's created with this module. Outside the module, I've created an IAM instance profile associated to an IAM Role that has the AWS Elasticbeanstalk webtier managed policy attached to it.

I could make a PR later this week if the maintainers think this is useful.

[florian0410]

Thank you for your answer @VictorCovalski,

Since the maintainers seems to use this module less they don't do many PR but are still available for reviewing and validating these.

So a PR seems to be the best way to propose a fix anyway. I was planning to create one someday but I'm still waiting for my previous one to be validated.

Don't hesitate to ping me if you do a PR for some brainstorming.

Since there are many ways to do, I'm not sure yet if I should go on a variable to specify an external iam_instance_profile as you do or if we should start slowly by having the extended_ec2_policy_document as single entrypoint for setting rights.

[eredinger-ccc]

+1 for this issue, following this for a resolution. I also am creating a local module on my end to fix.

[razorsedge]

See #147 as related.