Cloudera Community

Support Questions

Find answers, ask questions, and share your expertise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Advanced Search
Solved Go to solution

What is the least privilege access model for AWS IAS roles with Cloudbreak?

Labels:
avatar
author-rank ccasano
Guru

Created ‎05-12-2016 04:15 AM

Many financial and highly regulated institutions use least privilege access models when rolling out software features to end users. With Cloudbreak, what is the least privilege access model that you would have to supply in AWS to make this work? Additionally, how can you ensure that the IAM accounts can manage their own VPC deployment while still ensuring that they can't change configuration for other VPC's using the same account.

1,973 Views
1 ACCEPTED SOLUTION

avatar
author-rank drussell
Guru

Created ‎05-12-2016 07:19 AM

Hi @ccasano There was a post that covers the minimum privilidge set that you require for Cloudbreak on AWS by @lpapp.

https://community.hortonworks.com/questions/30242/list-of-policies-required-by-cloudbreak-to-launch....

As for the intracacies of VPC management, unless anyone here knows, that might be a question better answered by Amazon.

View solution in original post

1,714 Views
4 REPLIES 4

avatar
author-rank drussell
Guru

Created ‎05-12-2016 07:19 AM

Hi @ccasano There was a post that covers the minimum privilidge set that you require for Cloudbreak on AWS by @lpapp.

https://community.hortonworks.com/questions/30242/list-of-policies-required-by-cloudbreak-to-launch....

As for the intracacies of VPC management, unless anyone here knows, that might be a question better answered by Amazon.

1,715 Views

avatar
author-rank ccasano
Guru

Created ‎05-12-2016 12:06 PM

@drussell Thanks. I saw this list too but I'm not sure if it's least access. I can see places where you can create conditions in the policy so that you can only work in a specific VPC, such as:

"Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:############:vpc/vpc-XXXXXX"
                }

Or even get really specific on resources. So instead of using "Resource":"*" in the policy, you can get it down to the instances in a certain availability zone. For example: 

"Resource": "arn:aws:ec2:us-east-1::instance/*"

The list of roles are good but the resources and conditions on these roles are just as important. Especially as we discuss with Info Sec team and justify why.

1,714 Views
0 Kudos

avatar
author-rank drussell
Guru

Created ‎05-12-2016 02:12 PM

Hi @ccasano, understood, I don't believe such a list exists right now, unless @lpapp knows differently, or could generate such a list?

1,714 Views
0 Kudos

avatar
author-rank tbihari author-rank
Expert Contributor

Created ‎05-12-2016 01:25 PM

Hi @ccasano,

There was a question about the most strict list of policies that required by Cloudbreak. The necessary events/aws-service could be found in the referenced list.

About 'ensuring that the IAM accounts can manage their own VPC deployment while still ensuring that they can't change configuration for other VPC's using the same account' - there is no such thing built in Cloudbreak, but you can try the following (was not tested):

- create the role with a policy that's restricted to certain resources that follow a naming convention (like *CB-*) and use that naming convention for every cluster you create through Cloudbreak (name your clusters CB-*)

Br,

Tamas

1,714 Views
0 Kudos
Announcements
What's New @ Cloudera
Cloudera Data Engineering 1.23: Access Spark from Your Favor...
What's New @ Cloudera
HBase REST server scaling support is Generally Available
What's New @ Cloudera
New CLI option in the update-database command
What's New @ Cloudera
New Action menu item in the Cloudera Operational Database UI
What's New @ Cloudera
Get the list of supported instance types in the Cloudera Ope...
View More Announcements