Support Questions

Find answers, ask questions, and share your expertise

What is the least privilege access model for AWS IAS roles with Cloudbreak?

avatar

Many financial and highly regulated institutions use least privilege access models when rolling out software features to end users. With Cloudbreak, what is the least privilege access model that you would have to supply in AWS to make this work? Additionally, how can you ensure that the IAM accounts can manage their own VPC deployment while still ensuring that they can't change configuration for other VPC's using the same account.

1 ACCEPTED SOLUTION

avatar

Hi @ccasano There was a post that covers the minimum privilidge set that you require for Cloudbreak on AWS by @lpapp.

https://community.hortonworks.com/questions/30242/list-of-policies-required-by-cloudbreak-to-launch....

As for the intracacies of VPC management, unless anyone here knows, that might be a question better answered by Amazon.

View solution in original post

4 REPLIES 4

avatar

Hi @ccasano There was a post that covers the minimum privilidge set that you require for Cloudbreak on AWS by @lpapp.

https://community.hortonworks.com/questions/30242/list-of-policies-required-by-cloudbreak-to-launch....

As for the intracacies of VPC management, unless anyone here knows, that might be a question better answered by Amazon.

avatar

@drussell Thanks. I saw this list too but I'm not sure if it's least access. I can see places where you can create conditions in the policy so that you can only work in a specific VPC, such as:

"Condition": {
                "StringEquals": {
                    "ec2:vpc": "arn:aws:ec2:us-east-1:############:vpc/vpc-XXXXXX"
                }

Or even get really specific on resources. So instead of using "Resource":"*" in the policy, you can get it down to the instances in a certain availability zone. For example:

"Resource": "arn:aws:ec2:us-east-1::instance/*"

The list of roles are good but the resources and conditions on these roles are just as important. Especially as we discuss with Info Sec team and justify why.

avatar

Hi @ccasano, understood, I don't believe such a list exists right now, unless @lpapp knows differently, or could generate such a list?

avatar
Expert Contributor

Hi @ccasano,

There was a question about the most strict list of policies that required by Cloudbreak. The necessary events/aws-service could be found in the referenced list.

About 'ensuring that the IAM accounts can manage their own VPC deployment while still ensuring that they can't change configuration for other VPC's using the same account' - there is no such thing built in Cloudbreak, but you can try the following (was not tested):

- create the role with a policy that's restricted to certain resources that follow a naming convention (like *CB-*) and use that naming convention for every cluster you create through Cloudbreak (name your clusters CB-*)

Br,

Tamas