Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Only allow tagging and termination of runner instances #201

Merged
merged 1 commit into from
Sep 14, 2020
Merged

Only allow tagging and termination of runner instances #201

merged 1 commit into from
Sep 14, 2020

Conversation

jpalomaki
Copy link
Contributor

@jpalomaki jpalomaki commented Sep 8, 2020
edited
Loading

Identify the Bug

Scaling lambda IAM roles permit tagging and termination of arbitrary EC2 instances, which is not desirable.

Description of the Change

Harden scaling lambda IAM policies to ensure we can only tag and terminate runner instances by:

  • Scoping ec2:CreateTags to just instance creation
  • Disallowing ec2:DeleteTags (seems to be unused anyways)
  • Allowing ec2:TerminateInstances for only tagged runner instances

Alternate Designs

N/A

Possible Drawbacks

N/A

Verification Process

This was tested by deploying the runner stack to an AWS account, and having the lambdas scale runners up and down, both of which seem to have succeeded without errors (looking at lambda logs and EC2 instance states).

Release Notes

  • Only allow tagging and termination of runner EC2 instances

@jpalomaki jpalomaki changed the title Only allow termination of runner instances Only allow tagging and termination of runner instances Sep 8, 2020
@npalm
Copy link
Member

npalm commented Sep 14, 2020

Looks good, will run a check later this week. Thanks for creating the PR

@npalm npalm self-requested a review September 14, 2020 18:59
npalm
npalm approved these changes Sep 14, 2020
View reviewed changes
Copy link
Member

@npalm npalm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jpalomaki thanks for the improvment

@npalm npalm merged commit 4c08f9f into philips-labs:develop Sep 14, 2020
@jpalomaki jpalomaki deleted the limit-termination-ability branch September 15, 2020 08:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@npalm npalm npalm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@jpalomaki @npalm