Restricting Master IAM Role Permissions in AWS for OCP 4.x
Issue
The permissions assigned by default to the Master IAM Role when deploying and maintaining an OCP 4 cluster in AWS (shown below) include two wildcard Allow permissions: one for ec2 actions and the other for elasticloadbalancing actions.
Granting wildcard permissions is a security concern because:
- It violates the best practice of least privilege.
- Additional actions may later be added to the services covered by the wildcard, and the wildcard automatically allows them. This can result in permitting actions that should not be allowed.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "ec2:*",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "iam:PassRole",
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::*",
      "Effect": "Allow"
    },
    {
      "Action": "elasticloadbalancing:*",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
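The following is an added audit script, not part of the original article or of OpenShift itself. It loads the Master IAM Role policy shown above (embedded as constructed sample input) and reports every Allow statement whose action is a wildcard, distinguishing a bare "*", a service-wide "ec2:*" and a prefix such as "ec2:Describe*", so the two statements the article flags can be located by index in the policy document.

```python
import json

# The Master IAM Role policy quoted above, embedded as constructed sample
# input for this example (not read from a live account).
MASTER_ROLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Action": "ec2:*", "Resource": "*", "Effect": "Allow"},
    {"Action": "iam:PassRole", "Resource": "*", "Effect": "Allow"},
    {"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::*", "Effect": "Allow"},
    {"Action": "elasticloadbalancing:*", "Resource": "*", "Effect": "Allow"}
  ]
}""")

def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def wildcard_scope(action):
    """'all' for '*', 'service' for 'ec2:*', 'prefix' for 'ec2:Describe*',
    None for a fully qualified action such as 'iam:PassRole'."""
    if action == "*":
        return "all"
    _, sep, verb = action.partition(":")
    if not sep:
        return None
    if verb == "*":
        return "service"
    return "prefix" if "*" in verb else None

def find_wildcard_allows(policy):
    """One finding per wildcard action in an Allow statement, keyed by the
    statement index so the entry can be located in the policy document."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            scope = wildcard_scope(action)
            if scope is not None:
                findings.append({"statement": idx, "action": action,
                                 "scope": scope, "resource_wildcard": "*" in resources})
    return findings
```

Run against the policy above, find_wildcard_allows reports statements 0 and 3 (ec2:* and elasticloadbalancing:*), both service-wide wildcards on Resource "*"; the same function can be pointed at a policy pulled from a live account to verify that a tightened role no longer carries them.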
Environment
Red Hat OpenShift Container Platform (OCP) 4.2
Red Hat OpenShift Container Platform (OCP) 4.3
Red Hat OpenShift Container Platform (OCP) 4.4
AWS (Amazon Web Services)