Restricting Master IAM Role Permissions in AWS for OCP 4.x

Solution Verified

Issue

The permissions assigned by default to the Master IAM Role when deploying and maintaining an OCP 4 cluster in AWS (as seen below) include two wildcard Allow permissions: one for ec2 actions and the other for elasticloadbalancing actions.
Granting wildcard permissions can be a security concern as:

  1. It violates the best practice of least privilege.
  2. Additional actions can be added to a service's current list of actions, and a wildcard automatically allows those new actions as well. This can result in permitting actions that should not be allowed.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "ec2:*",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "iam:PassRole",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::*",
            "Effect": "Allow"
        },
        {
            "Action": "elasticloadbalancing:*",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
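Before tightening the role, it helps to have a repeatable check that reports exactly which statements carry the wildcard grants described above. The Python script below is an added example, not part of this solution or of OpenShift; it parses an IAM policy document (the default Master IAM Role policy quoted above is embedded as the sample input) and returns every Allow statement whose Action is a full, service-level or partial wildcard, treating an Allow with NotAction as a wildcard too.

```python
import json

# Sample input: the default Master IAM Role policy quoted in the Issue section.
DEFAULT_MASTER_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "ec2:*", "Resource": "*", "Effect": "Allow"},
        {"Action": "iam:PassRole", "Resource": "*", "Effect": "Allow"},
        {"Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::*", "Effect": "Allow"},
        {"Action": "elasticloadbalancing:*", "Resource": "*", "Effect": "Allow"}
    ]
}"""


def _as_list(value):
    """IAM lets Action/Resource/Statement be a string, a dict or a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def find_wildcard_grants(policy_doc):
    """Return (statement index, action, resources, reason) for every wildcard
    action granted by an Allow statement; accepts a JSON string or a dict."""
    policy = json.loads(policy_doc) if isinstance(policy_doc, str) else policy_doc
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        # NotAction in an Allow statement grants every action that is not listed.
        if "NotAction" in stmt:
            findings.append((idx, "NotAction", resources, "allows all unlisted actions"))
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                reason = "all actions on all services"
            elif action.endswith(":*"):
                reason = "all actions of service " + action.split(":", 1)[0]
            elif "*" in action:
                reason = "partial action wildcard"
            else:
                continue  # a fully qualified action such as iam:PassRole
            findings.append((idx, action, resources, reason))
    return findings


if __name__ == "__main__":
    for idx, action, resources, reason in find_wildcard_grants(DEFAULT_MASTER_POLICY):
        print("statement %d: %s on %s (%s)" % (idx, action, ",".join(resources), reason))
```

To audit the live role instead of the embedded sample, pass the PolicyDocument object from the output of `aws iam get-role-policy` to find_wildcard_grants.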

Environment

Red Hat OpenShift Container Platform (OCP) 4.2
Red Hat OpenShift Container Platform (OCP) 4.3
Red Hat OpenShift Container Platform (OCP) 4.4
AWS (Amazon Web Services)
