From e764a5b0884ced89e880299dc48ec7b3941cf790 Mon Sep 17 00:00:00 2001
From: Ken Brewer
Date: Thu, 18 Sep 2025 14:50:23 -0700
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20improve=20AWS=20Cloud=20IAM=20po?= =?UTF-8?q?licy=20security=20by=20restricting=20resource=20scopes?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Scope IAM roles and instance profiles to TowerForge* prefix
- Add resource-level restrictions for EC2 operations
- Split launch policy into granular statements with conditions
- Restrict instance operations to TowerForge-* tagged resources
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
platform-cloud/docs/compute-envs/aws-cloud.md | 63 ++++++++++++++++---
1 file changed, 55 insertions(+), 8 deletions(-)
diff --git a/platform-cloud/docs/compute-envs/aws-cloud.md b/platform-cloud/docs/compute-envs/aws-cloud.md
index 65a80a5a9..478a357e2 100644
--- a/platform-cloud/docs/compute-envs/aws-cloud.md
+++ b/platform-cloud/docs/compute-envs/aws-cloud.md
@@ -70,11 +70,21 @@ The following permissions are required to provision resources in the AWS account
 "iam:CreateInstanceProfile",
 "iam:AttachRolePolicy",
 "iam:PutRolePolicy",
- "iam:PassRole",
 "iam:TagRole",
 "iam:TagInstanceProfile"
 ],
- "Resource": "*"
+ "Resource": [
+ "arn:aws:iam::*:role/TowerForge*",
+ "arn:aws:iam::*:instance-profile/TowerForge*"
+ ]
+ },
+ {
+ "Sid": "AwsCloudCreatePassRole",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": "arn:aws:iam::*:role/TowerForge*"
 }
 ]
 }
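Review bot: The new `AwsCloudCreatePassRole` statement limits which role can be passed but not to which service, so a `TowerForge*` role could be passed to any service that accepts it; since the sibling resources in this hunk are EC2 instance profiles, add `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` to that statement (confirm no other service needs the role). In the preceding statement, scoping `iam:AttachRolePolicy` and `iam:PutRolePolicy` to `role/TowerForge*` constrains the target role but not the policy content, so an AWS-managed administrative policy could still be attached to such a role; the `iam:PolicyARN` condition key on `AttachRolePolicy`, or a required `iam:PermissionsBoundary` on `iam:CreateRole`, would bound what these roles can do. That statement's `Sid` and the start of its `Action` list are before this hunk, so the full action set is not visible here.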
@@ -111,15 +121,49 @@ The following permissions are required to launch pipelines, run Studio sessions,
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "AwsCloudLaunch",
+ "Sid": "AwsCloudLaunchEC2",
 "Effect": "Allow",
 "Action": [
 "ec2:RunInstances",
- "ec2:DescribeInstances",
 "ec2:CreateTags",
- "ec2:TerminateInstances",
- "ec2:DeleteTags",
- "logs:GetLogEvents",
+ "ec2:DeleteTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:subnet/*",
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*:*:image/*"
+ ]
+ },
+ {
+ "Sid": "AwsCloudLaunchInstances",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/Name": "TowerForge-*"
+ }
+ }
+ },
+ {
+ "Sid": "AwsCloudLaunchLogs",
+ "Effect": "Allow",
+ "Action": [
+ "logs:GetLogEvents"
+ ],
+ "Resource": "arn:aws:logs:*:*:log-group:*:log-stream:*"
+ },
+ {
+ "Sid": "AwsCloudLaunchS3",
+ "Effect": "Allow",
+ "Action": [
 "s3:GetObject"
 ],
 "Resource": "*"
@@ -149,7 +193,10 @@ The following permissions are required to remove resources created by Seqera whe
 "iam:DetachRolePolicy",
 "iam:DeleteRolePolicy"
 ],
- "Resource": "*"
+ "Resource": [
+ "arn:aws:iam::*:role/TowerForge*",
+ "arn:aws:iam::*:instance-profile/TowerForge*"
+ ]
 }
 ]
 }
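Review bot: `ec2:DescribeInstances` will be denied rather than restricted by the new `AwsCloudLaunchInstances` statement, because `Describe*` actions do not support resource-level permissions or the `ec2:ResourceTag/*` condition keys; the key is absent from the request context, `StringLike` evaluates to false, and no other statement in this hunk grants the action, so the launch flow would lose visibility of the instances it starts. Move it into its own unconditioned statement, e.g. `{"Sid": "AwsCloudLaunchDescribe", "Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}`, and keep only `ec2:TerminateInstances` under the tag condition. `ec2:CreateTags` and `ec2:DeleteTags` in `AwsCloudLaunchEC2` apply to every `instance/*` in the account, and since the terminate guard keys on the `Name` tag the guard is only as strong as control over tag writes; placing `ec2:CreateTags` in a separate statement with `"Condition": {"StringEquals": {"ec2:CreateAction": "RunInstances"}}` confines tagging to launch time. The `AwsCloudLaunchS3` statement still carries `"Resource": "*"`, which is inconsistent with the resource scoping the commit applies elsewhere; that statement and the policy's closing lines continue past the end of the hunk.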