The only down side of this would be any secrets stored in any SSM
Parameter Store locations, but at this point in time I don't think there
are any; historically, people would store secrets into S3 buckets
(probably client-side encrypted, definitely server side encrypted).
These secrets could be locked down to being accessible to only specific
IP ranges, and now to specific VPCs (see VPC Endpoints, specifically S3
Endpoints). Again, I don't think we're doing that.

I was trying a few years ago to have SAML federation, but no one seemed
interested. Hence we have local users, and we've enforced MFA for all.

You'll find there are "Managed Policies" for "read-only", which are
updated as a managed service to reflect read-only as new permissions and
services are added. Note that any DENY policies win, so a combination of
a managed Read Only everything, with DENY on SSM ParameterStore
GetParameters [1] is probably enough.

Note that for IAM itself, you would be able to list API access key IDs,
but never the Access key secrets (these are never re-issued).

I wouldn't go as far as making this visible to people outside of DDs.


{
  "Effect": "Deny",
  "Action": [ "ssm:GetParameters" ],
  "Resource": "arn:aws:ssm:*:DIGITSHERE:parameter/*"
}

On 10/08/2017 4:44 PM, Bastian Blank wrote:
> Hi
> On Thu, Aug 10, 2017 at 08:28:44AM +0100, kuLa wrote:
>> I'm recently fiddling a lot with permissions on the Debian AWS account and it's
>> been pointed to me that it's worth considering updating IAM settings a bit.
>> Having above in mind and that DDs are already trusted enough :-) I'm thinking
>> about giving a full RO to all DDs which are having access to the AWS account.
>> What are the people thoughts about this?
> I was the one bringing this up.  In the beginning I just wanted to see
> what real world AWS IAM policies look like and maybe learn a little
> about that permission system.  This would also enable me to provide
> complete patches if modifications are necessary.  
> I started with trying to access this information using the web interface
> and every time a new required permission kept popping up.  The current
> workflow of granting read permissions one by one does not really scale.
> So I asked the question if there are informations and services inside
> this account that are so secret that fellow DD would be not allowed to
> read them.
> Regards,
> Bastian
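Added example, not part of the thread above and not the Debian account's real policy: a toy evaluator for the IAM rule James relies on ("any DENY policies win"), run over a constructed stand-in for the managed read-only policy plus the Deny statement from his message. The stand-in Allow list, the account id 123456789012 (standing in for DIGITSHERE) and the parameter ARNs are all made up here; the evaluator ignores Condition, NotAction, principals, permission boundaries and SCPs. The second Deny variant goes beyond the message: ssm:GetParameter, ssm:GetParametersByPath and ssm:GetParameterHistory also return parameter values, so a Deny that names only ssm:GetParameters still lets the stand-in's ssm:Get* allow those through.

```python
"""Toy IAM evaluator: explicit Deny beats Allow; no matching Allow is an
implicit deny. Added example, not AWS's evaluator and not the Debian
account's policy; the Allow statement below is a constructed subset of
what a managed read-only policy grants, and 123456789012 is a made-up
account id standing in for DIGITSHERE in the original message."""
import re

ACCOUNT = "123456789012"  # constructed placeholder account id

# Constructed stand-in for a managed read-only policy (the real one is far larger).
READ_ONLY_STAND_IN = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:Describe*", "s3:Get*", "s3:List*",
                    "iam:Get*", "iam:List*", "ssm:Describe*", "ssm:Get*"],
         "Resource": "*"}
    ],
}

# The Deny from the original message, wrapped in a complete policy document.
DENY_GETPARAMETERS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["ssm:GetParameters"],
         "Resource": f"arn:aws:ssm:*:{ACCOUNT}:parameter/*"}
    ],
}

# Broader variant covering the other SSM read actions that return parameter values.
DENY_PARAMETER_READS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny",
         "Action": ["ssm:GetParameter", "ssm:GetParameters",
                    "ssm:GetParametersByPath", "ssm:GetParameterHistory"],
         "Resource": f"arn:aws:ssm:*:{ACCOUNT}:parameter/*"}
    ],
}


def _pattern_to_regex(pattern: str) -> str:
    """IAM wildcards: '*' matches any run of characters, '?' exactly one."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return "^" + "".join(parts) + "$"


def _matches(pattern: str, value: str, case_insensitive: bool) -> bool:
    flags = re.IGNORECASE if case_insensitive else 0
    return re.match(_pattern_to_regex(pattern), value, flags) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _statement_applies(stmt: dict, action: str, resource: str) -> bool:
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    # Action names are case-insensitive in IAM; resource ARNs are not.
    return (any(_matches(a, action, True) for a in actions)
            and any(_matches(r, resource, False) for r in resources))


def evaluate(policies: list, action: str, resource: str) -> str:
    """Return 'Deny' (explicit), 'Allow', or 'ImplicitDeny' for one request."""
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, resource):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny wins regardless of any Allow
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


if __name__ == "__main__":
    secret = f"arn:aws:ssm:eu-west-1:{ACCOUNT}:parameter/prod/db-password"
    for deny in (DENY_GETPARAMETERS, DENY_PARAMETER_READS):
        combo = [READ_ONLY_STAND_IN, deny]
        for act in ("ec2:DescribeInstances", "ssm:GetParameters", "ssm:GetParameter"):
            print(f"{act:24} -> {evaluate(combo, act, secret)}")
```

Running it shows ssm:GetParameters denied with either Deny, while ssm:GetParameter is only denied once the broader statement is attached; IAM's own List* and Get* calls stay allowed, which matches the remark that access key IDs would be listable but the secrets never returned.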
