by doug_neumann
1970 days ago
We need read access to your production environment to survey your infrastructure. Then, depending on the services you're using, we need the ability to back up data, share it with your recovery environment, and clean up old backups. We make it easy to set this up by giving you a CloudFormation template that includes the roles, policies, etc. Some of the actions we need to perform can't be completely locked down via IAM policies. An example is the ModifySnapshot API that is used to share EBS snapshots with other accounts. IAM policies don't allow you to constrain which accounts those snapshots are shared with, and we don't want to be sharing your data with any account that isn't yours. So, instead of asking for ModifySnapshot permissions directly, we include a Lambda function in the CloudFormation template. This function wraps the ModifySnapshot API and adds validation of the target account. Our role has Invoke permission for this function, but not for ModifySnapshot, thereby eliminating that exfiltration vector. In the recovery environment, we need more permission to create/modify/destroy the infrastructure that we are managing for you, but we still take a least-privilege approach. We also include a Lambda function in that CloudFormation template to constrain the potentially dangerous APIs.
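The guard Lambda described in the post, as an added example that is neither the poster's nor the vendor's code: it checks every target account ID against an allowlist (assumed here to arrive via an ALLOWED_ACCOUNT_IDS environment variable set by the template), rejects public or "remove" operations, and only then calls the EC2 action actually behind snapshot sharing, ModifySnapshotAttribute, so the invoking role needs lambda:InvokeFunction on this function and not ec2:ModifySnapshotAttribute.

```python
"""Guard Lambda: share an EBS snapshot only with pre-approved AWS accounts."""
import os
import re

# Constructed default for this example; a deployment would inject the customer's
# recovery account IDs through the CloudFormation template (assumption).
ALLOWED_ACCOUNT_IDS = frozenset(
    a.strip()
    for a in os.environ.get("ALLOWED_ACCOUNT_IDS", "111111111111").split(",")
    if a.strip()
)
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
SNAPSHOT_ID_RE = re.compile(r"^snap-[0-9a-f]{8}([0-9a-f]{9})?$")


def validate_share_request(event, allowed=ALLOWED_ACCOUNT_IDS):
    """Return (snapshot_id, user_ids) for an in-policy request, else raise ValueError.

    Only an explicit per-account 'add' is accepted: no Group/GroupNames (which
    would make the snapshot public), no removals, no account outside the allowlist.
    """
    snapshot_id = event.get("SnapshotId", "")
    if not isinstance(snapshot_id, str) or not SNAPSHOT_ID_RE.match(snapshot_id):
        raise ValueError("malformed SnapshotId")
    if event.get("OperationType", "add") != "add":
        raise ValueError("only OperationType=add is permitted")
    if event.get("GroupNames") or event.get("Group"):
        raise ValueError("public (group) sharing is never permitted")
    user_ids = event.get("UserIds")
    if not isinstance(user_ids, list) or not user_ids:
        raise ValueError("UserIds must be a non-empty list")
    for uid in user_ids:
        if not isinstance(uid, str) or not ACCOUNT_ID_RE.match(uid):
            raise ValueError(f"malformed account id: {uid!r}")
        if uid not in allowed:
            raise ValueError(f"account {uid} is not in the allowlist")
    return snapshot_id, list(user_ids)


def handler(event, context=None, ec2=None, allowed=ALLOWED_ACCOUNT_IDS):
    """Lambda entry point; `ec2` is injectable so the guard can be tested offline."""
    snapshot_id, user_ids = validate_share_request(event, allowed)
    if ec2 is None:
        import boto3  # imported lazily so the validation logic runs without AWS
        ec2 = boto3.client("ec2")
    # The only place ec2:ModifySnapshotAttribute is exercised; callers hold
    # lambda:InvokeFunction on this function, not the EC2 action itself.
    ec2.modify_snapshot_attribute(
        SnapshotId=snapshot_id, Attribute="createVolumePermission",
        OperationType="add", UserIds=user_ids,
    )
    return {"SnapshotId": snapshot_id, "SharedWith": user_ids}
```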