Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-58037

Insecure IAM policy in documentation

    XMLWordPrintable

    Details

    • Similar Issues:

      Description

      I'm unable to find a way to submit a PR to the documentation of this project.

      However in the wiki, The advised IAM configuration is highly insecure.

      It allows the assigned entity to stop any task on any cluster rather then scoping to a specific environment (cluster) this allows your Jenkins master to stop any ECS container/task , including all your production ones through misconfiguration or nefarious activity.

      I've provided the corrected policy below.

      Incorrect policy:

      {
          "Sid": "Stmt1452746887376",
          "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
          "Effect": "Allow",
          "Resource": "arn:aws:ecs:<region>:<accountId>:task/*"
      }
      

      Secure policy:

      { 
          "Sid": "",
          "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
          "Effect": "Allow",
          "Resource": "arn:aws:ecs:<region>:<accountId>:task/<constraining further here is also advisable if possible>*",
          "Condition" : {
              "StringEquals" : {
                  "ecs:cluster": "<your cluster's ARN for CI>"
              }
          }
      }
      

       

        Attachments

          Activity

          There are no comments yet on this issue.

            People

            Assignee:
            Unassigned Unassigned
            Reporter:
            russmac Russell Maclean
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Dates

              Created:
              Updated: