Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-58037

Insecure IAM policy in documentation

XMLWordPrintable

    • Icon: Improvement Improvement
    • Resolution: Unresolved
    • Icon: Major Major
    • amazon-ecs-plugin
    • None

      I'm unable to find a way to submit a PR to the documentation of this project.

      However in the wiki, The advised IAM configuration is highly insecure.

      It allows the assigned entity to stop any task on any cluster rather then scoping to a specific environment (cluster) this allows your Jenkins master to stop any ECS container/task , including all your production ones through misconfiguration or nefarious activity.

      I've provided the corrected policy below.

      Incorrect policy:

      {
    "Sid": "Stmt1452746887376",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/*"
}

      Secure policy:

      { 
    "Sid": "",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/<constraining further here is also advisable if possible>*",
    "Condition" : {
        "StringEquals" : {
            "ecs:cluster": "<your cluster's ARN for CI>"
        }
    }
}

       

            Unassigned Unassigned
            russmac Russell Maclean
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: