AWS / IAM policy for managing RDS snapshots?

I am working on a script to automatically take an RDS snapshot every day and name it according to a template (e.g. mydb-snapshot-20141031). The script itself is quite simple, but I ran into problems trying to lock it down so that, if the key pair associated with the script is compromised, the attacker can only damage my snapshots, not the database.

Searching the Internet and reading the RDS IAM policy guide did not help me (at least not in any way I was able to reproduce), so I hope someone here has solved this before (or understands that guide better than I do). Here is what I want:

  • Permission to take a snapshot of a database instance named "mydb"
  • Permission to list snapshots matching mydb-snapshot-*
  • Permission to delete snapshots matching mydb-snapshot-*

Here is what I am trying to protect against:

  • I do not want this user to be able to interact with any part of AWS outside of RDS
  • I do not want this user to be able to actually modify any of my RDS instances, including "mydb"
  • I do not want this user to be able to modify snapshots that do not match mydb-snapshot-*

Perhaps this cannot be done (I cannot find documentation for the "delete" companion of the rds:CreateDBSnapshot policy action). It would be nice if the DeleteDBSnapshot documentation actually included a list of the permissions required to use it.

1 answer

In the end, I found the DeleteDBSnapshot permission, but later I realized that what I really wanted was to restrict the actions to a specific database instance identifier, which, as I have now seen, is impossible because of how the AWS commands actually work. So you should create a policy that looks something like this:

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "rds:AddTagsToResource",
                    "rds:DeleteDBSnapshot"
                ],
                "Condition": {
                    "StringEquals": {
                        "rds:snapshot-tag/MY_TAG_KEY": [ "MY_TAG_VALUE" ]
                    }
                },
                "Resource": "arn:aws:rds:us-west-2::snapshot:mydb-snapshot-*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:ListTagsForResource",
                    "rds:CreateDBSnapshot"
                ],
                "Resource": "arn:aws:rds:us-west-2:*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "rds:DescribeDBSnapshots"
                ],
                "Resource": "*"
            }
        ]
    }

A few notes / disclaimers:

  • For most snapshot commands, the Resource property of the policy is checked against the DBSnapshotIdentifier, but for CreateDBSnapshot it refers to the DBInstanceIdentifier (the RDS database name).
  • DescribeDBSnapshots always works globally, so it must be granted for all resource values ("*"). You can't even limit it by region.
  • ListTagsForResource throws a permission error if you try to limit it to the full path of the snapshot resource.
  • You do not need it, but I have included an example Condition for those who wish to additionally (or alternatively) restrict by tags. As with the Resource restriction, ListTagsForResource and CreateDBSnapshot do not work if you try to restrict them to specific tags.

This solves my main problem of limiting the damage if the keys attached to this policy are compromised: an attacker can only delete my rolling snapshots, not manually created snapshots or the database instances themselves. Unfortunately, it still allows an unlimited number of snapshots to be created in a given region, but there seems to be no way to restrict CreateDBSnapshot any further.

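The daily rotation script the question describes, written here as an added example (not the asker's script, the answer's code, or anything from AWS) to sit behind the answer's policy: it names each snapshot mydb-snapshot-YYYYMMDD and only ever asks to delete identifiers that carry that prefix and a parseable date, so even a leaked key holding rds:DeleteDBSnapshot on mydb-snapshot-* never has the manual snapshots DescribeDBSnapshots returns put in front of it. It assumes the policy is used without the optional tag Condition, a boto3 RDS client for real runs, and the constructed FakeRDS stand-in (with constructed snapshot names) for running offline.

```python
from datetime import date, datetime, timedelta
DB_INSTANCE = "mydb"
PREFIX = "mydb-snapshot-"   # same prefix as the policy's Resource ...snapshot:mydb-snapshot-*

def snapshot_name(day):
    """Daily snapshot identifier, e.g. mydb-snapshot-20141031."""
    return f"{PREFIX}{day:%Y%m%d}"

def expired_snapshots(snapshots, today, keep_days):
    """Rolling snapshots older than keep_days: only names with PREFIX and a parseable date
    qualify, so manual snapshots (which DescribeDBSnapshots cannot hide) are never chosen."""
    cutoff = today - timedelta(days=keep_days)
    expired = []
    for snap in snapshots:
        name = snap["DBSnapshotIdentifier"]
        if not name.startswith(PREFIX) or snap.get("Status") != "available":
            continue
        try:
            taken = datetime.strptime(name[len(PREFIX):], "%Y%m%d").date()
        except ValueError:
            continue   # prefix matches but the suffix is not a date: leave it alone
        if taken < cutoff:
            expired.append(name)
    return expired

def rotate(rds, today, keep_days=7):
    """One daily run: create today's snapshot, then delete expired rolling ones.
    rds is a boto3 RDS client, or the FakeRDS below when run offline."""
    created = snapshot_name(today)
    rds.create_db_snapshot(DBInstanceIdentifier=DB_INSTANCE, DBSnapshotIdentifier=created)
    page = rds.describe_db_snapshots(DBInstanceIdentifier=DB_INSTANCE)
    expired = expired_snapshots(page["DBSnapshots"], today, keep_days)
    for name in expired:
        rds.delete_db_snapshot(DBSnapshotIdentifier=name)
    return {"created": created, "deleted": expired}

class FakeRDS:   # constructed stand-in for the boto3 client so the example runs offline
    def __init__(self, names):
        self.snapshots = [{"DBSnapshotIdentifier": n, "Status": "available"} for n in names]
    def create_db_snapshot(self, DBInstanceIdentifier, DBSnapshotIdentifier):
        self.snapshots.append({"DBSnapshotIdentifier": DBSnapshotIdentifier, "Status": "creating"})
    def describe_db_snapshots(self, DBInstanceIdentifier):
        return {"DBSnapshots": list(self.snapshots)}
    def delete_db_snapshot(self, DBSnapshotIdentifier):
        self.snapshots = [s for s in self.snapshots if s["DBSnapshotIdentifier"] != DBSnapshotIdentifier]

def demo():   # constructed fleet: two rolling snapshots, a manual one, and an odd prefix match
    rds = FakeRDS(["mydb-snapshot-20141020", "mydb-snapshot-20141030",
                   "mydb-manual-before-upgrade", "mydb-snapshot-final"])
    return rotate(rds, date(2014, 10, 31), keep_days=7), rds
```

With a real client, `describe_db_snapshots` is paginated, so a production run should walk the paginator rather than read a single page.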

Source: https://habr.com/ru/post/1206039/