From 0d5e050a5d9554d6a65c7cc0d6c8eb236d7b606e Mon Sep 17 00:00:00 2001
From: Sherif Soliman
Date: Tue, 28 May 2024 16:48:30 -0700
Subject: [PATCH 1/2] Add more IAM Actions based on needs for aibs-informatics-workflows.

---
 .../common/aws/iam_utils.py | 79 +++++++++++++++++++
 1 file changed, 79 insertions(+)

diff --git a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
index 51452f9..69a5eea 100644
--- a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
+++ b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
@@ -1,3 +1,9 @@
+"""
+The list of actions for each service is incomplete and based on our needs so far.
+A helpful resource to research actions is:
+https://www.awsiamactions.io/
+"""
+
 from typing import List, Optional, Union
 
 from aibs_informatics_core.env import EnvBase
@@ -25,6 +31,25 @@
     "batch:*",
 ]
 
+CLOUDWATCH_READ_ACTIONS = [
+    "logs:GetLogEvents",
+    "logs:GetLogRecord",
+    "logs:GetLogGroupFields",
+    "logs:GetQueryResults",
+    "logs:DescribeLogGroups",
+]
+
+CLOUDWATCH_WRITE_ACTIONS = [
+    "logs:CreateLogStream",
+    "logs:CreateLogGroup",
+    "logs:PutLogEvents",
+]
+
+CLOUDWATCH_FULL_ACCESS_ACTIONS = [
+    *CLOUDWATCH_READ_ACTIONS,
+    *CLOUDWATCH_WRITE_ACTIONS,
+]
+
 DYNAMODB_READ_ACTIONS = [
     "dynamodb:BatchGet*",
     "dynamodb:DescribeStream",
@@ -50,6 +75,26 @@
 
 EC2_ACTIONS = ["ec2:DescribeAvailabilityZones"]
 
+ECS_READ_ACTIONS = [
+    "ecs:DescribeTaskDefinition",
+    "ecs:ListTasks",
+    "ecs:DescribeTasks",
+]
+
+ECS_WRITE_ACTIONS = [
+    "ecs:RegisterTaskDefinition",
+]
+
+ECS_RUN_ACTIONS = [
+    "ecs:RunTask",
+]
+
+ECS_FULL_ACCESS_ACTIONS = [
+    *ECS_READ_ACTIONS,
+    *ECS_WRITE_ACTIONS,
+    *ECS_RUN_ACTIONS,
+]
+
 ECR_READ_ACTIONS = [
     "ecr:GetAuthorizationToken",
     "ecr:BatchCheckLayerAvailability",
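Review bot: `ECS_READ_ACTIONS` defined in this hunk is rebound further down the same module by the pre-existing `ECS_READ_ACTIONS = ["ecs:DescribeContainerInstances"]` (visible as context in the KMS hunk), so after import the module-level name holds only the one-item list while `ECS_FULL_ACCESS_ACTIONS` captured the three-item list at definition time; a caller asking for "read" and one asking for "full" get inconsistent sets. The second commit on this page merges the two definitions, which resolves it, but the first commit on its own ships the clash. Separately, keeping `ecs:RunTask` in its own `ECS_RUN_ACTIONS` is a useful least-privilege seam, since launching tasks is the action most worth scoping to specific task-definition and cluster ARNs; a one-line comment such as `# kept separate so RunTask can be granted on specific task definitions/clusters` would record that intent.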
@@ -78,6 +123,23 @@
     "ecr:UntagResource",
 ]
 
+
+KMS_READ_ACTIONS = [
+    "kms:Decrypt",
+    "kms:DescribeKey",
+]
+
+KMS_WRITE_ACTIONS = [
+    "kms:GenerateDataKey*",
+    "kms:Encrypt",
+    "kms:PutKeyPolicy",
+]
+
+KMS_FULL_ACCESS_ACTIONS = [
+    *KMS_READ_ACTIONS,
+    *KMS_WRITE_ACTIONS,
+]
+
 ECR_FULL_ACCESS_ACTIONS = [*ECR_READ_ACTIONS, *ECR_WRITE_ACTIONS, *ECR_TAGGING_ACTIONS]
 
 ECS_READ_ACTIONS = ["ecs:DescribeContainerInstances"]
@@ -122,6 +184,23 @@
 
 SNS_FULL_ACCESS_ACTIONS = ["sns:*"]
 
+SQS_READ_ACTIONS = [
+    "sqs:GetQueueAttributes",
+    "sqs:GetQueueUrl",
+    "sqs:ReceiveMessage",
+    "sqs:SendMessage",
+]
+
+SQS_WRITE_ACTIONS = [
+    "sqs:ChangeMessageVisibility",
+    "sqs:DeleteMessage",
+]
+
+SQS_FULL_ACCESS_ACTIONS = [
+    *SQS_READ_ACTIONS,
+    *SQS_WRITE_ACTIONS,
+]
+
 SSM_READ_ACTIONS = [
     "ssm:GetParameter",
     "ssm:GetParameters",

From 8b8e1141dd97823d7c0cb976cc34849fbfc97f84 Mon Sep 17 00:00:00 2001
From: Sherif Soliman
Date: Tue, 28 May 2024 17:28:43 -0700
Subject: [PATCH 2/2] Alphabetize policy actions and improve organization.

---
 .../common/aws/iam_utils.py | 92 +++++++++++--------
 1 file changed, 54 insertions(+), 38 deletions(-)

diff --git a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
index 69a5eea..90b3bea 100644
--- a/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
+++ b/src/aibs_informatics_cdk_lib/common/aws/iam_utils.py
@@ -18,6 +18,28 @@
     build_sfn_arn,
 )
 
+#
+# utils
+#
+
+
+def grant_managed_policies(
+    role: Optional[iam.IRole],
+    *managed_policies: Union[str, iam.ManagedPolicy],
+):
+    if not role:
+        return
+
+    for mp in managed_policies:
+        role.add_managed_policy(
+            iam.ManagedPolicy.from_aws_managed_policy_name(mp) if isinstance(mp, str) else mp
+        )
+
+
+#
+# policy action lists
+#
+
 BATCH_READ_ONLY_ACTIONS = [
     "batch:Describe*",
     "batch:List*",
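Review bot: `kms:PutKeyPolicy` does not belong in `KMS_WRITE_ACTIONS` next to the data-plane actions `kms:Encrypt` and `kms:GenerateDataKey*`: it rewrites the key's resource policy, so any principal granted the "write" list (and, through the splat, `KMS_FULL_ACCESS_ACTIONS`) can widen its own or others' access to the key, which is an administrative privilege rather than a write. Suggest moving it to its own list, `KMS_ADMIN_ACTIONS = ["kms:PutKeyPolicy"]`, and leaving it out of `KMS_FULL_ACCESS_ACTIONS` unless a caller explicitly needs key administration. A comment on `kms:GenerateDataKey*` noting that the wildcard also covers `GenerateDataKeyWithoutPlaintext` and the `GenerateDataKeyPair*` variants would make the breadth of that grant visible to readers.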
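Review bot: `sqs:SendMessage` is listed under `SQS_READ_ACTIONS`, but it enqueues messages, so a role granted only the read list can write to the queue, and a consumer role built from read+write silently gains producer rights it may not need. Move it to `SQS_WRITE_ACTIONS`, alongside `sqs:DeleteMessage` and `sqs:ChangeMessageVisibility`, which are the other mutating actions, or into a separate `SQS_SEND_ACTIONS` if producer and consumer roles are meant to be distinct. The alphabetizing commit below does not touch this list, so the misclassification survives both patches.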
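Review bot: `grant_managed_policies` is relocated without a docstring, and its `if not role: return` makes a `None` role a silent no-op, which a caller wiring permissions may not expect; the function's contract should say so. A one-line docstring such as `"""Attach *managed_policies* to *role*; str entries are resolved via ManagedPolicy.from_aws_managed_policy_name, and a None role is a no-op."""` covers it. As a point of style, `mp` reads better as `policy`, and the loop body could bind the resolved policy to a local before the `add_managed_policy` call instead of nesting the conditional expression inside the argument.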
@@ -32,16 +54,16 @@
 ]
 
 CLOUDWATCH_READ_ACTIONS = [
+    "logs:DescribeLogGroups",
     "logs:GetLogEvents",
-    "logs:GetLogRecord",
     "logs:GetLogGroupFields",
+    "logs:GetLogRecord",
     "logs:GetQueryResults",
-    "logs:DescribeLogGroups",
 ]
 
 CLOUDWATCH_WRITE_ACTIONS = [
-    "logs:CreateLogStream",
     "logs:CreateLogGroup",
+    "logs:CreateLogStream",
     "logs:PutLogEvents",
 ]
 
@@ -76,9 +98,10 @@
 EC2_ACTIONS = ["ec2:DescribeAvailabilityZones"]
 
 ECS_READ_ACTIONS = [
+    "ecs:DescribeContainerInstances",
     "ecs:DescribeTaskDefinition",
-    "ecs:ListTasks",
     "ecs:DescribeTasks",
+    "ecs:ListTasks",
 ]
 
 ECS_WRITE_ACTIONS = [
@@ -96,26 +119,26 @@
 ]
 
 ECR_READ_ACTIONS = [
-    "ecr:GetAuthorizationToken",
     "ecr:BatchCheckLayerAvailability",
+    "ecr:BatchGetImage",
+    "ecr:DescribeImageScanFindings",
+    "ecr:DescribeImages",
+    "ecr:DescribeRepositories",
+    "ecr:GetAuthorizationToken",
     "ecr:GetDownloadUrlForLayer",
     "ecr:GetRepositoryPolicy",
-    "ecr:DescribeRepositories",
     "ecr:ListImages",
-    "ecr:DescribeImages",
-    "ecr:BatchGetImage",
     "ecr:ListTagsForResource",
-    "ecr:DescribeImageScanFindings",
 ]
 
 ECR_WRITE_ACTIONS = [
+    "ecr:CompleteLayerUpload",
     "ecr:CreateRepository",
     "ecr:DeleteRepository",
     "ecr:InitiateLayerUpload",
-    "ecr:UploadLayerPart",
-    "ecr:CompleteLayerUpload",
     "ecr:PutImage",
     "ecr:PutLifecyclePolicy",
+    "ecr:UploadLayerPart",
 ]
 
 ECR_TAGGING_ACTIONS = [
@@ -123,6 +146,11 @@
     "ecr:UntagResource",
 ]
 
+ECR_FULL_ACCESS_ACTIONS = [
+    *ECR_READ_ACTIONS,
+    *ECR_TAGGING_ACTIONS,
+    *ECR_WRITE_ACTIONS,
+]
 
 KMS_READ_ACTIONS = [
     "kms:Decrypt",
@@ -130,8 +158,8 @@
 ]
 
 KMS_WRITE_ACTIONS = [
-    "kms:GenerateDataKey*",
     "kms:Encrypt",
+    "kms:GenerateDataKey*",
     "kms:PutKeyPolicy",
 ]
 
@@ -140,23 +168,11 @@
     *KMS_WRITE_ACTIONS,
 ]
 
-ECR_FULL_ACCESS_ACTIONS = [*ECR_READ_ACTIONS, *ECR_WRITE_ACTIONS, *ECR_TAGGING_ACTIONS]
-
-ECS_READ_ACTIONS = ["ecs:DescribeContainerInstances"]
-
-
-CODE_BUILD_IAM_POLICY = iam.PolicyStatement(
-    actions=[
-        *EC2_ACTIONS,
-        *ECR_FULL_ACCESS_ACTIONS,
-    ],
-    resources=["*"],
-)
-
 
 LAMBDA_FULL_ACCESS_ACTIONS = ["lambda:*"]
 
 S3_FULL_ACCESS_ACTIONS = ["s3:*"]
+
 S3_READ_ONLY_ACCESS_ACTIONS = [
     "s3:Get*",
     "s3:List*",
@@ -208,6 +224,19 @@
 ]
 
 
+#
+# policy statement constants and builders
+#
+
+CODE_BUILD_IAM_POLICY = iam.PolicyStatement(
+    actions=[
+        *EC2_ACTIONS,
+        *ECR_FULL_ACCESS_ACTIONS,
+    ],
+    resources=["*"],
+)
+
+
 def batch_policy_statement(
     env_base: Optional[EnvBase] = None,
     actions: List[str] = BATCH_FULL_ACCESS_ACTIONS,
@@ -374,16 +403,3 @@ def ssm_policy_statement(
     return iam.PolicyStatement(
         sid=sid, actions=actions, effect=iam.Effect.ALLOW, resources=[build_arn(service="ssm")]
     )
-
-
-def grant_managed_policies(
-    role: Optional[iam.IRole],
-    *managed_policies: Union[str, iam.ManagedPolicy],
-):
-    if not role:
-        return
-
-    for mp in managed_policies:
-        role.add_managed_policy(
-            iam.ManagedPolicy.from_aws_managed_policy_name(mp) if isinstance(mp, str) else mp
-        )
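Review bot: `CODE_BUILD_IAM_POLICY` grants `ECR_FULL_ACCESS_ACTIONS` — which per the lists above includes `ecr:DeleteRepository`, `ecr:PutLifecyclePolicy` and `ecr:PutImage` — with `resources=["*"]`, i.e. on every repository in the account; the statement is only relocated by this commit, so the breadth is pre-existing, but the move under the new "policy statement constants and builders" heading is the moment to document or narrow it. Of these actions only `ecr:GetAuthorizationToken` needs `*` (it has no resource-level scope); the repository-level actions could go in a second statement restricted to repository ARNs, or the constant could be replaced by a builder taking a resource list like the `*_policy_statement` functions below it. At minimum add a comment above the statement, e.g. `# NOTE: resources=["*"] is wider than needed; only ecr:GetAuthorizationToken lacks resource-level scoping`, so the next reader does not assume the wildcard is required.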