Limit Pivot Role permissions #491
Labels
priority: high
status: not-picked-yet (At the moment we have not picked this item. Anyone can pick it up)
type: enhancement (Feature enhancement)
Comments

dlpzx added the type: enhancement, priority: high and status: not-picked-yet labels on Jun 1, 2023
This is definitely an issue that we want to tackle. I have added it to the V1.6 board to prioritize it. Thanks for opening the issue.
dlpzx changed the title from "Minimize the permissions of Pivot Role" to "Limit Pivot Role permissions" on Jun 5, 2023
This was referenced Jun 9, 2023
dlpzx added a commit that referenced this issue on Jul 10, 2023:
### Feature or Bugfix
- Feature

### Detail
- Restrict trust policy to backend compute IAM roles only (instead of full root central account)
- Restrict KMS permissions to just encrypt/decrypt and list keys
- Restrict CloudFormation permissions to describe and deleteStack (remove the need for PassRole)
- Restrict Athena to the bare minimum to run preview and worksheets
- Restrict EC2 to describe actions only
- Remove LakeFormation registering (now in CloudFormation) and Transaction policies (deprecated)
- Remove Organisations and tag resources (unused)
- Remove Redshift and DataBrew (unused)
- Remove StepFunctions, CodePipelines, ECR and Lambda (unused)

### Relates
- #491

### Testing
With `dataallPivotRole-cdk` I verified that there are no error logs in CloudWatch for graphql, worker and ecs log-groups
- [X] Link environment with pivot_role_auto_create enabled, `dataallPivotRole-cdk` gets created successfully
- [X] Get credentials and url from Environment-Teams tab
- [X] See CloudFormation resources in stack tab and logs in logs
- [X] Import consumption role
- [X] Create Dataset
- [ ] Import Dataset - there is an issue fixed in #515
- [X] Get credentials and url from Dataset menu
- [X] Start crawler
- [X] Sync tables
- [X] Preview tables
- [X] Use Worksheets to query tables
- [X] Start profiling job
- [X] Create Folder
- [X] Share tables and Folders
- [X] Revoke tables and folders until completely cleaned up and delete share
- [X] Delete dataset
- [X] Create Notebook
- [X] Start and Stop Notebook
- [X] Open Jupyter
- [x] Delete Notebook
- [X] Create ML Studio user, open ML Studio
- [x] Delete ML Studio user
- [X] Create pipelines of all types
- [X] Get credentials for pipelines
- [x] Delete pipelines of all types
- [X] Start Quicksight session (GetAuthorSession)
- [ ] Import dashboard and see embedded dashboard - we need to look at the reader session authorization issue - check the fix from BT
- [X] Share dashboard and see embedded dashboard

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
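As an added example (not data.all's own code or templates), the Python checker below expresses the PR's KMS, CloudFormation, EC2 and trust-policy restrictions as an allow-list and reports where a constructed "before" pair of documents exceeds it. The account id, role names and policy contents are placeholders, and the allow-list covers only the three services the PR enumerates, not a complete pivot-role policy.

```python
from fnmatch import fnmatch

# Constructed sample documents mirroring the PR's before/after (not data.all's real templates).
ACCOUNT = "111111111111"  # placeholder central account id
BROAD_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
               "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"}}]}
NARROW_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:role/backend-graphql-role",
                                      f"arn:aws:iam::{ACCOUNT}:role/backend-worker-role"]}}]}
BROAD_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "kms:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudformation:*", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]}
NARROW_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:Decrypt", "kms:ListKeys"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["cloudformation:Describe*", "cloudformation:DeleteStack"], "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}]}

# Actions the PR keeps for these three services; any Allow action not covered is a finding.
ALLOWED_ACTIONS = ["kms:Encrypt", "kms:Decrypt", "kms:ListKeys",
                   "cloudformation:Describe*", "cloudformation:DeleteStack", "ec2:Describe*"]


def _as_list(value):
    # IAM lets single values appear as a bare string instead of a one-element list.
    return value if isinstance(value, list) else [value]


def trust_findings(trust_policy):
    """Flag principals that let any identity in the whole account (":root" or "*") assume the role."""
    findings = []
    for stmt in trust_policy["Statement"]:
        for principal in _as_list(stmt.get("Principal", {}).get("AWS", [])):
            if principal == "*" or principal.endswith(":root"):
                findings.append(f"trust: overly broad principal {principal}")
    return findings


def policy_findings(policy):
    """Flag Allow actions not covered by the allow-list."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt["Action"]):
            # A service-wide wildcard such as kms:* never matches a narrower pattern, so it is flagged.
            if not any(fnmatch(action, allowed) for allowed in ALLOWED_ACTIONS):
                findings.append(f"policy: action {action} exceeds the pivot-role allow-list")
    return findings
```

Running `trust_findings(BROAD_TRUST) + policy_findings(BROAD_POLICY)` lists the root principal, the three service wildcards and iam:PassRole; the narrowed pair yields no findings.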
Closing Issue - Implemented in v1.6. Additional fine-tuning in #580
Describe the bug
Attached is the review of enhancements (please check column status); anything with NeedsFixing is top priority and has to be addressed. CleanupEnhancements are very important, as access to unused resources is not good to have, followed by Good Enhancement. Please let me know if there are questions. The items marked review are candidates that can be explored for further clean up. What would be good is if you can add the version in which the issue will be fixed against each item; that will give us a clear idea of what to expect.
How to Reproduce
Expected behavior
Pivot role
Your project
No response
Screenshots
IAMRolesandPermissionAnalysis-PivotRoleSheet.xls
OS
All
Python version
3.1
AWS data.all version
v1.3,v1.4,v1.5
Additional context
Having least privilege is always good, and we request you to minimize the permissions for the pivot role so that it follows the principle of least privilege.