[JIRA] (JENKINS-58037) Insecure IAM policy in documentation


russ@graphenic.com.au (JIRA)

Jun 17, 2019, 12:00:02 AM
to jenkinsc...@googlegroups.com
Russell Maclean updated an issue
 
Jenkins / Improvement JENKINS-58037
Insecure IAM policy in documentation
Change By: Russell Maclean
I'm unable to find a way to submit a PR to the documentation of this project.

However, in the wiki, the advised IAM configuration is highly insecure.

It allows the assigned entity to stop any task on any cluster rather than scoping to a specific environment (cluster). This allows your Jenkins master to stop any ECS container/task, including all your production ones, through misconfiguration or nefarious activity.

I've provided the corrected policy below.

Incorrect policy:
{code:json}
{
    "Sid": "Stmt1452746887376",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/*"
}
{code}

Secure policy:

{code:json}
{
    "Sid": "",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/<constraining further here is also advisable if possible>*",
    "Condition" : {
        "StringEquals" : {
            "ecs:cluster": "<your cluster for CI>"
        }
    }
}
{code}

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
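An added illustration, not from this Jira thread or the amazon-ecs-plugin: a small Python model of the two statements above, showing that only the version carrying the `ecs:cluster` condition refuses a `StopTask` aimed at a different cluster. The region, account id and cluster ARNs are constructed placeholders, and the evaluator models only the matching rules these two statements use.

```python
import fnmatch
import json

# Constructed placeholder values; substitute your own region, account and clusters.
REGION, ACCOUNT = "ap-southeast-2", "123456789012"
CI_CLUSTER = f"arn:aws:ecs:{REGION}:{ACCOUNT}:cluster/jenkins-ci"
PROD_CLUSTER = f"arn:aws:ecs:{REGION}:{ACCOUNT}:cluster/production"
TASK_PREFIX = f"arn:aws:ecs:{REGION}:{ACCOUNT}:task/"

# Statement as the wiki advised it: any task, in any cluster of the account.
INSECURE = json.loads(f"""{{
    "Sid": "Stmt1452746887376",
    "Action": ["ecs:StopTask", "ecs:DescribeTasks"],
    "Effect": "Allow",
    "Resource": "{TASK_PREFIX}*"
}}""")

# Corrected statement: same actions, but only when the request's cluster is the CI one.
SECURE = json.loads(f"""{{
    "Sid": "",
    "Action": ["ecs:StopTask", "ecs:DescribeTasks"],
    "Effect": "Allow",
    "Resource": "{TASK_PREFIX}*",
    "Condition": {{"StringEquals": {{"ecs:cluster": "{CI_CLUSTER}"}}}}
}}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def statement_allows(stmt, action, resource, context):
    """True if this single Allow statement grants `action` on `resource`.
    Models only wildcard Action/Resource matching and StringEquals conditions on
    request-context keys (ecs:cluster); real IAM also has explicit Deny, NotAction, etc."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    # A StringEquals condition fails if the context key is absent or differs.
    conditions = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(k) == v for k, v in conditions.items())


def can_stop_task(stmt, cluster_arn, task_id="0123456789abcdef0123456789abcdef"):
    """Would a principal holding `stmt` be allowed to stop a task in `cluster_arn`?"""
    return statement_allows(stmt, "ecs:StopTask", TASK_PREFIX + task_id,
                            {"ecs:cluster": cluster_arn})
```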

russ@graphenic.com.au (JIRA)

Jun 17, 2019, 12:00:02 AM
to jenkinsc...@googlegroups.com
Russell Maclean created an issue
Issue Type: Improvement
Assignee: Unassigned
Components: amazon-ecs-plugin
Created: 2019-06-17 03:59
Priority: Major
Reporter: Russell Maclean

I'm unable to find a way to submit a PR to the documentation of this project.

However, in the wiki, the advised IAM configuration is highly insecure.

It allows the assigned entity to stop any task on any cluster rather than scoping to a specific environment (cluster). This allows your Jenkins master to stop any ECS container/task, including all your production ones, through misconfiguration or nefarious activity.

I've provided the corrected policy below.

Incorrect policy:

{code:json}
{
    "Sid": "Stmt1452746887376",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/*"
}
{code}

Secure policy:

{code:json}
{
    "Sid": "",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/<constraining further here is also advisable if possible>*",
    "Condition" : {
        "StringEquals" : {
            "ecs:cluster": "<your cluster for CI>"
        }
    }
}
{code}

 

gregbiles@yahoo.com (JIRA)

Jul 12, 2019, 12:04:02 AM
to jenkinsc...@googlegroups.com
Greg Biles updated an issue
Change By: Greg Biles
I'm unable to find a way to submit a PR to the documentation of this project.

However, in the wiki, the advised IAM configuration is highly insecure.

It allows the assigned entity to stop any task on any cluster rather than scoping to a specific environment (cluster). This allows your Jenkins master to stop any ECS container/task, including all your production ones, through misconfiguration or nefarious activity.

I've provided the corrected policy below.

Incorrect policy:
{code:json}
{
    "Sid": "Stmt1452746887376",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/*"
}
{code}

Secure policy:

{code:json}
{
    "Sid": "",
    "Action": [ "ecs:StopTask", "ecs:DescribeTasks" ],
    "Effect": "Allow",
    "Resource": "arn:aws:ecs:<region>:<accountId>:task/<constraining further here is also advisable if possible>*",
    "Condition" : {
        "StringEquals" : {
            "ecs:cluster": "<your cluster's ARN for CI>"
        }
    }
}
{code}

 