
Updating AWS security policy example #348

Merged (2 commits), Nov 3, 2022

Conversation


@Ar-Kan Ar-Kan commented Oct 29, 2022

According to AWS, using a wildcard in the PassRole permission allows the action on multiple resources, which raises a security warning when creating the policy.

Source: Security Warning – Pass role with star in resource.

Therefore, to be extra safe, we should add a condition to limit its application to EC2 resources only.

To test this modification, I currently use the plugin with the given policy without any issues.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira (Not applicable)
  • Link to relevant pull requests, esp. upstream and downstream changes (Not applicable)
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue (Not applicable)


@snay2 snay2 left a comment


Thanks for the PR!

Can you update the description with the following?

  1. Link to the documentation that backs up your first sentence
  2. Testing or verification steps you took to ensure this works

],
"Condition": {
"StringEquals": {
"iam:PassedToService": [

Since this Condition applies only to iam:PassRole, I recommend we split it out into its own Statement to make the distinction clearer. Whether it works this way or not, having separate Statements for the two kinds of IAM actions will be easier to read.
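An added example, not code from this PR or from the plugin, that turns the two review points into a lint over a policy document: an Allow of iam:PassRole on Resource "*" must carry an iam:PassedToService condition, and PassRole should sit in its own Statement because a Condition applies to every action in the Statement it belongs to. SAMPLE_POLICY is a constructed illustration, not the plugin's shipped policy.

```python
import json

PASS_ROLE = "iam:PassRole"
SERVICE_KEY = "iam:PassedToService"

# Constructed sample, not the plugin's shipped policy: statement 0 mixes
# PassRole with another action, statement 1 lacks the condition, statement 2
# is the shape the review asked for (PassRole alone, scoped to EC2).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeInstances", "iam:PassRole"],
         "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}}},
    ],
})


def _as_list(value):
    # IAM accepts a single string or a list for Action, Resource and condition values.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _passed_to_services(stmt):
    # Services named in an iam:PassedToService condition; empty set if absent.
    cond = stmt.get("Condition", {})
    for op in ("StringEquals", "StringLike"):
        if SERVICE_KEY in cond.get(op, {}):
            return set(_as_list(cond[op][SERVICE_KEY]))
    return set()


def find_pass_role_findings(policy_json):
    """Return (statement_index, message) pairs for risky iam:PassRole grants."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement"))):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not {PASS_ROLE, "iam:*", "*"} & set(actions):
            continue
        services = _passed_to_services(stmt)
        if "*" in _as_list(stmt.get("Resource")) and not services:
            findings.append((idx, "PassRole on Resource '*' without " + SERVICE_KEY))
        elif services and any(a != PASS_ROLE for a in actions):
            # The condition also constrains the other actions, so split PassRole out.
            findings.append((idx, "PassRole shares a Statement with other actions"))
    return findings
```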

@Ar-Kan Ar-Kan (Author) commented Nov 3, 2022

I updated the PR and the commit ;)


@snay2 snay2 left a comment


LGTM

@pdk27 pdk27 (Collaborator) left a comment


LGTM 🚀

@pdk27 pdk27 merged commit 8bfcdf4 into jenkinsci:master Nov 3, 2022
@Ar-Kan Ar-Kan deleted the update-aws-security-policy branch March 26, 2023 19:09