From 16702898feacfe4f8c5ec323205362d6a0e36a97 Mon Sep 17 00:00:00 2001 
From: Daniel Neilson <53624638+ddneilson@users.noreply.github.com> Date: Thu, 6 Aug 2020 23:32:08 -0500 Subject: [PATCH] fix(ecs): Scope-down IAM permissions on Cluster ASG (#9493) This fixes https://github.com/aws/aws-cdk/issues/9492 by down-scoping some IAM permissions granted to the ASG that is created for an ECS cluster, and removing some unnecessary permissions. ### Testing This was tested by deploying a simple app that was basically the sample from the ECS module readme, and verifying that: (a) the cluster is operational (i.e. tasks are running), and (b) those tasks are able to write to logs. The essentials of the app are: ```ts const app = new cdk.App(); const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION } const stack = new cdk.Stack(app, 'Testing', { env }); const vpc = new ec2.Vpc(stack, 'Vpc'); // Create an ECS cluster const cluster = new ecs.Cluster(stack, 'Cluster', { vpc, }); // Add capacity to it cluster.addCapacity('DefaultAutoScalingGroupCapacity', { instanceType: new ec2.InstanceType("t2.xlarge"), desiredCapacity: 2, }); const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef'); taskDefinition.addContainer('DefaultContainer', { image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"), memoryLimitMiB: 512, logging: ecs.LogDriver.awsLogs({ logGroup: new logs.LogGroup(stack, 'LogGroup', { logGroupName: '/test-group/', removalPolicy: cdk.RemovalPolicy.DESTROY, retention: logs.RetentionDays.ONE_DAY, }), streamPrefix: 'testing-', }), }); // Instantiate an Amazon ECS Service const ecsService = new ecs.Ec2Service(stack, 'Service', { cluster, taskDefinition, desiredCount: 2, }); ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license* --- ...on-load-balanced-ecs-service.expected.json | 36 ++++++- ...integ.scheduled-ecs-task.lit.expected.json | 39 +++++-- packages/@aws-cdk/aws-ecs/lib/cluster.ts | 33 +++++- 
.../integ.app-mesh-proxy-config.expected.json | 36 ++++++- .../test/ec2/integ.clb-host-nw.expected.json | 36 ++++++- .../integ.firelens-s3-config.expected.json | 36 ++++++- .../test/ec2/integ.lb-awsvpc-nw.expected.json | 36 ++++++- .../test/ec2/integ.lb-bridge-nw.expected.json | 36 ++++++- .../test/ec2/integ.sd-awsvpc-nw.expected.json | 36 ++++++- .../test/ec2/integ.sd-bridge-nw.expected.json | 36 ++++++- .../test/ec2/integ.spot-drain.expected.json | 72 +++++++++++-- .../@aws-cdk/aws-ecs/test/test.ecs-cluster.ts | 102 +++++++++++++++--- .../integ.event-ec2-task.lit.expected.json | 36 ++++++- .../test/ecs/integ.ec2-run-task.expected.json | 36 ++++++- .../test/ecs/integ.ec2-task.expected.json | 36 ++++++- 15 files changed, 554 insertions(+), 88 deletions(-) diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.expected.json b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.expected.json index 9af53dfb65b39..8765123f05aa9 100644 --- a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.expected.json +++ b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.multiple-application-load-balanced-ecs-service.expected.json @@ -441,13 +441,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "ClusterEB0386A7", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "ClusterEB0386A7", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" 
diff --git a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json index 7cddaef40ca08..e9cdab87a08f6 100644 --- a/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json +++ b/packages/@aws-cdk/aws-ecs-patterns/test/ec2/integ.scheduled-ecs-task.lit.expected.json @@ -261,21 +261,46 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" ], "Effect": "Allow", "Resource": "*" - } - ], + } ], "Version": "2012-10-17" }, "PolicyName": "EcsClusterDefaultAutoScalingGroupInstanceRoleDefaultPolicy04DC6C80", diff --git a/packages/@aws-cdk/aws-ecs/lib/cluster.ts b/packages/@aws-cdk/aws-ecs/lib/cluster.ts index a16f4410af706..0fff4fd87bd93 100644 --- a/packages/@aws-cdk/aws-ecs/lib/cluster.ts +++ b/packages/@aws-cdk/aws-ecs/lib/cluster.ts 
@@ -212,16 +212,41 @@ export class Cluster extends Resource implements ICluster {
 // ECS instances must be able to do these things
 // Source: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/instance_IAM_role.html
+ // But, scoped down to minimal permissions required.
+ // Notes:
+ // - 'ecs:CreateCluster' removed. The cluster already exists.
 autoScalingGroup.addToRolePolicy(new iam.PolicyStatement({
 actions: [
- 'ecs:CreateCluster',
 'ecs:DeregisterContainerInstance',
- 'ecs:DiscoverPollEndpoint',
- 'ecs:Poll',
 'ecs:RegisterContainerInstance',
- 'ecs:StartTelemetrySession',
 'ecs:Submit*',
+ ],
+ resources: [
+ this.clusterArn,
+ ],
+ }));
+ autoScalingGroup.addToRolePolicy(new iam.PolicyStatement({
+ actions: [
+ // These act on a cluster instance, and the instance doesn't exist until the service starts.
+ // Thus, scope to the cluster using a condition.
+ // See: https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazonelasticcontainerservice.html
+ 'ecs:Poll',
+ 'ecs:StartTelemetrySession',
+ ],
+ resources: ['*'],
+ conditions: {
+ ArnEquals: { 'ecs:cluster': this.clusterArn },
+ },
+ }));
+ autoScalingGroup.addToRolePolicy(new iam.PolicyStatement({
+ actions: [
+ // These do not support resource constraints, and must be resource '*'
+ 'ecs:DiscoverPollEndpoint',
 'ecr:GetAuthorizationToken',
+ // Preserved for backwards compatibility.
+ // Users are able to enable cloudwatch agent using CDK. Existing
+ // customers might be installing CW agent as part of user-data so if we
+ // remove these permissions we will break that customer use cases.
 'logs:CreateLogStream',
 'logs:PutLogEvents',
 ],
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.app-mesh-proxy-config.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.app-mesh-proxy-config.expected.json
index c644c86649ef6..ec532abc2e2ec 100644
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.app-mesh-proxy-config.expected.json
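Review bot: `logs:CreateLogStream` and `logs:PutLogEvents` stay in the third statement on `resources: ['*']`, so the instance role can still write to every log group in the account even though the ECS actions are now bound to `this.clusterArn`; the in-code comment gives the compatibility reason, but nothing user-facing records it. I would add a sentence to the addAutoScalingGroup/Cluster docs along the lines of `The instance role keeps account-wide logs:CreateLogStream and logs:PutLogEvents for CloudWatch agents installed via user-data; narrow or remove them in your own stack if you do not rely on that.`, and consider a follow-up that lets users opt out of those two actions. Two wording nits in the new comments: `// These act on a cluster instance` should read `container instance`, and "the instance doesn't exist until the service starts" is imprecise — as far as I can tell the container-instance resource only exists once the agent has registered, which is the actual reason a condition on `ecs:cluster` is used instead of a resource ARN. The enclosing method starts and ends outside this hunk.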
+++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.app-mesh-proxy-config.expected.json @@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.clb-host-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.clb-host-nw.expected.json index edb849319d5b8..124f820c1e376 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.clb-host-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.clb-host-nw.expected.json @@ -441,13 +441,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" 
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.firelens-s3-config.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.firelens-s3-config.expected.json index a379d7c8c3109..25eb03aecdefc 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.firelens-s3-config.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.firelens-s3-config.expected.json @@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json index e5e7464767c36..39aed8c584a72 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-awsvpc-nw.expected.json 
@@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json index 74b289cadbde6..013adf12a5a82 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.lb-bridge-nw.expected.json @@ -441,13 +441,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json index 46f3b9a4e26cf..e67a15948431f 100644 
--- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-awsvpc-nw.expected.json @@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json index 16d9538eb2127..23ad8a29601a6 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.sd-bridge-nw.expected.json @@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" 
diff --git a/packages/@aws-cdk/aws-ecs/test/ec2/integ.spot-drain.expected.json b/packages/@aws-cdk/aws-ecs/test/ec2/integ.spot-drain.expected.json index 71a61e7a4a4a7..502fe1508bb78 100644 --- a/packages/@aws-cdk/aws-ecs/test/ec2/integ.spot-drain.expected.json +++ b/packages/@aws-cdk/aws-ecs/test/ec2/integ.spot-drain.expected.json @@ -420,13 +420,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" @@ -866,13 +892,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "EcsCluster97242B84", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-ecs/test/test.ecs-cluster.ts b/packages/@aws-cdk/aws-ecs/test/test.ecs-cluster.ts index 02d2594763da5..62ff827cd3c77 100644 --- a/packages/@aws-cdk/aws-ecs/test/test.ecs-cluster.ts 
+++ b/packages/@aws-cdk/aws-ecs/test/test.ecs-cluster.ts
@@ -127,13 +127,39 @@ export = {
 Statement: [
 {
 Action: [
- 'ecs:CreateCluster',
 'ecs:DeregisterContainerInstance',
- 'ecs:DiscoverPollEndpoint',
- 'ecs:Poll',
 'ecs:RegisterContainerInstance',
- 'ecs:StartTelemetrySession',
 'ecs:Submit*',
+ ],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ {
+ Action: [
+ 'ecs:Poll',
+ 'ecs:StartTelemetrySession',
+ ],
+ Effect: 'Allow',
+ Resource: '*',
+ Condition: {
+ ArnEquals: {
+ 'ecs:cluster': {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ },
+ },
+ {
+ Action: [
+ 'ecs:DiscoverPollEndpoint',
 'ecr:GetAuthorizationToken',
 'logs:CreateLogStream',
 'logs:PutLogEvents',
@@ -272,13 +298,39 @@ export = {
 Statement: [
 {
 Action: [
- 'ecs:CreateCluster',
 'ecs:DeregisterContainerInstance',
- 'ecs:DiscoverPollEndpoint',
- 'ecs:Poll',
 'ecs:RegisterContainerInstance',
- 'ecs:StartTelemetrySession',
 'ecs:Submit*',
+ ],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ {
+ Action: [
+ 'ecs:Poll',
+ 'ecs:StartTelemetrySession',
+ ],
+ Effect: 'Allow',
+ Resource: '*',
+ Condition: {
+ ArnEquals: {
+ 'ecs:cluster': {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ },
+ },
+ {
+ Action: [
+ 'ecs:DiscoverPollEndpoint',
 'ecr:GetAuthorizationToken',
 'logs:CreateLogStream',
 'logs:PutLogEvents',
@@ -572,13 +624,39 @@ export = {
 Statement: [
 {
 Action: [
- 'ecs:CreateCluster',
 'ecs:DeregisterContainerInstance',
- 'ecs:DiscoverPollEndpoint',
- 'ecs:Poll',
 'ecs:RegisterContainerInstance',
- 'ecs:StartTelemetrySession',
 'ecs:Submit*',
+ ],
+ Effect: 'Allow',
+ Resource: {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ {
+ Action: [
+ 'ecs:Poll',
+ 'ecs:StartTelemetrySession',
+ ],
+ Effect: 'Allow',
+ Resource: '*',
+ Condition: {
+ ArnEquals: {
+ 'ecs:cluster': {
+ 'Fn::GetAtt': [
+ 'EcsCluster97242B84',
+ 'Arn',
+ ],
+ },
+ },
+ },
+ },
+ {
+ Action: [
+ 'ecs:DiscoverPollEndpoint',
 'ecr:GetAuthorizationToken',
 'logs:CreateLogStream',
 'logs:PutLogEvents',
diff --git a/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json b/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json
index d6af0f21c794a..7d675a2bb2141 100644
--- a/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json
+++ b/packages/@aws-cdk/aws-events-targets/test/ecs/integ.event-ec2-task.lit.expected.json
@@ -261,13 +261,39 @@
 "Statement": [
 {
 "Action": [
- "ecs:CreateCluster",
 "ecs:DeregisterContainerInstance",
- "ecs:DiscoverPollEndpoint",
- "ecs:Poll",
 "ecs:RegisterContainerInstance",
- "ecs:StartTelemetrySession",
- "ecs:Submit*",
+ "ecs:Submit*"
+ ],
+ "Effect": "Allow",
+ "Resource": {
+ "Fn::GetAtt": [
+ "EcsCluster97242B84",
+ "Arn"
+ ]
+ }
+ },
+ {
+ "Action": [
+ "ecs:Poll",
+ "ecs:StartTelemetrySession"
+ ],
+ "Effect": "Allow",
+ "Resource": "*",
+ "Condition": {
+ "ArnEquals": {
+ "ecs:cluster": {
+ "Fn::GetAtt": [
+ "EcsCluster97242B84",
+ "Arn"
+ ]
+ }
+ }
+ }
+ },
+ {
+ "Action": [
+ "ecs:DiscoverPollEndpoint",
 "ecr:GetAuthorizationToken",
 "logs:CreateLogStream",
 "logs:PutLogEvents"
diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.expected.json index 634506837f8d5..af47fa1516cbd 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-run-task.expected.json @@ -63,13 +63,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "Ec2ClusterEE43E89D", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "Ec2ClusterEE43E89D", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents" diff --git a/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.expected.json b/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.expected.json index 0a57d22dc1fb6..3493dd636ddb5 100644 --- a/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.expected.json +++ b/packages/@aws-cdk/aws-stepfunctions-tasks/test/ecs/integ.ec2-task.expected.json 
@@ -63,13 +63,39 @@ "Statement": [ { "Action": [ - "ecs:CreateCluster", "ecs:DeregisterContainerInstance", - "ecs:DiscoverPollEndpoint", - "ecs:Poll", "ecs:RegisterContainerInstance", - "ecs:StartTelemetrySession", - "ecs:Submit*", + "ecs:Submit*" + ], + "Effect": "Allow", + "Resource": { + "Fn::GetAtt": [ + "FargateCluster7CCD5F93", + "Arn" + ] + } + }, + { + "Action": [ + "ecs:Poll", + "ecs:StartTelemetrySession" + ], + "Effect": "Allow", + "Resource": "*", + "Condition": { + "ArnEquals": { + "ecs:cluster": { + "Fn::GetAtt": [ + "FargateCluster7CCD5F93", + "Arn" + ] + } + } + } + }, + { + "Action": [ + "ecs:DiscoverPollEndpoint", "ecr:GetAuthorizationToken", "logs:CreateLogStream", "logs:PutLogEvents"