[ecs] Over-broad IAM permissions on ECS Cluster drain lambda #9501
Labels
Comments
ddneilson
added
bug
mergify bot
pushed a commit
that referenced
this issue
Aug 7, 2020
Fixes #9501 ### Testing This was tested by deploying a simple app that was basically the sample from the ECS module readme, and then manually killing off instances from the ECS cluster's ASG. When I killed off an instance I then verified, from the lambda logs, that the task-draining lambda was able to complete its work with no errors. The essentials of the app are: ```ts const app = new cdk.App(); const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION } const stack = new cdk.Stack(app, 'Testing', { env }); const vpc = new ec2.Vpc(stack, 'Vpc'); // Create an ECS cluster const cluster = new ecs.Cluster(stack, 'Cluster', { vpc, }); // Add capacity to it cluster.addCapacity('DefaultAutoScalingGroupCapacity', { instanceType: new ec2.InstanceType("t2.xlarge"), desiredCapacity: 2, }); const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef'); taskDefinition.addContainer('DefaultContainer', { image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"), memoryLimitMiB: 512, logging: ecs.LogDriver.awsLogs({ logGroup: new logs.LogGroup(stack, 'LogGroup', { logGroupName: '/test-group/', removalPolicy: cdk.RemovalPolicy.DESTROY, retention: logs.RetentionDays.ONE_DAY, }), streamPrefix: 'testing-', }), }); // Instantiate an Amazon ECS Service const ecsService = new ecs.Ec2Service(stack, 'Service', { cluster, taskDefinition, desiredCount: 2, }); ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
eladb
pushed a commit
that referenced
this issue
Aug 10, 2020
Fixes #9501 ### Testing This was tested by deploying a simple app that was basically the sample from the ECS module readme, and then manually killing off instances from the ECS cluster's ASG. When I killed off an instance I then verified, from the lambda logs, that the task-draining lambda was able to complete its work with no errors. The essentials of the app are: ```ts const app = new cdk.App(); const env = { account: process.env.CDK_DEFAULT_ACCOUNT, region: process.env.CDK_DEFAULT_REGION } const stack = new cdk.Stack(app, 'Testing', { env }); const vpc = new ec2.Vpc(stack, 'Vpc'); // Create an ECS cluster const cluster = new ecs.Cluster(stack, 'Cluster', { vpc, }); // Add capacity to it cluster.addCapacity('DefaultAutoScalingGroupCapacity', { instanceType: new ec2.InstanceType("t2.xlarge"), desiredCapacity: 2, }); const taskDefinition = new ecs.Ec2TaskDefinition(stack, 'TaskDef'); taskDefinition.addContainer('DefaultContainer', { image: ecs.ContainerImage.fromRegistry("amazon/amazon-ecs-sample"), memoryLimitMiB: 512, logging: ecs.LogDriver.awsLogs({ logGroup: new logs.LogGroup(stack, 'LogGroup', { logGroupName: '/test-group/', removalPolicy: cdk.RemovalPolicy.DESTROY, retention: logs.RetentionDays.ONE_DAY, }), streamPrefix: 'testing-', }), }); // Instantiate an Amazon ECS Service const ecsService = new ecs.Ec2Service(stack, 'Service', { cluster, taskDefinition, desiredCount: 2, }); ``` ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The task-draining lambda that is created for ECS clusters currently has over-broad permissions found here.
Reproduction Steps
Create ECS cluster with any capacity & task.
What did you expect to happen?
IAM Permissions that adhere to the principle of least privilege.
What actually happened?
Broad permissions
Environment
Other
Some specifics:
ecs:clustercondition. So, these can be trivially down-scoped without affecting functionality by applying that condition.I have a PR ready to roll on this, and will be posting it momentarily.
This is 🐛 Bug Report
The text was updated successfully, but these errors were encountered: