
Provide some guidance for conservative IAM permissions #1

@mike-north

Description


Some of the general internet wisdom™ out there points users in a scary direction: one where it is suggested that the IAM keys used to deploy your EB app have broad access to a bunch of AWS resources. It would be great to give Ember developers guidance as to a very conservative set of permissions needed to create the app initially, and then deploy to specific environments (ideally with a different IAM user given access to deploy to each environment).

Especially for companies that have to deal with PCI SOX compliance, this is absolutely important to get right.

Here's what I believe to be the minimum permissions needed in order to create the app from the eb command line tool. I will add more info as I build more of an AWS-centric CI/CD pipeline out.

```json
{
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "elasticbeanstalk:CreateApplication",
      "elasticbeanstalk:DescribeEvents",
      "elasticbeanstalk:CheckDNSAvailability"
    ],
    "Resource": [
      "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:application/APP_NAME"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticbeanstalk:CreateApplicationVersion",
      "elasticbeanstalk:DescribeEvents"
    ],
    "Resource": [
      "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:applicationversion/APP_NAME/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticbeanstalk:CreateStorageLocation",
      "elasticbeanstalk:CheckDNSAvailability"
    ],
    "Resource": [
      "*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticbeanstalk:DescribeConfigurationOptions",
      "elasticbeanstalk:ListAvailableSolutionStacks",
      "elasticbeanstalk:ValidateConfigurationSettings"
    ],
    "Resource": [
      "arn:aws:elasticbeanstalk:REGION::solutionstack/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "s3:GetBucketPolicy",
      "s3:GetObject",
      "s3:GetObjectAcl",
      "s3:ListBucket",
      "s3:PutObject",
      "s3:PutObjectAcl"
    ],
    "Resource": [
      "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID",
      "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/*",
      "arn:aws:s3:::elasticbeanstalk-REGION-ACCOUNT_ID/resources/environments/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "s3:GetObject"
    ],
    "Resource": [
      "arn:aws:s3:::FASTBOOT_ASSETS_S3_BUCKET_NAME"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticbeanstalk:CreateEnvironment",
      "elasticbeanstalk:DescribeConfigurationOptions",
      "elasticbeanstalk:DescribeConfigurationSettings",
      "elasticbeanstalk:DescribeEnvironmentResources",
      "elasticbeanstalk:DescribeEvents",
      "elasticbeanstalk:DescribeEnvironments",
      "elasticbeanstalk:RequestEnvironmentInfo",
      "elasticbeanstalk:RetrieveEnvironmentInfo",
      "elasticbeanstalk:UpdateEnvironment",
      "elasticbeanstalk:ValidateConfigurationSettings"
    ],
    "Resource": [
      "arn:aws:elasticbeanstalk:REGION:ACCOUNT_ID:environment/APP_NAME/ENVIRONMENT_NAME"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeImages",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeAccountAttributes"
    ],
    "Resource": [
      "*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "cloudformation:DescribeStackEvents",
      "cloudformation:DescribeStackResource",
      "cloudformation:DescribeStacks",
      "cloudformation:GetTemplate",
      "cloudformation:UpdateStack"
    ],
    "Resource": [
      "arn:aws:cloudformation:REGION:ACCOUNT_ID:stack/ENVIRONMENT_ID-stack/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "autoscaling:DescribeAutoScalingGroups",
      "autoscaling:DescribeScalingActivities",
      "autoscaling:ResumeProcesses",
      "autoscaling:SuspendProcesses"
    ],
    "Resource": [
      "*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticloadbalancing:*"
    ],
    "Resource": [
      "arn:aws:elasticloadbalancing:REGION:ACCOUNT_ID:loadbalancer/*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "elasticloadbalancing:DescribeLoadBalancers"
    ],
    "Resource": [
      "*"
    ]
  }, {
    "Effect": "Allow",
    "Action": [
      "s3:CreateBucket",
      "s3:GetObject"
    ],
    "Resource": [
      "*"
    ]
  }]
}
```
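A small policy linter, added here as an example and not part of the issue author's policy or of the project this issue belongs to, shows how to check a candidate deploy policy like the one above before attaching it to a CI/CD user. It flags the three things a reviewer looks for in a "conservative" policy: a service-wide action wildcard (such as `elasticloadbalancing:*`), mutating actions allowed on `Resource: "*"` (such as `s3:CreateBucket`), and ARN placeholders (`REGION`, `ACCOUNT_ID`, ...) that were never filled in. The read-only prefix list, the placeholder regex and the sample statements with made-up account and region values are this example's own assumptions, not AWS definitions.

```python
import json
import re
from dataclasses import dataclass

# Assumption of this example: action names starting with these prefixes only
# read state, so a wildcard Resource on them is low risk. The same wildcard on
# a mutating action is what the linter reports.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Check", "Validate",
                      "Retrieve", "Request")

# Matches unfilled template tokens such as REGION or ACCOUNT_ID inside an ARN.
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z0-9_]{2,}\b")


@dataclass(frozen=True)
class Finding:
    statement: int      # index into the Statement array; -1 for policy-level
    severity: str       # "high", "medium" or "low"
    message: str


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    service, _, name = action.partition(":")
    return bool(service) and name.startswith(READ_ONLY_PREFIXES)


def lint_policy(policy: dict) -> list:
    """Return a list of Finding objects for an IAM policy document (parsed JSON)."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(Finding(-1, "low",
            'no "Version": "2012-10-17"; policy variables and newer grammar are unavailable'))
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        for action in actions:
            if action == "*":
                findings.append(Finding(i, "high", 'Action "*" grants every API in every service'))
            elif action.endswith(":*"):
                findings.append(Finding(i, "high", f"{action} grants every API of that service"))
        if "*" in resources:
            mutating = [a for a in actions if not _is_read_only(a) and not a.endswith("*")]
            if mutating:
                # Some AWS actions (elasticbeanstalk:CreateStorageLocation is one)
                # do not support resource-level permissions and must use "*".
                # The linter cannot know that, so it reports these for a human
                # to confirm rather than silently accepting them.
                findings.append(Finding(i, "medium",
                    f'mutating actions {mutating} allowed on Resource "*"'))
        for arn in resources:
            for token in PLACEHOLDER.findall(arn):
                findings.append(Finding(i, "low", f"unfilled placeholder {token} in {arn}"))
    return findings


def lint_policy_text(text: str) -> list:
    """Convenience wrapper for linting a policy held as a JSON string or file body."""
    return lint_policy(json.loads(text))


# Constructed sample: four statements modelled on the policy in the issue, with
# a made-up region and account id filled in except in the last statement.
SAMPLE_POLICY = {
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeImages", "ec2:DescribeKeyPairs",
                    "ec2:DescribeAccountAttributes"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["elasticloadbalancing:*"],
         "Resource": ["arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/*"]},
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:GetObject"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["elasticbeanstalk:CreateApplication", "elasticbeanstalk:DescribeEvents"],
         "Resource": ["arn:aws:elasticbeanstalk:us-east-1:ACCOUNT_ID:application/my-app"]},
    ]
}

if __name__ == "__main__":
    for f in lint_policy(SAMPLE_POLICY):
        print(f"[{f.severity}] statement {f.statement}: {f.message}")
```

Run against the sample it reports the missing `Version`, the `elasticloadbalancing:*` wildcard, `s3:CreateBucket` on `Resource: "*"`, and the unfilled `ACCOUNT_ID`; the `ec2:Describe*` statement on `*` is accepted because every action in it is read-only. A medium finding is a prompt to check the AWS documentation for whether the action supports resource-level permissions at all, not an automatic failure.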
