🔥🚧IAM Policy Clear Up #254
timburke-hackit started this conversation in Firebreak April 24
Replies: 0 comments
🌵What is the problem or issue we're trying to address?
IAM policy documents are spread all across the repository making it difficult to reuse existing resources.
🎯How is this affecting producers, consumers or platform engineers?
Producers find it difficult to know which policies to attach to an IAM role and often resort to creating bespoke policy documents for every new task.
Platform Engineers face the same issue, but also experience difficulty in managing where various IAM resources are created and how they are maintained. They also need to create and troubleshoot bespoke policies for many tasks consumers want to create when this could be made simple enough that they could do this themselves and PEs would only need to review through raised PRs.
📝What is the proposed task?
Create a new Terraform file for some commonly used IAM policy data sources that can be referenced, e.g.
Subsequently a significant tidy up of the existing resources in the repo.
I am not proposing more generic roles that are reused, but that new and existing roles should reuse policies as much as possible with limited use of ad-hoc policies where necessary. This will massively reduce the number of policies in the account making it easier to know what a role can do.
For example, Lambdas should still have a role that is specific to the permissions that Lambda needs, maintaining the principle of least privilege, but two Lambdas that need access to a department's S3 paths should have the same policy attached.
🤔How might this work be carried out?
I'm envisioning something similar to how permissions are managed in this repo.
https://github.com/LBHackney-IT/aws-permission-management
Let's be honest, it's a bit of a menial task. I think it's probably best to define a bunch of policies and create them, then in separate PRs replace the attachments for existing roles.
Some of this might be streamlined a bit by [I'll insert the Discussion about the AWS Lambda Module here]
⌛How urgent is this work?
It's not particularly urgent, but completing this would significantly reduce the overhead on platform engineers having to create roles / policies every time producers need one.
It should also make it much simpler for consumers to self-serve IAM role creation.
💪How much effort do you think this will take?
I'll come back to this
🛠️What skills are needed?
Terraform
AWS
📃Additional Info:
No response
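The layout the proposal describes, as an added example that is not the repository's own code: one file holds shared `aws_iam_policy_document` data sources and the `aws_iam_policy` resources built from them, each Lambda still gets its own role (so a role lists exactly what that function can do), and the shared department policy is attached to every role that needs it. A one-off permission stays as an inline policy on the single role that needs it rather than becoming another account-wide managed policy. The bucket ARN variable, the "housing" department name, the two Lambda names and the `ses:SendEmail` one-off are all assumptions made for illustration.

```hcl
# iam_policies.tf: shared, reusable policies (added example; bucket ARN is assumed to be supplied by the caller)

variable "data_bucket_arn" {
  description = "ARN of the shared data bucket, e.g. arn:aws:s3:::example-bucket (hypothetical)"
  type        = string
}

# One policy document per department prefix. ListBucket is bucket-scoped, so it is
# restricted with an s3:prefix condition; object actions are scoped to the prefix itself.
data "aws_iam_policy_document" "housing_s3_rw" {
  statement {
    sid       = "ListHousingPrefix"
    actions   = ["s3:ListBucket"]
    resources = [var.data_bucket_arn]
    condition {
      test     = "StringLike"
      variable = "s3:prefix"
      values   = ["housing/*"]
    }
  }
  statement {
    sid       = "ReadWriteHousingObjects"
    actions   = ["s3:GetObject", "s3:PutObject"]
    resources = ["${var.data_bucket_arn}/housing/*"]
  }
}

# The managed policy is created once and attached to as many roles as need it.
resource "aws_iam_policy" "housing_s3_rw" {
  name   = "housing-s3-rw"
  policy = data.aws_iam_policy_document.housing_s3_rw.json
}

# Shared trust policy for every Lambda execution role.
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
  }
}

# lambda_roles.tf: each Lambda keeps its own role, but reuses the shared policies.
locals {
  housing_lambdas = toset(["housing-ingest", "housing-report"]) # hypothetical function names
}

resource "aws_iam_role" "housing_lambda" {
  for_each           = local.housing_lambdas
  name               = "${each.key}-lambda-role"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Both roles get the same department policy instead of two bespoke copies.
resource "aws_iam_role_policy_attachment" "housing_lambda_s3" {
  for_each   = aws_iam_role.housing_lambda
  role       = each.value.name
  policy_arn = aws_iam_policy.housing_s3_rw.arn
}

# CloudWatch Logs permissions come from the AWS-managed basic execution policy.
resource "aws_iam_role_policy_attachment" "housing_lambda_logs" {
  for_each   = aws_iam_role.housing_lambda
  role       = each.value.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
}

# The limited ad-hoc case: only the report Lambda needs this, so it is an inline
# policy on that one role and never becomes a reusable managed policy.
data "aws_iam_policy_document" "housing_report_email" {
  statement {
    sid       = "SendReportEmail"
    actions   = ["ses:SendEmail"]
    resources = ["*"] # hypothetical; scope to an SES identity ARN in practice
  }
}

resource "aws_iam_role_policy" "housing_report_email" {
  name   = "housing-report-email"
  role   = aws_iam_role.housing_lambda["housing-report"].id
  policy = data.aws_iam_policy_document.housing_report_email.json
}
```

Checking what a role can do then means reading its attachments (`aws iam list-attached-role-policies --role-name housing-ingest-lambda-role`) plus any inline policies (`aws iam list-role-policies`); with this layout the attached list is a handful of well-known shared policies rather than a bespoke document per function, which is the reduction in policy count the proposal is after.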