AWS Account Privileges
Mechanism of Account Access
GorillaStack uses cross-account roles for linking into customer accounts. Cross-account roles are AWS' recommended mechanism for 3rd party access to accounts. Some benefits:
- No need to periodically roll API keys
- Short term sessions
- All control around privileges are in the customer's hands
Scope of Account Access
GorillaStack requires different privileges for different Triggers and Actions. To assist our customers in maintaining their principle of granting least privileges, we added the ability to customize our roles, such that users can generate a role based on the selection of triggers and actions.
Maximal potential privileges
In the interest of being transparent, we will share a mapping of each trigger and action to its required privileges. This gives good context as to what the maximal potential privileges available to GorillaStack could be.
Triggers
| Trigger | Required AWS Privileges |
|---|---|
| Schedule | - |
| Cost Threshold | - |
| Number of Instances Threshold | ec2:DescribeInstances |
| Detached Volumes Detected | ec2:DescribeVolumes |
| Manual Run Only | - |
| Incoming Webhook | - |
| Inbound SNS Push | sns:Subscribe sns:ConfirmSubscription sns:Unsubscribe sns:ListTopics |
Actions
| Action | Required AWS Privileges |
|---|---|
| Copy DB Snapshots | rds:CopyDBSnapshot rds:DescribeDBSnapshots rds:ListTagsForResource rds:ListTagsForResource |
| Copy Snapshots | ec2:DescribeSnapshots ec2:CreateTags ec2:CopySnapshot kms:ListKeys kms:ListAliases |
| Create DB Snapshots | rds:ListTagsForResource rds:CreateDBSnapshot kms:ListKeys kms:ListAliases rds:DescribeDBSnapshots |
| Create Images | ec2:DescribeInstances ec2:DescribeTags ec2:DescribeVolumes ec2:CreateImage ec2:CreateTags ec2:DescribeImages |
| Create Snapshots | ec2:DescribeVolumes ec2:CreateSnapshot ec2:CreateTags ec2:DescribeInstances ec2:DescribeSnapshots |
| Create Vss Snapshots | ec2:DescribeInstances ec2:DescribeVolumes ssm:SendCommand ec2:DescribeSnapshots |
| Delete Detached Volumes | ec2:DeleteVolume ec2:DescribeVolumes |
| Delete Images | ec2:DescribeImages ec2:DeregisterImage |
| Delete Orphaned Snapshots | ec2:DescribeImages ec2:DescribeSnapshots ec2:DeleteSnapshot |
| Delete Snapshots | ec2:DescribeSnapshots ec2:DeleteSnapshot |
| EC2 Run Command (Powershell) | ec2:DescribeInstances ssm:SendCommand |
| EC2 Run Command (Shell) | ec2:DescribeInstances ssm:SendCommand |
| Invoke Named Lambda Function | lambda:InvokeFunction lambda:GetFunction lambda:UpdateFunctionConfiguration lambda:ListFunctions lambda:ListTags |
| Invoke Tagged Lambda Functions | lambda:ListFunctions lambda:GetFunction lambda:UpdateFunctionConfiguration lambda:ListTags lambda:InvokeFunction |
| Notify Cost | cloudwatch:ListMetrics cloudwatch:GetMetricStatistics |
| Notify Instance Count | ec2:DescribeVolumes ec2:DescribeInstances |
| Reboot Instances | ec2:DescribeInstances ec2:RebootInstances ec2:DescribeVolumes |
| Release Disassociated IPs | ec2:ReleaseAddress ec2:DescribeAddresses |
| Start Instances | ec2:DescribeInstances ec2:StartInstances ec2:DescribeVolumes |
| Start RDS Instances | rds:DescribeDBInstances rds:StartDBInstance rds:ListTagsForResource |
| Stop Instances | ec2:DescribeInstances ec2:StopInstances ec2:DescribeVolumes |
| Stop RDS Instances | rds:DescribeDBInstances rds:StopDBInstance rds:ListTagsForResource |
| Update Autoscaling Groups | autoscaling:UpdateAutoScalingGroup autoscaling:DescribeAutoScalingGroups |
| Update DynamoDB Table Throughput | dynamodb:UpdateTable dynamodb:ListTagsOfResource dynamodb:ListTables dynamodb:DescribeTable |
| Update Security Groups | ec2:DescribeSecurityGroups ec2:AuthorizeSecurityGroupEgress ec2:AuthorizeSecurityGroupIngress ec2:RevokeSecurityGroupEgress ec2:RevokeSecurityGroupIngress ec2:UpdateSecurityGroupRuleDescriptionsEgress ec2:UpdateSecurityGroupRuleDescriptionsIngress |