First post, so I apologize in advance if I miss some conventions.
I'm trying to discover the least privilege access required for Foreman/RH Satellite to be able to fully manage an EC2 compute resource with full functionality. So far, I've been successful with the following policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1452211947000",
      "Effect": "Allow",
      "Action": [
        "apigateway:*"
      ],
      "Resource": [
        "arn:aws:apigateway:*::/*"
      ]
    },
    {
      "Sid": "Stmt1452212146000",
      "Effect": "Allow",
      "Action": [
        "execute-api:*"
      ],
      "Resource": [
        "arn:aws:execute-api:*:*:*"
      ]
    },
    {
      "Sid": "Stmt1452212199000",
      "Effect": "Allow",
      "Action": [
        "ec2:*",
        "cloudwatch:*",
        "autoscaling:*",
        "elasticloadbalancing:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
However, I've only done a small amount of testing and there may be restricted permissions for advanced Foreman/Satellite features that I have yet to run across.
So, I have two questions:
- Are there any permissions that Foreman/RH Satellite requires to properly and fully manage EC2 resources that are not in this policy?
- Is there any part of this policy that is superfluous such that Foreman/Satellite will never use it?
Background, if relevant: We have a RH Satellite server managing a good number of our on-site servers. AWS is rolling in like a freight train because it's a fun buzzword to upper management, who have very little understanding and all the control over our entire environment. I've been working on getting EC2 compute resource connectivity set up so that we can manage EC2 instances across several isolated AWS accounts, which means creating an IAM user on each AWS account to access that account's EC2 instances from Satellite. So far we've gotten resistance from our IT Security department because they want to know the least privilege required for that access before they'll give it the OK.
I've scoured documentation for weeks with no success, and my Google-fu has failed me. I also opened a case with Red Hat, and I was disappointed that the only real response I received was, "check these ports on the firewall."
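One way to answer both questions empirically is to run Satellite against the broad policy for a while and then compare the policy's Allow patterns with the API calls CloudTrail actually recorded for that IAM user: calls that no pattern covers are candidates for the "missing" list, and patterns that never matched a call are candidates for the "superfluous" list. The script below is an added example, not code from the post or from Foreman; the CloudTrail records are constructed samples, and the SOURCE_TO_PREFIX table only covers the CloudWatch eventSource exception.

```python
import fnmatch
import json

# The poster's policy, condensed to its three Allow statements (Sids dropped).
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": ["arn:aws:apigateway:*::/*"]},
  {"Effect": "Allow", "Action": ["execute-api:*"], "Resource": ["arn:aws:execute-api:*:*:*"]},
  {"Effect": "Allow", "Action": ["ec2:*", "cloudwatch:*", "autoscaling:*",
    "elasticloadbalancing:*"], "Resource": ["*"]}]}
""")

# Constructed sample CloudTrail records for the Satellite IAM user (not real data).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "RunInstances"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeImages"},
    {"eventSource": "iam.amazonaws.com", "eventName": "ListInstanceProfiles"},
]

# eventSource hostnames usually equal the IAM service prefix; CloudWatch logs as "monitoring".
SOURCE_TO_PREFIX = {"monitoring": "cloudwatch"}

def _match(action, pattern):
    """IAM action matching is case-insensitive and '*' is the only wildcard used here."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())

def allowed_patterns(policy):
    """Action patterns granted by Allow statements (Deny statements are ignored here)."""
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        patterns.update([actions] if isinstance(actions, str) else actions)
    return patterns

def observed_actions(events):
    """Map CloudTrail (eventSource, eventName) pairs to IAM 'service:Action' strings."""
    result = set()
    for ev in events:
        svc = ev["eventSource"].split(".")[0]
        result.add(f"{SOURCE_TO_PREFIX.get(svc, svc)}:{ev['eventName']}")
    return result

def audit(policy, events):
    """Return (missing, unused): calls no pattern allows, and patterns nothing used."""
    patterns, used = allowed_patterns(policy), observed_actions(events)
    missing = {a for a in used if not any(_match(a, p) for p in patterns)}
    unused = {p for p in patterns if not any(_match(a, p) for a in used)}
    return missing, unused
```

Against the constructed sample, audit(POLICY, SAMPLE_EVENTS) reports iam:ListInstanceProfiles as uncovered and every non-ec2 wildcard as unused; with real CloudTrail records for the Satellite user, the unused set is what to remove and the missing set is what the IT Security review actually needs to grant.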