0

Is there an IAM policy that can be created/attached to CodeStarWorker-*-CloudFormation that limits either the Subnets or HostedZoneIds the CodeStar worker can use?

Here's an example template.yml:

Resources:
  # other resources
  DevAlb:
    Properties:
      LoadBalancerAttributes: []
      Name: !Sub '${ProjectId}-dev-alb'
      Scheme: internal
      SecurityGroups:
        - !Ref AlbSecurityGroup
      Subnets:
        - !ImportValue PrivateSubnet1
        - !ImportValue PrivateSubnet2
      Tags:
        - Key: Name
          Value: !Sub '${ProjectId}-dev'
    Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
  DevAlbDns:
    Properties:
      AliasTarget:
        DNSName: !GetAtt 
          - AlbDev
          - DNSName
        HostedZoneId: !GetAtt 
          - AlbDev
          - CanonicalHostedZoneID
      HostedZoneId: !ImportValue InternalDomainDotCom
      Name: !Sub '${ProjectId}.internal-domain.com'
      Type: A
    Type: 'AWS::Route53::RecordSet'

I don't want users with CodeStar access to import/use anything that would allow public internet access (without admin approval, anyway). How can I prevent someone from setting/importing PublicSubnet1 and PublicSubnet2 as one of the Subnets? Or prevent them from setting/import PublicDomainDotCom as the HostedZoneId?

jeffchheng
  • 1
  • 2

1 Answers1

0

I was able to do this by attaching the following policy to CodeStarWorker-app-CloudFormation!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZoneCount",
                "route53domains:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "apigateway:GET"
            ],
            "Resource": [
                "arn:aws:route53:::hostedzone/REPLACE_WITH_HOSTED_ZONE_ID",
                "arn:aws:apigateway:*::/domainnames"
            ]
        }
    ]
}

This will only allow CodeStar's CloudFormation role to create a Route 53 record set in the hosted zone ID an admin has allowed.

I'm sure there are other ways to protect your infrastructure and data from bad actors with CodeStar roles. Feel free to share if you have any ideas (e.g., limiting EC2 VPCs/Subnets).

jeffchheng
  • 1
  • 2