Elmer Security Updates
With this latest Elmer release we have improved security on the AWS account side by reducing the permission scope of the Elmer master IAM role policy and by adding an alias to the Elmer KMS key.
Bearse Master Role Policy
The policy has been restricted to just the actions and resources Elmer creates and manages through the elmerchild CloudFormation stack. Each statement is scoped to the ARNs of those resources in the account the stack runs in, using the stack's own parameters (${AWS::Region}, ${AWS::AccountId}, ${S3Bucket}, ${ElmerIAMUser}, ${KeyId}). The policy now looks like:
  # SNS publish to notify Elmer of stack actions
  - Action:
      - sns:Publish
    Resource:
      - "*"

  # CloudFormation: allow Elmer to modify the elmerchild stack
  - Action:
      - cloudformation:UpdateStack
      - cloudformation:DescribeStacks
      - cloudformation:DeleteStack
    Resource:
      - arn:aws:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/iamelmerchild/*

  # S3 permissions to get the template from an account-specific bucket
  - Action:
      - s3:GetObject
      - s3:GetObjectTagging
      - s3:ListBucket
      - s3:GetBucketLocation
    Resource:
      - arn:aws:s3:::${S3Bucket}

  # IAM permissions to manage the Elmer IAM user
  - Action:
      - iam:CreateUser
      - iam:DeleteUser
      - iam:GetUser
      - iam:UpdateUser
      - iam:ListAttachedUserPolicies
      - iam:ListUserPolicies
      - iam:PutUserPolicy
      - iam:DeleteUserPolicy
      - iam:DetachUserPolicy
      - iam:GetUserPolicy
      - iam:ListAccessKeys
      - iam:CreateAccessKey
      - iam:DeleteAccessKey
      - iam:UpdateAccessKey
    Resource:
      - arn:aws:iam::${AWS::AccountId}:user/${ElmerIAMUser}

  # IAM permissions to manage the Elmer IAM roles
  - Action:
      - iam:AttachRolePolicy
      - iam:CreateRole
      - iam:DeleteRole
      - iam:DeleteRolePolicy
      - iam:DetachRolePolicy
      - iam:GetRole
      - iam:GetRolePolicy
      - iam:ListAttachedRolePolicies
      - iam:ListRolePolicies
      - iam:PutRolePolicy
      - iam:UpdateAssumeRolePolicy
      - iam:UpdateRole
      - iam:UpdateRoleDescription
      - iam:ListRoles
    Resource:
      - arn:aws:iam::${AWS::AccountId}:role/iamelmer/*
      - arn:aws:iam::${AWS::AccountId}:role/IAMElmer

  # KMS permissions to encrypt, decrypt and manage the Elmer key
  - Action:
      - kms:Encrypt
      - kms:Decrypt
      - kms:ReEncryptFrom
      - kms:ReEncryptTo
      - kms:GenerateDataKey*
      - kms:DescribeKey
      - kms:Create*
      - kms:Enable*
      - kms:List*
      - kms:Put*
      - kms:Update*
      - kms:Revoke*
      - kms:Disable*
      - kms:Get*
      - kms:Delete*
      - kms:ScheduleKeyDeletion
      - kms:CancelKeyDeletion
    Resource:
      - arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/${KeyId}

Two things worth checking when you deploy this. First, IAM evaluates s3:GetObject and s3:GetObjectTagging against object ARNs (arn:aws:s3:::bucket/key), not the bucket ARN, so with the Resource written as arn:aws:s3:::${S3Bucket} alone only s3:ListBucket and s3:GetBucketLocation will match; reading the template also needs arn:aws:s3:::${S3Bucket}/* in the resource list. Second, the KMS statement still uses service-level wildcards (kms:Create*, kms:Delete*, kms:Put*, ...), but they are bounded by the single key ARN, and the sns:Publish statement is the only one left on Resource "*".
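A policy like the one above is easy to get subtly wrong (duplicated actions, a wildcard resource that survived the tightening, an S3 object action paired only with a bucket ARN), so it is worth linting the statements offline before the stack is deployed. The following is an added example, not Elmer's own code: it runs a few least-privilege checks over a constructed copy of the statements. The account id, region, bucket name, user name and key id are made-up placeholders, and the Effect field is assumed to be Allow since the listing above does not show it.

```python
"""Offline least-privilege lint for IAM policy statements.

Added example (not Elmer's code). Checks each statement for duplicate actions,
Resource "*", service-level wildcard actions, and S3 object actions that only
have bucket-level ARNs (which IAM can never match).
"""
import re

# Actions IAM evaluates against object ARNs (arn:aws:s3:::bucket/key); a
# bucket-only Resource entry does not grant them.
S3_OBJECT_ACTIONS = {"s3:GetObject", "s3:GetObjectTagging", "s3:GetObjectVersion",
                     "s3:PutObject", "s3:DeleteObject"}

# Constructed sample mirroring the statements on the page. Account id, region,
# bucket, user and key id are placeholders; Effect is assumed to be Allow.
ELMER_POLICY = [
    {"Sid": "SnsNotify", "Effect": "Allow",
     "Action": ["sns:Publish"], "Resource": ["*"]},
    {"Sid": "ChildStack", "Effect": "Allow",
     "Action": ["cloudformation:UpdateStack", "cloudformation:DescribeStacks",
                "cloudformation:DeleteStack"],
     "Resource": ["arn:aws:cloudformation:us-east-1:123456789012:stack/iamelmerchild/*"]},
    {"Sid": "TemplateBucket", "Effect": "Allow",
     "Action": ["s3:GetObject", "s3:GetObjectTagging", "s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": ["arn:aws:s3:::elmer-templates-123456789012"]},
    {"Sid": "ElmerUser", "Effect": "Allow",
     "Action": ["iam:CreateUser", "iam:ListAttachedUserPolicies", "iam:ListAttachedUserPolicies"],
     "Resource": ["arn:aws:iam::123456789012:user/elmer"]},
    {"Sid": "ElmerKey", "Effect": "Allow",
     "Action": ["kms:Decrypt", "kms:Create*", "kms:Delete*",
                "kms:ScheduleKeyDeletion", "kms:ScheduleKeyDeletion"],
     "Resource": ["arn:aws:kms:us-east-1:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"]},
]


def _as_list(value):
    # IAM allows a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def lint_statement(stmt):
    """Return a list of (sid, message) findings for one policy statement."""
    sid = stmt.get("Sid", "<no Sid>")
    actions = _as_list(stmt["Action"])
    resources = _as_list(stmt["Resource"])
    findings = []

    # 1. Duplicated actions: harmless to IAM, but a sign the list was not reviewed.
    seen = set()
    for action in actions:
        if action in seen:
            findings.append((sid, f"duplicate action {action}"))
        seen.add(action)

    # 2. Unscoped resource: every listed action applies to every resource.
    if "*" in resources:
        findings.append((sid, "Resource '*' for " + ", ".join(sorted(seen)) + "; scope to an ARN"))

    # 3. Service-level wildcards widen the grant whenever AWS adds a new API.
    for action in actions:
        if action.endswith("*"):
            findings.append((sid, f"wildcard action {action}; enumerate the APIs actually needed"))

    # 4. S3 object actions need an object ARN (bucket/...), never just the bucket ARN.
    object_actions = [a for a in actions if a in S3_OBJECT_ACTIONS]
    has_object_arn = any(re.fullmatch(r"arn:aws:s3:::[^/]+/.+", r) for r in resources)
    if object_actions and not has_object_arn:
        findings.append((sid, "object actions " + ", ".join(object_actions)
                         + " need an object ARN (bucket/*); only bucket ARNs are listed"))
    return findings


def lint_policy(statements):
    """Lint every statement and return the combined findings."""
    return [f for stmt in statements for f in lint_statement(stmt)]


def widen_s3_to_objects(stmt):
    """Return a copy of an S3 statement with bucket/* added for each bucket-only ARN."""
    resources = _as_list(stmt["Resource"])
    extra = [r + "/*" for r in resources if re.fullmatch(r"arn:aws:s3:::[^/]+", r)]
    fixed = dict(stmt)
    fixed["Resource"] = resources + extra
    return fixed


if __name__ == "__main__":
    for sid, message in lint_policy(ELMER_POLICY):
        print(f"{sid}: {message}")
    print("after fix:", lint_statement(widen_s3_to_objects(ELMER_POLICY[2])))
```

Run it against the real policy by loading the statements from the rendered template (after CloudFormation parameter substitution) in place of the constructed list; the S3 finding disappears once the bucket/* resource is added, which is what widen_s3_to_objects does.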