Merge pull request #31 from loft-sh/fix/aws_permission_hardening_2
fix(security): make stricter rules for AWS instance policy
89luca89 authored May 10, 2024
2 parents 0c18812 + 0c9f12c commit b0e58b5
Showing 1 changed file with 49 additions and 32 deletions.
81 changes: 49 additions & 32 deletions pkg/aws/aws.go
Expand Up @@ -4,6 +4,7 @@ import (
"context"
"encoding/base64"
"fmt"
"net/http"
"regexp"
"sort"
"strings"
Expand All @@ -21,6 +22,22 @@ import (
"github.com/pkg/errors"
)

// detect if we're in an ec2 instance
func isEC2Instance() bool {
client := &http.Client{}
req, err := http.NewRequest("GET", "http://instance-data.ec2.internal", nil)
if err != nil {
return false
}
resp, err := client.Do(req)
if err != nil {
return false
}
defer resp.Body.Close()

return true
}

func NewProvider(ctx context.Context, logs log.Logger) (*AwsProvider, error) {
config, err := options.FromEnv(false)
if err != nil {
Expand All @@ -32,7 +49,9 @@ func NewProvider(ctx context.Context, logs log.Logger) (*AwsProvider, error) {
return nil, err
}

if config.DiskImage == "" {
isEC2 := isEC2Instance()

if config.DiskImage == "" && !isEC2 {
image, err := GetDefaultAMI(ctx, cfg, config.MachineType)
if err != nil {
return nil, err
Expand All @@ -41,7 +60,7 @@ func NewProvider(ctx context.Context, logs log.Logger) (*AwsProvider, error) {
config.DiskImage = image
}

if config.RootDevice == "" {
if config.RootDevice == "" && !isEC2 {
device, err := GetAMIRootDevice(ctx, cfg, config.DiskImage)
if err != nil {
return nil, err
Expand Down Expand Up @@ -288,17 +307,30 @@ func CreateDevpodInstanceProfile(ctx context.Context, provider *AwsProvider) (st

policyInput := &iam.PutRolePolicyInput{
PolicyDocument: aws.String(`{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:StopInstances",
],
"Resource": "*"
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Describe",
"Action": [
"ec2:DescribeInstances"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "Stop",
"Action": [
"ec2:StopInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:instance/*",
"Condition": {
"StringLike": {
"aws:userid": "*:${ec2:InstanceID}"
}
]
}
}
]
}`),
PolicyName: aws.String("devpod-ec2-policy"),
RoleName: aws.String("devpod-ec2-role"),
Expand All @@ -309,26 +341,6 @@ func CreateDevpodInstanceProfile(ctx context.Context, provider *AwsProvider) (st
return "", err
}

policyInput = &iam.PutRolePolicyInput{
PolicyDocument: aws.String(`{
"Version": "2012-10-17",
"Statement": [
{
"Action": "ec2:*",
"Effect": "Allow",
"Resource": "*"
}
]
}`),
PolicyName: aws.String("EC2Access"),
RoleName: aws.String("devpod-ec2-role"),
}

_, err = svc.PutRolePolicy(ctx, policyInput)
if err != nil {
return "", err
}

instanceProfile := &iam.CreateInstanceProfileInput{
InstanceProfileName: aws.String("devpod-ec2-role"),
}
Expand Down Expand Up @@ -650,6 +662,11 @@ func Create(
MinCount: aws.Int32(1),
MaxCount: aws.Int32(1),
SecurityGroupIds: devpodSG,
MetadataOptions: &types.InstanceMetadataOptionsRequest{
HttpEndpoint: types.InstanceMetadataEndpointStateEnabled,
HttpTokens: types.HttpTokensStateRequired,
HttpPutResponseHopLimit: aws.Int32(1),
},
BlockDeviceMappings: []types.BlockDeviceMapping{
{
DeviceName: aws.String(providerAws.Config.RootDevice),
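Review bot: `isEC2Instance` builds its probe with `http.NewRequest` and a zero-value `http.Client`, so the GET to `http://instance-data.ec2.internal` carries neither the caller's `ctx` nor a timeout; on a host where that name resolves but the endpoint silently drops packets, `NewProvider` blocks instead of falling through to the non-EC2 path. Thread `ctx` from `NewProvider` into `http.NewRequestWithContext` and give the client a short `Timeout` (this needs `time` in the import block if it is not already there); the rewritten function and the one changed call site are below, and the rest of `NewProvider` continues past the hunk. Separately, I cannot confirm from the diff that `${ec2:InstanceID}` is expanded as a policy variable inside the `aws:userid` condition of the `Stop` statement; if it is not, the literal never matches the `<role-id>:<instance-id>` form of `aws:userid` and the instance can no longer stop itself, so it is worth checking in the policy simulator against the documented `ec2:SourceInstanceARN`-based self-scoping pattern. Also note that `HttpPutResponseHopLimit: 1` in `Create` blocks IMDSv2 from any container running with its own network namespace, which is the intended hardening only if the agent that issues `StopInstances` runs on the host network — please confirm.
```go
// detect if we're in an ec2 instance; ctx bounds the probe so NewProvider cannot hang on a half-reachable endpoint
func isEC2Instance(ctx context.Context) bool {
	client := &http.Client{Timeout: 2 * time.Second}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, "http://instance-data.ec2.internal", nil)
	if err != nil {
		return false
	}
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	defer resp.Body.Close()

	return true
}

// … unchanged: NewProvider up to the cfg error check …
	isEC2 := isEC2Instance(ctx)
```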
