
Create a Minimal IAM Role for AWS Deployment #381

Open
4 tasks done
pziemkowski opened this issue Aug 21, 2023 · 0 comments
Labels
enhancement New feature or request hacktoberfest

Comments

@pziemkowski
Member

pziemkowski commented Aug 21, 2023

Description

Create a minimal IAM role that grants the necessary permissions to deploy the SaaS Boilerplate without giving full admin access to the AWS environment.

Currently, deploying the SaaS Boilerplate requires extensive permissions which can lead to potential security risks. To adhere to the principle of least privilege (PoLP), a dedicated IAM role with only the necessary permissions should be established.

Describe the solution you'd like

Requirements

  1. Analyze the AWS services and actions used by the SaaS Boilerplate during deployment and runtime.
  2. In CDK create an IAM policy that grants only the permissions needed for those services and actions.
  3. In CDK attach the policy to a new IAM role, ensuring it has no additional permissions.
  4. Update the deployment instructions in relevant documentation to mention the use of this new IAM role.

Acceptance Criteria:

  1. A user with the new IAM role should be able to deploy the SaaS Boilerplate without any issues.
  2. The IAM role should not have permissions beyond what's necessary for the deployment and operation of the SaaS Boilerplate.
  3. Updated documentation reflects the changes and guides users on using the new IAM role.

Describe alternatives you've considered

No response

Additional context

Potential Challenges:

  • Ensuring all permissions are captured without over-provisioning. Testing thoroughly is crucial.
  • Changes to the SaaS Boilerplate in the future might require additional permissions, which would necessitate updates to the IAM role.

Validations
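
One way to express requirements 2 and 3 and check acceptance criterion 2, as an added example that is not part of the issue or the project's code: a scoped IAM policy document built as plain TypeScript (no CDK dependency, so it runs stand-alone), plus a check that flags statements with wildcard actions or unscoped resources. The CloudFormation and S3 actions shown are an illustrative assumption, not the permission set step 1 would actually produce.

```typescript
// Added example (not project code). Builds a least-privilege deployment
// policy and lints it for over-provisioning. The actions/resources listed
// are an ASSUMPTION for illustration; the real set comes from step 1.

type Statement = {
  Sid: string;
  Effect: "Allow" | "Deny";
  Action: string[];
  Resource: string[];
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Scope every statement to the deploying account, region and app-name
// prefix so the role cannot reach resources belonging to other stacks.
function buildDeployPolicy(account: string, region: string, app: string): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "CdkStacks",
        Effect: "Allow",
        Action: ["cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DescribeStacks"],
        Resource: [`arn:aws:cloudformation:${region}:${account}:stack/${app}-*/*`],
      },
      {
        Sid: "CdkAssets",
        Effect: "Allow",
        Action: ["s3:GetObject", "s3:PutObject"],
        // CDK bootstrap asset bucket naming (assumed pattern for this example).
        Resource: [`arn:aws:s3:::cdk-*-assets-${account}-${region}/*`],
      },
    ],
  };
}

// Acceptance criterion 2: no Allow statement may use "*" or "service:*" as an
// action, or "*" as a resource. Returns the Sids of offending statements.
// This is a coarse check; it does not evaluate IAM conditions or ARN breadth.
function findOverlyBroadStatements(doc: PolicyDocument): string[] {
  return doc.Statement
    .filter((s) => s.Effect === "Allow")
    .filter(
      (s) =>
        s.Action.some((a) => a === "*" || a.endsWith(":*")) ||
        s.Resource.some((r) => r === "*"),
    )
    .map((s) => s.Sid);
}
```

Running the check in CI against the synthesized template catches a future change that silently widens the role, which is the second challenge listed above.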

@pziemkowski pziemkowski added the enhancement New feature or request label Aug 21, 2023
emil-litwiniec added a commit that referenced this issue Apr 19, 2024
- fixes prismjs deep dep vulnerabilities #375, #381
emil-litwiniec added a commit that referenced this issue Apr 22, 2024
* chore: Update babel and styled-components

- @babel/traverse dependabot alert #383

* chore: Update Docusaurus to 3.2.1

- fixes prismjs deep dep vulnerabilities #375, #381

* chore: Update rollup-plugin-node-builtins

- vulnerable dependency browserify-sign sub dep

* chore: Update express to 4.19.2

- fixes malformed URLs vulnerabilities #405

* chore: Update axios to 0.28.1

- fixes dependabot vulnerabilities #396, #398, #400, #401

* chore: Update nodemailer to 6.9.13

- fixes dependabot vulnerability #394

* chore: Update @testing-library/jest-dom to 6.4.2

- partially fixes dependabot @adobe sub dep vulnerability #440