Hello,
Service IAM Roles in Backup Account require many IAM and EC2 permissions with a Resource of "*" as the default.
The permissions being called out on a security audit are `iam:PutRolePolicy`, `iam:AttachRolePolicy`, `iam:PassRole` and `ec2:RunInstances` as examples.
Is there a way to restrict these permissions to only the VBA_Worker instances? Maybe some other method of narrowing the scope of these rights?
Thank you!
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 30, 2024 5:50 pm
- Full Name: Kent Montgomery
- Product Manager
- Posts: 5729
- Liked: 1205 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Service IAM Roles in Backup Account
Hi Kent,
Sorry for the late reply.
We have a list of IAM permissions required in our user guide.
These are the minimum requirements to ensure everything works. Within the product, we also have the option to create dedicated roles for specific features (workloads, workers). Have you tried this already by any chance?
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
- Lurker
- Posts: 2
- Liked: never
- Joined: Apr 30, 2024 5:50 pm
- Full Name: Kent Montgomery
Re: Service IAM Roles in Backup Account
Niels,
I had not considered using the dedicated role option and that may help with the privilege restriction.
Thank you for the feedback,
Kent
- Product Manager
- Posts: 5729
- Liked: 1205 times
- Joined: Jul 15, 2013 11:09 am
- Full Name: Niels Engelen
Re: Service IAM Roles in Backup Account
No problem. Please let us know if you face any issues or questions.
Thanks!
Personal blog: https://foonet.be
GitHub: https://github.com/nielsengelen
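The audit finding from the opening post can be re-checked against any policy document, for instance after moving to dedicated roles. The sketch below is an added example, not part of the thread and not Veeam's code; the sample policy, its Sids, the account ID, role name and tag key are constructed.

```python
import fnmatch

# Actions named in the audit finding quoted in the opening post.
AUDITED_ACTIONS = ("iam:PutRolePolicy", "iam:AttachRolePolicy",
                   "iam:PassRole", "ec2:RunInstances")

def _as_list(value):
    """IAM accepts a single value or a list for Statement, Action, Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def _grants(stmt, action):
    """True if the statement's Action (or NotAction) element covers `action`."""
    def hit(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(patterns))
    if "NotAction" in stmt:
        return not hit(stmt["NotAction"])
    return hit(stmt.get("Action"))

def unscoped_grants(policy):
    """Return (sid, action, has_condition) for audited actions allowed on "*"."""
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        # NotResource matches everything except the listed ARNs, so flag it too.
        if "NotResource" not in stmt and "*" not in _as_list(stmt.get("Resource")):
            continue
        for action in AUDITED_ACTIONS:
            if _grants(stmt, action):
                findings.append((stmt.get("Sid", f"statement[{index}]"),
                                 action, "Condition" in stmt))
    return findings

# Constructed sample policy: one broad statement, one scoped, one conditioned.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BroadIam", "Effect": "Allow",
     "Action": ["iam:PutRolePolicy", "iam:Attach*"], "Resource": "*"},
    {"Sid": "ScopedPassRole", "Effect": "Allow", "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::111122223333:role/example-worker-role",
     "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
    {"Sid": "TaggedRun", "Effect": "Allow", "Action": "ec2:RunInstances",
     "Resource": "*",
     "Condition": {"StringEquals": {"aws:RequestTag/example-tag": "worker"}}},
]}

if __name__ == "__main__":
    for finding in unscoped_grants(SAMPLE_POLICY):
        print(finding)
```

A finding with `has_condition` set to `True` still has Resource "*"; whether its Condition narrows the grant enough is a manual review step.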