AWS msk documentation change
Summary
Updated IAM policy example to use granular permissions instead of wildcards, added specific resource ARNs, restructured policy statements with explicit SIDs, and expanded required actions for MSK Connect components
Security assessment
The change implements least privilege by replacing wildcard permissions with specific actions and resource ARNs, which improves security posture but does not address a specific disclosed vulnerability
Diff
diff --git a/msk/latest/developerguide/mkc-iam-policy-examples.md b/msk/latest/developerguide/mkc-iam-policy-examples.md index c6ef2a6fa..1b82491f2 100644 --- a//msk/latest/developerguide/mkc-iam-policy-examples.md +++ b//msk/latest/developerguide/mkc-iam-policy-examples.md @@ -5 +5 @@ -# Examples of IAM policies for MSK Connect +# Example of IAM policy for MSK Connect @@ -13,0 +14 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "MSKConnectFullAccess", @@ -16,12 +17,16 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "kafkaconnect:*", - "ec2:CreateNetworkInterface", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:DescribeSecurityGroups", - "logs:CreateLogDelivery", - "logs:GetLogDelivery", - "logs:DeleteLogDelivery", - "logs:ListLogDeliveries", - "logs:PutResourcePolicy", - "logs:DescribeResourcePolicies", - "logs:DescribeLogGroups" + "kafkaconnect:CreateConnector", + "kafkaconnect:DeleteConnector", + "kafkaconnect:DescribeConnector", + "kafkaconnect:GetConnector", + "kafkaconnect:ListConnectors", + "kafkaconnect:UpdateConnector", + "kafkaconnect:CreateCustomPlugin", + "kafkaconnect:DeleteCustomPlugin", + "kafkaconnect:DescribeCustomPlugin", + "kafkaconnect:GetCustomPlugin", + "kafkaconnect:ListCustomPlugins", + "kafkaconnect:CreateWorkerConfiguration", + "kafkaconnect:DeleteWorkerConfiguration", + "kafkaconnect:DescribeWorkerConfiguration", + "kafkaconnect:GetWorkerConfiguration", + "kafkaconnect:ListWorkerConfigurations" @@ -29 +34,5 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Resource": "*" + "Resource": [ + "arn:aws:kafkaconnect:us-east-1:123456789012:connector/*", + "arn:aws:kafkaconnect:us-east-1:123456789012:custom-plugin/myCustomPlugin/", + "arn:aws:kafkaconnect:us-east-1:123456789012:worker-configuration/myWorkerConfig/" + ] @@ -31,0 +41 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "IAMPassRole", @@ -33,2 +43,2 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::123456789012:role/MSKConnectServiceRole", @@ -36,2 +46,2 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "StringLike": { - "iam:AWSServiceName": "kafkaconnect.amazonaws.com" + "StringEquals": { + "iam:PassedToService": "kafkaconnect.amazonaws.com" @@ -41,0 +52 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "EC2NetworkAccess", @@ -44,2 +55,6 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "iam:AttachRolePolicy", - "iam:PutRolePolicy" + "ec2:CreateNetworkInterface", + "ec2:DescribeNetworkInterfaces", + "ec2:DeleteNetworkInterface", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups" @@ -47,11 +62 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Resource": "arn:aws:iam::*:role/aws-service-role/kafkaconnect.amazonaws.com/AWSServiceRoleForKafkaConnect*" - }, - { - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/delivery.logs.amazonaws.com/AWSServiceRoleForLogDelivery*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "delivery.logs.amazonaws.com" - } - } + "Resource": "*" @@ -59,0 +65 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "MSKClusterAccess", @@ -62,2 +68,3 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "s3:PutBucketPolicy", - "s3:GetBucketPolicy" + "kafka:DescribeCluster", + "kafka:DescribeClusterV2", + "kafka:GetBootstrapBrokers" @@ -65,6 +72 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Resource": "ARN of the Amazon S3 bucket to which you want MSK Connect to deliver logs" - }, - { - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "ARN of the service execution role" + "Resource": "arn:aws:kafkaconnect:us-east-1:123456789012:cluster/myCluster/" @@ -72,0 +75 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "MSKLogGroupAccess", @@ -74,2 +77,10 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Action": "s3:GetObject", - "Resource": "ARN of the Amazon S3 object that corresponds to the custom plugin that you want to use for creating connectors" + "Action": [ + "logs:CreateLogGroup", + "logs:CreateLogStream", + "logs:PutLogEvents", + "logs:DescribeLogStreams", + "logs:DescribeLogGroups" + ], + "Resource": [ + "arn:aws:logs:us-east-1:123456789012:log-group:/aws/msk-connect/*" + ] @@ -77,0 +89 @@ To give a non-admin user full access to all MSK Connect functionality, attach a + "Sid": "S3PluginAccess", @@ -79,2 +91,9 @@ To give a non-admin user full access to all MSK Connect functionality, attach a - "Action": "firehose:TagDeliveryStream", - "Resource": "ARN of the Firehose delivery stream to which you want MSK Connect to deliver logs" + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:PutObject" + ], + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket1-custom-plugins", + "arn:aws:s3:::amzn-s3-demo-bucket1-custom-plugins/*" + ]