AWS omics documentation change
Summary
Reorganized sections to prioritize Amazon ECR permissions, added detailed steps for configuring ECR resource policies, and expanded cross-account workflow documentation
Security assessment
The changes add explicit documentation about configuring Amazon ECR resource policies and cross-account access controls, which are security-related configurations. However, there is no evidence this addresses a specific existing security vulnerability.
Diff
diff --git a/omics/latest/dev/permissions-resource.md b/omics/latest/dev/permissions-resource.md index 50087c9c5..664714c64 100644 --- a//omics/latest/dev/permissions-resource.md +++ b//omics/latest/dev/permissions-resource.md @@ -5 +5 @@ -Lake Formation permissionsAmazon ECR permissions +Amazon ECR permissionsLake Formation permissions @@ -12,0 +13,2 @@ AWS HealthOmics creates and accesses resources in other services on your behalf + * Amazon ECR permissions + @@ -15 +16,0 @@ AWS HealthOmics creates and accesses resources in other services on your behalf - * Amazon ECR permissions @@ -18,0 +20 @@ AWS HealthOmics creates and accesses resources in other services on your behalf +## Amazon ECR permissions @@ -20 +22 @@ AWS HealthOmics creates and accesses resources in other services on your behalf -## Lake Formation permissions +Before the HealthOmics service can run a workflow in a container from your private Amazon ECR repository, you create a resource policy for the container. The policy grants permission for the HealthOmics service to use the container. You add this resource policy to each private repository referenced by the workflow. @@ -22 +24 @@ AWS HealthOmics creates and accesses resources in other services on your behalf -Before you use analytics features in HealthOmics, configure default database settings in Lake Formation. +###### Note @@ -24 +26 @@ Before you use analytics features in HealthOmics, configure default database set -###### To configure resource permissions in Lake Formation +The private repository and the workflow must be in the same region. @@ -26 +28 @@ Before you use analytics features in HealthOmics, configure default database set - 1. Open the [Data catalog settings](https://console.aws.amazon.com/lakeformation/home#default-permission-settings) page in the Lake Formation console. +The following sections describe the required policy configurations. @@ -28 +30 @@ Before you use analytics features in HealthOmics, configure default database set - 2. Uncheck the IAM access control requirements for databases and tables under **Default permissions for newly created databases and tables**. +###### Topics @@ -30 +32 @@ Before you use analytics features in HealthOmics, configure default database set - 3. Choose **Save**. + * Create a resource policy for the Amazon ECR repository @@ -31,0 +34 @@ Before you use analytics features in HealthOmics, configure default database set + * Running workflows with cross-account containers @@ -32,0 +36 @@ Before you use analytics features in HealthOmics, configure default database set + * Amazon ECR repository policies for shared workflows @@ -35 +38,0 @@ Before you use analytics features in HealthOmics, configure default database set -HealthOmics Analytics auto accepts data if your service policy has the correct RAM permissions, such as the following example. @@ -37,0 +41,16 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R +### Create a resource policy for the Amazon ECR repository + +Create a resource policy to allow the HealthOmics service to run a workflow using a container in the repository. The policy grants permission for the HealthOmics service principal to access the required Amazon ECR actions. + +Follow these steps to create the policy: + + 1. Open the [private repositories](https://console.aws.amazon.com/ecr/repositories) page in the Amazon ECR console and select the repository you're granting access to. + + 2. From the side bar navigation, select **Permissions**. + + 3. Choose **Edit JSON**. + + 4. Choose **Add Statement**. + + 5. Add the following policy statement and then select **Save Policy**. + @@ -41,0 +61 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R + "Sid": "omics workflow access", @@ -43,4 +63,2 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R - "Action": [ - "omics:*" - ], - "Resource": "*" + "Principal": { + "Service": "omics.amazonaws.com" @@ -48,2 +65,0 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R - { - "Effect": "Allow", @@ -51,4 +67,4 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R - "ram:AcceptResourceShareInvitation", - "ram:GetResourceShareInvitations" - ], - "Resource": "*" + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability" + ] @@ -59 +74,0 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R -## Amazon ECR permissions @@ -61 +75,0 @@ HealthOmics Analytics auto accepts data if your service policy has the correct R -Before the HealthOmics service can run a workflow in a container from your private Amazon ECR repository, you create a resource policy for the container. The policy grants permission for the HealthOmics service to use the container. You add this resource policy to each private repository referenced by the workflow. @@ -63 +76,0 @@ Before the HealthOmics service can run a workflow in a container from your priva -###### Note @@ -65 +78 @@ Before the HealthOmics service can run a workflow in a container from your priva -The private repository and the workflow must be in the same region. +### Running workflows with cross-account containers @@ -67 +80 @@ The private repository and the workflow must be in the same region. -The following sections describe the required policy configurations. +If different AWS accounts own the workflow and the container, you need to configure the following cross-account permissions: @@ -69 +82 @@ The following sections describe the required policy configurations. -###### Topics + 1. Update the Amazon ECR policy for the repository to explicitly grant permission to the account that owns the workflow. @@ -71 +84 @@ The following sections describe the required policy configurations. - * Create a resource policy for the Amazon ECR repository + 2. Update the service role for the account that owns the workflow to grant it access to the container image. @@ -73 +85,0 @@ The following sections describe the required policy configurations. - * Amazon ECR repository policies for shared workflows @@ -76,0 +89 @@ The following sections describe the required policy configurations. +The following example demonstrates an Amazon ECR resource policy that grants access to the account that owns the workflow. @@ -78 +91 @@ The following sections describe the required policy configurations. -### Create a resource policy for the Amazon ECR repository +In this example: @@ -80 +93 @@ The following sections describe the required policy configurations. -Create a resource policy to allow the HealthOmics service to run a workflow using a container in the repository. The policy grants permission for the HealthOmics service principal to access the required Amazon ECR actions. + * Workflow account ID: 111122223333 @@ -82 +95 @@ Create a resource policy to allow the HealthOmics service to run a workflow usin -Follow these steps to create the policy: + * Container repository account ID: 444455556666 @@ -84 +97 @@ Follow these steps to create the policy: - 1. Open the [private repositories](https://console.aws.amazon.com/ecr/repositories) page in the Amazon ECR console and select the repository you're granting access to. + * Container name: samtools @@ -86 +98,0 @@ Follow these steps to create the policy: - 2. From the side bar navigation, select **Permissions**. @@ -88 +99,0 @@ Follow these steps to create the policy: - 3. Choose **Edit JSON**. @@ -90 +100,0 @@ Follow these steps to create the policy: - 4. Choose **Add Statement**. @@ -92 +101,0 @@ Follow these steps to create the policy: - 5. Add the following policy statement and then select **Save Policy**. @@ -96,3 +105 @@ Follow these steps to create the policy: - "Statement": [ - { - "Sid": "omics workflow access", + "Statement": [{ @@ -104 +111 @@ Follow these steps to create the policy: - "ecr:GetDownloadUrlForLayer", + "ecr:BatchCheckLayerAvailability", @@ -106 +113,13 @@ Follow these steps to create the policy: - "ecr:BatchCheckLayerAvailability" + "ecr:GetDownloadUrlForLayer" + ] + }, + // Explicitly allow access to the service role of the account that owns the workflow + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/DemoCustomer" + }, + "Action": [ + "ecr:BatchCheckLayerAvailability", + "ecr:BatchGetImage", + "ecr:GetDownloadUrlForLayer" @@ -111,0 +131 @@ Follow these steps to create the policy: +To complete the setup, add the following policy statement to the service role of the account that owns the workflow. The policy grants permission for the service role to access the “samtools” container image. Make sure to replace the account numbers, container name, and region with your own values. @@ -113,0 +134,6 @@ Follow these steps to create the policy: + { + "Sid": "CrossAccountEcrRepoPolicy", + "Effect": "Allow", + "Action": ["ecr:BatchCheckLayerAvailability", "ecr:BatchGetImage", "ecr:GetDownloadUrlForLayer"], + "Resource": "arn:aws:ecr:us-west-2:444455556666:repository/samtools" + } @@ -117 +143,3 @@ Follow these steps to create the policy: -HealthOmics automatically allows a shared workflow to access the Amazon ECR repository while the workflow is running in the subscriber's account. You don't need to grant additional repository access for shared workflows. +###### Note + +HealthOmics automatically allows a shared workflow to access the Amazon ECR repository in the workflow owner's account, while the workflow is running in the subscriber's account. You don't need to grant additional repository access for shared workflows. For more information see [Sharing HealthOmics workflows](https://docs.aws.amazon.com/omics/latest/dev/sharing-workflows.html). @@ -203,0 +232,39 @@ You can also deny Amazon ECR permissions to specific subscribers, as shown in th +## Lake Formation permissions + +Before you use analytics features in HealthOmics, configure default database settings in Lake Formation. + +###### To configure resource permissions in Lake Formation + + 1. Open the [Data catalog settings](https://console.aws.amazon.com/lakeformation/home#default-permission-settings) page in the Lake Formation console. + + 2. Uncheck the IAM access control requirements for databases and tables under **Default permissions for newly created databases and tables**. + + 3. Choose **Save**. + + + + +HealthOmics Analytics auto accepts data if your service policy has the correct RAM permissions, such as the following example. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "omics:*" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ram:AcceptResourceShareInvitation", + "ram:GetResourceShareInvitations" + ], + "Resource": "*" + } + ] + } +