AWS managed-flink documentation change
Summary
Updated IAM role configuration guidance with warnings about permission changes impacting functionality
Security assessment
Added operational warnings about proper IAM role configuration but doesn't address a specific vulnerability
Diff
diff --git a/managed-flink/latest/java/security_iam_service-with-iam.md b/managed-flink/latest/java/security_iam_service-with-iam.md index 8effe5b7f..80f03291e 100644 --- a//managed-flink/latest/java/security_iam_service-with-iam.md +++ b//managed-flink/latest/java/security_iam_service-with-iam.md @@ -5 +5 @@ -Identity-based policiesResource-based policiesCross-account access to resourcesPolicy actionsPolicy resourcesPolicy condition keysACLsABACTemporary credentialsPrincipal permissionsService rolesService-linked roles +Application permissionsApplication management and lifecycle control permissionsIdentity-based policiesResource-based policiesACLsService rolesService-linked roles @@ -7 +7 @@ Identity-based policiesResource-based policiesCross-account access to resourcesP -Amazon Managed Service for Apache Flink was previously known as Amazon Kinesis Data Analytics for Apache Flink. +Amazon Managed Service for Apache Flink (Amazon MSF) was previously known as Amazon Kinesis Data Analytics for Apache Flink. @@ -11 +11 @@ Amazon Managed Service for Apache Flink was previously known as Amazon Kinesis D -Before you use IAM to manage access to Managed Service for Apache Flink, learn what IAM features are available to use with Managed Service for Apache Flink. +In Amazon MSF, you use IAM in the following different contexts: @@ -13,13 +13 @@ Before you use IAM to manage access to Managed Service for Apache Flink, learn w -IAM features you can use with Amazon Managed Service for Apache Flink IAM feature | Managed Service for Apache Flink support ----|--- -Identity-based policies | Yes -Resource-based policies | No -Policy actions | Yes -Policy resources | Yes -Policy condition keys | No -ACLs | No -ABAC (tags in policies) | Yes -Temporary credentials | Yes -Principal permissions | Yes -Service roles | No -Service-linked roles | No + * Application permissions: Control access by the application to external resources, such as Amazon S3, Amazon Kinesis Data Streams, or Amazon DynamoDB, that use IAM authentication. @@ -27 +15 @@ Service-linked roles | No -To get a high-level view of how Managed Service for Apache Flink and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the _IAM User Guide_. + * Application management and lifecycle control permissions: Control use of Amazon MSF API actions, such as [CreateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_CreateApplication.html), [StartApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_StartApplication.html), and [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html), which control the application lifecycle. For a complete list of all Amazon MSF API actions that you can specify in the `Action` element of an IAM policy statement, see [Actions defined by Amazon Kinesis Analytics V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html#amazonkinesisanalyticsv2-actions-as-permissions) in the _Service Authorization Reference_. @@ -29 +16,0 @@ To get a high-level view of how Managed Service for Apache Flink and other AWS s -## Identity-based policies for Managed Service for Apache Flink @@ -31 +17,0 @@ To get a high-level view of how Managed Service for Apache Flink and other AWS s -**Supports identity-based policies:** Yes @@ -33 +18,0 @@ To get a high-level view of how Managed Service for Apache Flink and other AWS s -Identity-based policies are JSON permissions policy documents that you can attach to an identity, such as an IAM user, group of users, or role. These policies control what actions users and roles can perform, on which resources, and under what conditions. To learn how to create an identity-based policy, see [Define custom IAM permissions with customer managed policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) in the _IAM User Guide_. @@ -35 +20 @@ Identity-based policies are JSON permissions policy documents that you can attac -With IAM identity-based policies, you can specify allowed or denied actions and resources as well as the conditions under which actions are allowed or denied. You can't specify the principal in an identity-based policy because it applies to the user or role to which it is attached. To learn about all of the elements that you can use in a JSON policy, see [IAM JSON policy elements reference](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html) in the _IAM User Guide_. +###### Topics @@ -37 +22 @@ With IAM identity-based policies, you can specify allowed or denied actions and -### Identity-based policy examples for Managed Service for Apache Flink + * Application permissions @@ -39 +24,30 @@ With IAM identity-based policies, you can specify allowed or denied actions and -To view examples of Managed Service for Apache Flink identity-based policies, see [Identity-based policy examples for Amazon Managed Service for Apache Flink](./security_iam_id-based-policy-examples.html). + * Application management and lifecycle control permissions + + * Identity-based policies for Managed Service for Apache Flink + + * Resource-based policies within Managed Service for Apache Flink + + * Access control lists (ACLs) in Managed Service for Apache Flink + + * Service roles for Managed Service for Apache Flink + + * Service-linked roles for Managed Service for Apache Flink + + + + +## Application permissions + +You control IAM permissions of an Amazon MSF application with the IAM role assigned to the application, as part of the application configuration. This IAM role determines application’s permissions to access other services, such as Amazon S3, Kinesis Data Streams, or DynamoDB, which use IAM for authorization. + +###### Warning + +Changing the permissions for a service role might break Amazon MSF functionality. Make sure you don't remove permissions for the application to download the application code from the Amazon S3 bucket, and send logs to Amazon CloudWatch. + +Assigning permissions to the application using resource-based policies isn't supported. You can't specify an Amazon MSF application as principal in a policy attached to the resource to be accessed. + +###### Topics + + * Permissions to access the application code and application logs + + * Cross-service confused deputy prevention @@ -41 +54,0 @@ To view examples of Managed Service for Apache Flink identity-based policies, se -## Resource-based policies within Managed Service for Apache Flink @@ -43 +55,0 @@ To view examples of Managed Service for Apache Flink identity-based policies, se -Amazon Managed Service for Apache Flink currently does note support resource-based access control. @@ -45 +56,0 @@ Amazon Managed Service for Apache Flink currently does note support resource-bas -## Cross-account access to resources from the Managed Service for Apache Flink application @@ -47 +58,7 @@ Amazon Managed Service for Apache Flink currently does note support resource-bas -To allow a Managed Service for Apache Flink application access to a resource such as an Amazon Kinesis stream or Amazon S3 bucket, you must create an IAM role in the account of the resource. The role must have sufficient permissions to access the resource. You must also add a trust policy that authorizes the entire account of the Managed Service for Apache Flink application to assume the role. +### Permissions to access the application code and application logs + +Amazon MSF also uses the application IAM role to access the application code uploaded in an Amazon S3 bucket, and to write the application logs to Amazon CloudWatch Logs. + +When you create or update the application using the AWS Management Console, choose **Create / update IAM role <role-name> with required policies** in the Application configuration, Amazon MSF automatically creates and modifies the IAM role assigning the required permissions to Amazon S3 and CloudWatch Logs. + +If you create the IAM role manually or if you create and manage the application using automation tools, you must add the following permissions to the application IAM role. @@ -53,0 +71 @@ To allow a Managed Service for Apache Flink application access to a resource suc + "Sid": "ReadCode", @@ -55,2 +73,7 @@ To allow a Managed Service for Apache Flink application access to a resource suc - "Principal": { - "AWS": "arn:aws:iam::Application-account-ID:root" + "Action": [ + "s3:GetObject", + "s3:GetObjectVersion" + ], + "Resource": [ + "arn:aws:s3:::bucket-name/path-to-application-code" + ] @@ -58,3 +81,8 @@ To allow a Managed Service for Apache Flink application access to a resource suc - "Action": "sts:AssumeRole", - "Condition": {} - } + { + "Sid": "ListCloudwatchLogGroups", + "Effect": "Allow", + "Action": [ + "logs:DescribeLogGroups" + ], + "Resource": [ + "arn:aws:logs:region:account-id:log-group:*" @@ -62,5 +90 @@ To allow a Managed Service for Apache Flink application access to a resource suc - } - -Additionally, the IAM role assigned to the Managed Service for Apache Flink application must allow assuming the role in the resource account. - - + }, @@ -68,2 +92,9 @@ Additionally, the IAM role assigned to the Managed Service for Apache Flink appl - "Version": "2012-10-17", - "Statement": [ + "Sid": "ListCloudwatchLogStreams", + "Effect": "Allow", + "Action": [ + "logs:DescribeLogStreams" + ], + "Resource": [ + "arn:aws:logs:region:account-id:log-group:/aws/kinesis-analytics/application-name:log-stream:*" + ] + }, @@ -71 +102 @@ Additionally, the IAM role assigned to the Managed Service for Apache Flink appl - "Sid": "AllowAssumingRoleInStreamAccount", + "Sid": "PutCloudwatchLogs", @@ -73,2 +104,6 @@ Additionally, the IAM role assigned to the Managed Service for Apache Flink appl - "Action": "sts:AssumeRole", - "Resource": "arn:aws:iam::Stream-account-ID:role/Role-to-assume" + "Action": [ + "logs:PutLogEvents" + ], + "Resource": [ + "arn:aws:logs:region:account-id:log-group:/aws/kinesis-analytics/application-name:log-stream:kinesis-analytics-log-stream" + ] @@ -79 +114,44 @@ Additionally, the IAM role assigned to the Managed Service for Apache Flink appl -For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the IAM User Guide. +### Cross-service confused deputy prevention + +When an Amazon MSF application calls a different AWS service, you can provide more granular access permissions. For example, if an IAM role is reused across multiple applications, an application may get access to a resource it should not be have access to. This is known as the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html). For information about how the accessed resource can restrict access to a specific Amazon MSF application, see [Cross-service confused deputy prevention](./iam-cross-service-confused-deputy-prevention.html). + +## Application management and lifecycle control permissions + +Actions to manage the application and its lifecycle, such as [CreateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_CreateApplication.html), [StartApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_StartApplication.html), and [UpdateApplication](https://docs.aws.amazon.com/managed-flink/latest/apiv2/API_UpdateApplication.html), are controlled through identity-based policies associated to the resource performing the action, such as an IAM user, IAM group, or a resource such as AWS Lambda calling the Amazon MSF API. + +###### Note + +The API and SDK controlling Amazon MSF application lifecycle is called Amazon Kinesis Analytics V2, for backward compatibility reasons. + +Assigning permissions for application lifecycle actions using resource-based policies attached to the Amazon MSF application isn't supported. The application IAM role isn't used to control access to the application lifecycle actions. You should not add application lifecycle permissions to the application role. + +The following table lists the IAM features you can use with Amazon MSF application lifecycle actions. + +IAM feature | Managed Service for Apache Flink support +---|--- +Identity-based policies | Yes +Resource-based policies | No +Policy actions | Yes +Policy resources | Yes +Policy condition keys | Yes +ACLs | No +ABAC (tags in policies) | Yes +Temporary credentials | Yes +Cross-service principal permissions | Yes +Service roles | No +Service-linked roles | No + + * For a high-level view of how Managed Service for Apache Flink and other AWS services work with most IAM features, see [AWS services that work with IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html) in the _IAM User Guide_. + + * For information about the service-specific resources, actions, and condition context keys that you can use in IAM permission policies, see [Actions, resources, and condition keys for Amazon Kinesis Analytics V2](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonkinesisanalyticsv2.html) in the _Service Authorization Reference_. + + + + +###### Topics + + * Policy actions + + * Policy resources + + * Policy condition keys @@ -81 +159,10 @@ For more information, see [Cross account resource access in IAM](https://docs.aw -## Policy actions for Managed Service for Apache Flink + * ABAC + + * Temporary credentials + + * Principal permissions + +