Bug 2017635

Summary: Change permissions for IAM role policy
Product: Red Hat Hybrid Cloud Console (console.redhat.com)
Reporter: Abhilash Kulkarni <abkulkar>
Component: Subscription Watch
Assignee: Kevin Howell <khowell>
Status: CLOSED NOTABUG
QA Contact: Jon Allen <jallen>
Severity: medium
Docs Contact:
Priority: unspecified
Version: unspecified
CC: brasmith, dbomhof, dozdowsk, gmccullo, gtanzillo, gtanzill, kcook, kdixon, ramkumar, sghai
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-02-24 19:14:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Abhilash Kulkarni 2021-10-27 04:57:56 UTC
Description of problem:

The issue is that every 10 minutes some RHSM initiated task tries to copy this image:
ami-0f94fa2a144c74cf1
from region us-east-1 to the local AWS account.

As there are sensitive servers running inside this AWS account, it has been correctly identified by the security audit team that the IAM role used by the RHSM source is too slack, giving Red Hat permission to copy these sensitive servers to the us-east-1 region.

The IAM role was automatically generated by the RHSM cloud integration process, and had been neutered a little soon after establishing the subscription and after being a little shocked at the slack permissions it produced.

Are there any guidelines for tightening up the IAM role that is used by this RHSM facility? Can we remove it altogether for peace of mind? Alternatively, can we restrict it even more by removing the ec2:CreateImage permission?

From this link: https://access.redhat.com/documentation/en-us/subscription_central/2021/html-single/getting_started_with_the_subscriptions_service/index

However, in some cases an image cannot be copied. For example, if the image in your AWS account is owned and shared by a third party, public cloud metering is aware that the image exists, but cannot copy it. In that case, the public cloud metering function uses the IAM role and policy granted during subscriptions source creation to make a reference copy of the original image. This reference copy image is stored in your account. The reference copy is used to make another copy of the image that is stored temporarily in the Red Hat AWS account for inspection purposes.

Please help to secure the AWS account to prevent unauthorised access to sensitive EC2 servers by tightening up this subscription facility.
This is the current policy for the IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudigradePolicy",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:ModifySnapshotAttribute",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:CopyImage",
                "ec2:CreateTags",
                "ec2:DescribeRegions",
                "cloudtrail:CreateTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:DescribeTrails",
                "cloudtrail:StartLogging",
                "cloudtrail:DeleteTrail"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

Comment 2 Brad Smith 2021-10-27 17:55:51 UTC
All of the actions listed in the policy are required for cloud meter to function. Removing any of them may cause unexpected failures and will likely result in the customer's source being updated as "unavailable".

Our customer-facing documentation generally explains the purpose of each action: https://access.redhat.com/documentation/en-us/subscription_central/2021/html/getting_started_with_the_subscriptions_service/assembly-adding-sources-publiccloudmetering#ref-actions-allowed-by-AWS-IAM-policy_assembly-adding-sources-publiccloudmetering-ctxt

Please let me know if you need more specific details about how we use each of those actions, and I can explain. We are aware that this policy also casts a wide net with its "*" resource definition, but we cannot easily shrink that without making complex and frequent changes to the policy itself to grant access to specific resources as they are created and destroyed.

If the customer is unable or unwilling to allow this broad level of access, my suggestion is to disable or remove the related source because cloud meter cannot perform its required operations without that access.

Comment 4 Abhilash Kulkarni 2021-11-23 20:07:24 UTC
Hi, 

Below is the reply from the Customer

=======================================================
The Australian Government laws do not allow data that is classified as sensitive to be taken outside the Australia without being granted a specific exemption or agreement. These are the rules I must work with. The data inside the EC2 Images is classified as sensitive.

The RHSM public cloud metering process appears to want to copy an EC2 Image from the AWS ap-southeast-2 (Sydney) region into the AWS us-east-1 (N. Virginia) region which Australian laws do not allow.

In order to meet full compliance with Australian law I am forced to change the IAM policy used by RHSM to the one below, which breaks RHSM compliance. Fortunately, so far I do not seem to have suffered any negative side effects, probably because the pool that is being managed by RHSM is very small (14 nodes).

New AWS IAM Policy for arn:aws:iam::828388250414:role/redhat-cloud-meter-role-2c5aa4b26280af2a

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudigradePolicy1",
            "Action": [
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeRegions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudigradePolicy2",
            "Action": [
                "cloudtrail:DescribeTrails"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CloudigradePolicy3",
            "Action": [
                "cloudtrail:CreateTrail",
                "cloudtrail:UpdateTrail",
                "cloudtrail:PutEventSelectors",
                "cloudtrail:StartLogging",
                "cloudtrail:DeleteTrail"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:cloudtrail:us-east-1:828388250414:trail/prod-828388250414"
        }
    ]
}
========================================================
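
As an added example (not code from this bug, from Red Hat, or from the customer), the following Python audit script captures the two concerns that run through the description, Brad's reply in comment 2 and the customer's tightened policy above: which Allow statements grant mutating or image/snapshot-moving actions on `Resource: "*"`, and which actions a tightened policy takes away from cloud meter. The two policies are transcribed from this page; the classification of `ec2:CopyImage`, `ec2:CreateImage` and `ec2:ModifySnapshotAttribute` as "data-moving" and the Describe/Get/List read-only heuristic are the example's own assumptions, not anything Red Hat publishes.

```python
import json

# Transcribed from this bug: the auto-generated policy from the description
# and the customer's tightened policy from comment 4.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CloudigradePolicy",
            "Action": [
                "ec2:DescribeImages", "ec2:DescribeInstances",
                "ec2:ModifySnapshotAttribute", "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots", "ec2:CopyImage", "ec2:CreateTags",
                "ec2:DescribeRegions", "cloudtrail:CreateTrail",
                "cloudtrail:UpdateTrail", "cloudtrail:PutEventSelectors",
                "cloudtrail:DescribeTrails", "cloudtrail:StartLogging",
                "cloudtrail:DeleteTrail",
            ],
            "Effect": "Allow",
            "Resource": "*",
        }
    ],
}

TIGHTENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "CloudigradePolicy1",
         "Action": ["ec2:DescribeImages", "ec2:DescribeInstances",
                    "ec2:DescribeSnapshotAttribute", "ec2:DescribeSnapshots",
                    "ec2:DescribeRegions"],
         "Effect": "Allow", "Resource": "*"},
        {"Sid": "CloudigradePolicy2",
         "Action": ["cloudtrail:DescribeTrails"],
         "Effect": "Allow", "Resource": "*"},
        {"Sid": "CloudigradePolicy3",
         "Action": ["cloudtrail:CreateTrail", "cloudtrail:UpdateTrail",
                    "cloudtrail:PutEventSelectors", "cloudtrail:StartLogging",
                    "cloudtrail:DeleteTrail"],
         "Effect": "Allow",
         "Resource": "arn:aws:cloudtrail:us-east-1:828388250414:trail/prod-828388250414"},
    ],
}

# Assumed classification for this example: actions that move or expose
# image/snapshot data rather than merely describe it.
DATA_MOVING_ACTIONS = {"ec2:CopyImage", "ec2:CreateImage", "ec2:ModifySnapshotAttribute"}

# Assumed heuristic: operation names with these prefixes are treated as read-only.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM accepts a bare string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for 'service:Operation' where Operation starts with a read-only prefix."""
    parts = action.split(":", 1)
    return len(parts) == 2 and parts[1].startswith(READ_ONLY_PREFIXES)


def allowed_actions(policy):
    """Set of every action granted by an Allow statement in the policy."""
    return {a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _as_list(s["Action"])}


def audit_policy(policy):
    """Flag Allow statements granting mutating or data-moving actions on Resource "*"."""
    findings = {"data_moving_on_wildcard": [], "mutating_on_wildcard": [],
                "scoped_statements": []}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if "*" not in _as_list(stmt["Resource"]):
            # Resource is narrowed to specific ARNs: record it, nothing to flag.
            findings["scoped_statements"].append(sid)
            continue
        for action in _as_list(stmt["Action"]):
            if action in DATA_MOVING_ACTIONS:
                findings["data_moving_on_wildcard"].append((sid, action))
            if not is_read_only(action):
                findings["mutating_on_wildcard"].append((sid, action))
    return findings


def removed_actions(old_policy, new_policy):
    """Actions the old policy allowed that the new one no longer grants."""
    return allowed_actions(old_policy) - allowed_actions(new_policy)


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("tightened", TIGHTENED_POLICY)):
        print(name, json.dumps(audit_policy(policy), indent=2))
    print("actions cloud meter loses:",
          sorted(removed_actions(ORIGINAL_POLICY, TIGHTENED_POLICY)))
```

Run against the two policies, the original is flagged for `ec2:CopyImage` and `ec2:ModifySnapshotAttribute` on a wildcard resource (the copy-out path the customer objects to), while the tightened policy has no wildcard-scoped mutating actions but, as Brad warns in comment 2, drops three actions cloud meter relies on: `ec2:CopyImage`, `ec2:ModifySnapshotAttribute` and `ec2:CreateTags`. The script only reports; whether those losses are acceptable is the decision comment 5 leaves to the customer.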

Comment 5 dozdowsk 2022-02-24 19:14:06 UTC
Hi all,

As Brad notes above, the specific permission is necessary for the "is this RHEL" inspection to work. What we provision and what we do with that permission is in our docs, and customers for whom this permission is no good should ABSOLUTELY not use Cloud Metering and can instead rely on the lower fidelity OS-level agents for subs management.

There's a side concept in this ticket that the inspection would be less of a problem if it remained in AUS, and we agree that it is highly desirable that a broad range of Insights services operate in the "home" region of the systems that they're working with. I'm going to attach this case to our geographical concerns issue in Jira, which can be found here: https://issues.redhat.com/browse/RHIN-24

Because one half of this BZ is currently unfixable and we're addressing the other half in a trackable Jira issue, I'm going to close this BZ out.

Cheers,
Dan