Remove dangerous iam:PassRole and redundant SSM permissions from EC2 policy

harshavemula-ua · harshavemula-ua · commit aa26e2f29459 · 2025-11-13T22:24:15.000-06:00
Security fix: EC2 instances do not need iam:PassRole permission as they never create resources requiring role assignment. This was a privilege escalation risk.

Also removed SSM permissions (ssmmessages, ssm:SendCommand, ssm:GetCommandInvocation, etc.) as these are:
1. Already provided by the AmazonSSMManagedInstanceCore managed policy attached at line 71
2. Not needed by EC2 instances (these are for SENDING commands TO instances, not receiving them)

Kept S3 wildcard access as EC2 instances need to read/write datastream data.

This is the minimal security hardening change with zero functional impact.
diff --git a/infra/aws/terraform/modules/orchestration/iam_ec2.tf b/infra/aws/terraform/modules/orchestration/iam_ec2.tf
@@ -20,42 +20,12 @@ resource "aws_iam_policy" "ec2_policy" {
   policy = jsonencode({
     Version = "2012-10-17",
     Statement = [
-      {
-        Effect = "Allow",
-        Action = [
-          "ssmmessages:CreateControlChannel",
-          "ssmmessages:CreateDataChannel",
-          "ssmmessages:OpenControlChannel",
-          "ssmmessages:OpenDataChannel",
-          "ssm:DescribeInstanceInformation",
-          "ssm:SendCommand",
-          "ssm:GetCommandInvocation",
-          "ssm:PutComplianceItems",
-          "ssm:UpdateInstanceInformation"
-        ],
-        Resource = "*"
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "iam:PassRole"
-        ],
-        Resource = "*"
-      },
       {
         Effect = "Allow",
         Action = [
           "s3:*"
         ],
         Resource = "*"
-      },
-      {
-        Effect = "Allow",
-        Action = [
-          "ec2:DescribeInstances",
-          "ec2:DescribeTags"
-        ],
-        Resource = "*"
       }
     ]
   })
