Organization UseCase - Reduce IAM privileges scope of SysdigSecureForCloudRole

[Chili-Man]

I'm not sure why Sysdig Secure needs to have full admin access to every single AWS account to run the cloud-connector (for the organizational setup). Looking through the modules, it really doesn't seem that it needs access to everything, which is concerning since the ECS tasks assume this role. The principle of least privilege should be applied to this particular role and just scoped to the AWS IAM permissions it needs.

[wideawakening]

hey @Chili-Man, thanks for pointing that out.

organizational setup is the most complicated one and we may need to clarify / pin permissions better.
i guess you're referencing to the default organizational OrganizationAccountAccessRole usage.

just updated the org example readme to clarify its usage better, but as stated, it's just the default suggestion.

An specific role is required, to enable Sysdig to impersonate and be able to provide
- For the scanning feature, the ability to pull ECR hosted images when they're allocated in a different account
- A solution to resolve current limitation when accessing an S3 bucket in a different region than where it's being called from

let us know if we can clarify it better or got any better alternative suggestion

[moustafab]

@wideawakening I was just thinking/considering the same thing as OP and I would love if you could document a permission set that can be used to create a role for cloud-connector in sub accounts with the principle of least privilege in mind. That way we could provision a role to be assumed in our sub-accounts and provide the alternate role without having to go through everything done here (and hopefully it could be maintained with any changes to secure-for-cloud needs).

[wideawakening]

• added some insights for the per-member custom role for scanning feature.
• also documented a bit more overall permissions

will be digging more into this topic soon.

https://github.com/sysdiglabs/terraform-aws-secure-for-cloud#required-permissions

https://github.com/sysdiglabs/terraform-aws-secure-for-cloud/blob/master/examples/organizational/README.md#role-summary