Update EC2 IAM Profile to least privilege required (trailofbits#14417)

Change overly permissive IAM Profile from using wildcard in list of actions required. Explictly define the 4 required ec2:Associate* Realized while investigating issue trailofbits#14383, though change does not resolve that issue
firasah · Feb 16, 2022 · b29b310 · b29b310
1 parent a103d8d
commit b29b310
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/docs/deploy-from-ansible.md b/docs/deploy-from-ansible.md
@@ -170,9 +170,12 @@ Additional variables:
                 "ec2:CreateVpc",
                 "ec2:DescribeInternetGateways",
                 "ec2:ModifyVpcAttribute",
-                "ec2:createTags",
+                "ec2:CreateTags",
                 "ec2:CreateSubnet",
-                "ec2:Associate*",
+                "ec2:AssociateVpcCidrBlock",
+                "ec2:AssociateSubnetCidrBlock",
+                "ec2:AssociateRouteTable",
+                "ec2:AssociateAddress",
                 "ec2:CreateRouteTable",
                 "ec2:AttachInternetGateway",
                 "ec2:DescribeRouteTables",