31 changes: 31 additions & 0 deletions data/paths/ecs/ecs-007.yaml
@@ -0,0 +1,31 @@
status: draft

id: ecs-007
name: "iam:PassRole + ecs:StartTask + ecs:RegisterContainerInstance"
category: new-passrole
services:
- iam
- ecs
- ec2

permissions:
required:
- permission: iam:PassRole
resourceConstraints: Target role ARN must be in the Resource section
- permission: ecs:StartTask
resourceConstraints: An existing task definition must be available
- permission: ecs:RegisterContainerInstance
resourceConstraints: Must be able to register an EC2 to an existing cluster
additional:
- permission: ecs:ListClusters
resourceConstraints: Helpful for finding the cluster name
- permission: ecs:ListContainerInstances
resourceConstraints: Helpful for finding the container identifiers
- permission: ecs:ListTaskDefinitions
resourceConstraints: Helpful for finding the task definition names
- permission: ec2:DescribeSubnets
resourceConstraints: Helpful for finding subnets for the network configuration
- permission: ec2:DescribeSecurityGroups
resourceConstraints: Helpful for finding security groups for the network configuration

description: A principal with `iam:PassRole`, `ecs:StartTask` and `ecs:RegisterContainerInstance` can register an EC2 to an ECS cluster, then override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
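Review bot: the `resourceConstraints` values for `ecs:StartTask` ("An existing task definition must be available") and `ecs:RegisterContainerInstance` ("Must be able to register an EC2 to an existing cluster") are preconditions rather than resource scoping, and the second one restates the permission name; state which ARNs the policy's `Resource` element must cover (task definition, cluster, container instance) and move the preconditions into `description`. `services` lists `ec2`, but no `ec2:*` permission appears under `required`; if the path depends on the principal already controlling an EC2 instance that can be registered into the cluster, say so explicitly, and if `ec2` is there only because of the `additional` `ec2:Describe*` entries, note that ecs-008 in the same change omits it for the identical entries, so one convention should be chosen. The description attributes the extracted credentials to IMDS; the passed task role's credentials are delivered by the ECS container credential endpoint, not the instance metadata service, and that distinction matters for which endpoint a defender restricts and monitors, so the wording should separate the task role from any instance profile on the container instance. Finally, "register an EC2" should read "register an EC2 instance", and a mitigation line would round out the entry, e.g. that `iam:PassRole` can be scoped with the `iam:PassedToService` condition key to `ecs-tasks.amazonaws.com` in addition to the ARN scoping the `iam:PassRole` constraint already mentions.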
26 changes: 26 additions & 0 deletions data/paths/ecs/ecs-008.yaml
@@ -0,0 +1,26 @@
status: draft

id: ecs-008
name: "iam:PassRole + ecs:RunTask"
category: new-passrole
services:
- iam
- ecs

permissions:
required:
- permission: iam:PassRole
resourceConstraints: Target role ARN must be in the Resource section
- permission: ecs:RunTask
resourceConstraints: An existing task definition must be available
additional:
- permission: ecs:ListClusters
resourceConstraints: Helpful for finding the cluster name
- permission: ecs:ListTaskDefinitions
resourceConstraints: Helpful for finding the task definition names
- permission: ec2:DescribeSubnets
resourceConstraints: Helpful for finding subnets for the network configuration
- permission: ec2:DescribeSecurityGroups
resourceConstraints: Helpful for finding security groups for the network configuration

description: A principal with `iam:PassRole` and `ecs:RunTask` can override the command which the task definition runs on container startup to ensure they have access to the container. The IMDS credentials can then be extracted which have the permissions of the passed role.
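Review bot: `services` lists only `iam` and `ecs`, yet `additional` includes `ec2:DescribeSubnets` and `ec2:DescribeSecurityGroups`, whereas ecs-007 in this same change lists `ec2` under `services` for the identical entries; align the two files. The `resourceConstraints` for `ecs:RunTask` ("An existing task definition must be available") is a precondition rather than a resource scope; state which ARNs the policy must allow and keep the precondition in `description`. The description reuses the IMDS wording from ecs-007 and has the same inaccuracy: task role credentials are served by the ECS container credential endpoint, not the instance metadata service. Since this entry has `status: draft`, it would also benefit from a mitigation pointer that readers using the catalogue defensively can act on: limit the `Resource` of `iam:PassRole` to the specific task roles, as the constraint line already hints, and add the `iam:PassedToService` condition key restricted to `ecs-tasks.amazonaws.com`.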