cloud connectors role chaining #2960
Conversation
moukoublen
force-pushed
the
cloud_connectors_chaining
branch
from
34d5f72 to
e52824d
Compare
moukoublen
force-pushed
the
cloud_connectors_chaining
branch
from
540de53 to
54ed5af
Compare
moukoublen
force-pushed
the
cloud_connectors_chaining
branch
from
54ed5af to
a3154bf
Compare
| func InitializeAWSConfigCloudConnectors(ctx context.Context, cfg config.AwsConfig) (*aws.Config, error) { | ||
| // 1. Load initial config | ||
| // (TODO: check directly assuming the first role in chain and/or libbeataws.InitializeAWSConfig(cfg)) | ||
| // (TODO: consider os.Setenv("AWS_EC2_METADATA_DISABLED", "true")) |
There was a problem hiding this comment.
I am not sure what to consider, to set it or to check the behavior when it was previously set?
Also, in MKI we block the IMDS ip address, how it affect the flow?
There was a problem hiding this comment.
The comment was for me (I will remove them) to check if we need to use the AWS_EC2_METADATA_DISABLED in case we needed to remove the firewall rules. We don't (we checked the flow with @amirbenun a while ago), so it's all good.
No changes needed. I will remove both TODOs.
|
|
||
| const defaultDuration = 5 * time.Minute | ||
|
|
||
| // Chain Part 1 - Elastic Super Role Local |
There was a problem hiding this comment.
Super role is misleading term, indicate that the role permissions are elevated when it only should be allowed to assume the global role
There was a problem hiding this comment.
I believe this is something to discuss in RFC level, wdyt?
| ) | ||
| localSuperRoleCredentialsCache := aws.NewCredentialsCache(localSuperRoleProvider) | ||
|
|
||
| // Chain Part 2 - Elastic Super Role Global |
There was a problem hiding this comment.
Super role is misleading term, indicate that the role permissions are elevated when we need only audit (SecurityAudit built-in AWS)
There was a problem hiding this comment.
The global super role has not the audit policy, it has no policy part from the "assume anything". Feel free to refer RFC regarding the terminology.
| ) | ||
| globalSuperRoleCredentialsCache := aws.NewCredentialsCache(globalSuperRoleProvider) | ||
|
|
||
| // Chain Part 3 - Elastic Super Role Local |
There was a problem hiding this comment.
| // Chain Part 3 - Elastic Super Role Local | |
| // Chain Part 3 - Elastic Remote SecurityAudit |
| return fmt.Sprintf("%s-%s", resourceID, externalIDPart) | ||
| } | ||
|
|
||
| func InitializeAWSConfigCloudConnectors(ctx context.Context, cfg config.AwsConfig) (*aws.Config, error) { |
There was a problem hiding this comment.
I wonder if we better to have a more generic flow in case we need longer chain.
The chain can be part of the agent policy and be used also for non cloud connector use cases
There was a problem hiding this comment.
I thought about implementing it in a "loop" mode, but:
- this will eventually be moved to libbeat so a more generic approach can be implemented there
- After some tests that I just completed, there are even fewer steps now; it's the init and 2 extras assume instead of 3.
I believe a more generic approach (if it is worth the effort) can be implemented when that code gets transferred to libbeat.
Wdyt?
moukoublen
force-pushed
the
cloud_connectors_chaining
branch
2 times, most recently
from
bcc19af to
5c25106
Compare
moukoublen
force-pushed
the
cloud_connectors_chaining
branch
from
5c25106 to
3aaf8c5
Compare
Summary of your changes
Screenshot/Data
Related Issues
Fixes: #2556
Checklist
Introducing a new rule?