11

Request I saw today...

* A new, empty AWS Account
* The ability to run 120 high memory EC2 instances, including up to 80 instances of dl1.24xlarge, but don't worry, 40 of them will be spot instances. I'll probably just start with two m5.xlarge for simplicity.
* VPC Peering into our primary AWS network
* VPC Peering into a 3rd party's network (because we're paying them for this service)
* A couple of cross-account IAM roles
* Granting "AWS: AdministratorAccess" to said IAM roles

I'm a bit behind schedule, and this is urgent. When will you have this completed?

Comments
  • 5
    "Emmmmm.. Sorry, what?" would be my response to that. Administrator access to cross-account roles. You're just asking for trouble with that.

    Just an example of what could happen:
    If I had access to the cross account role, I could use my admin access in the new account to create a new access key for any user and then use that access key to impersonate them to do something malicious. Why not hide behind the high memory machines or come up with a justification for why GPUs should be allowed and then do crypto mining.

    Sooooo much could go wrong with that kind of permission. Principle of least privilege is a thing for a reason and AWS:AdministratorAccess is the complete opposite of that.
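    The scenario in the comment above (a cross-account role with admin rights minting long-lived access keys for existing users) is something you can both catch in policy review and detect in CloudTrail. The script below is an added example, not code from the thread or from AWS: it flags IAM policy documents that amount to AdministratorAccess (`"Action": "*"` on `"Resource": "*"`), and it scans CloudTrail records for `iam:CreateAccessKey` calls made by an assumed role rather than by the user rotating their own key. The account ID, role name, user names and sample records are constructed placeholders.

```python
"""Two defender-side checks for the cross-account admin-role scenario.

1. has_full_admin(): does a permission policy grant everything on everything?
2. find_key_minting_by_roles(): which CloudTrail records show a role creating
   access keys for IAM users (the impersonation path described in the thread)?

All sample data below is constructed for illustration; account IDs, role and
user names are placeholders, not real identifiers.
"""

# Constructed example of an admin-equivalent inline policy (assumption: this is
# what the requested AdministratorAccess grant looks like once attached).
ADMIN_LIKE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed example of a least-privilege alternative for the same workload.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:Describe*"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:CreateAccessKey", "iam:CreateLoginProfile"], "Resource": "*"},
    ],
}

# Constructed CloudTrail-shaped records (field names follow the CloudTrail
# record format; the values are placeholders).
SAMPLE_EVENTS = [
    {   # a cross-account session creating a key for an unrelated user: the bad case
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {
            "type": "AssumedRole",
            "arn": "arn:aws:sts::111111111111:assumed-role/PartnerAdminRole/partner-session",
            "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111111111111:role/PartnerAdminRole"}},
        },
        "requestParameters": {"userName": "deploy-bot"},
    },
    {   # a user rotating their own key: expected, not flagged
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateAccessKey",
        "userIdentity": {"type": "IAMUser", "userName": "alice",
                         "arn": "arn:aws:iam::111111111111:user/alice"},
        "requestParameters": {},
    },
    {   # unrelated EC2 activity by the same role: not an IAM key event
        "eventSource": "ec2.amazonaws.com",
        "eventName": "RunInstances",
        "userIdentity": {"type": "AssumedRole",
                         "arn": "arn:aws:sts::111111111111:assumed-role/PartnerAdminRole/partner-session"},
        "requestParameters": {"instanceType": "m5.xlarge"},
    },
]

# Roles whose trust policy lets another account assume them (assumed inventory).
CROSS_ACCOUNT_ROLES = {"arn:aws:iam::111111111111:role/PartnerAdminRole"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def has_full_admin(policy):
    """True if any Allow statement grants every action on every resource."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in actions and "*" in resources:
            return True
    return False


def find_key_minting_by_roles(events, cross_account_roles):
    """Return findings for CreateAccessKey calls not made by the key's own user.

    A role session has no access keys of its own, so a role calling
    CreateAccessKey is always minting long-lived credentials for some IAM user.
    Sessions issued by a known cross-account role are rated high.
    """
    findings = []
    for ev in events:
        if ev.get("eventSource") != "iam.amazonaws.com" or ev.get("eventName") != "CreateAccessKey":
            continue
        ident = ev.get("userIdentity", {})
        # CreateAccessKey without userName targets the caller, so fall back to it.
        target = ev.get("requestParameters", {}).get("userName") or ident.get("userName")
        if ident.get("type") == "IAMUser" and ident.get("userName") == target:
            continue  # self-service key rotation
        issuer = ident.get("sessionContext", {}).get("sessionIssuer", {}).get("arn")
        findings.append({
            "actor": ident.get("arn"),
            "issuer_role": issuer,
            "target_user": target,
            "severity": "high" if issuer in cross_account_roles else "medium",
        })
    return findings


if __name__ == "__main__":
    print("admin-like policy:", has_full_admin(ADMIN_LIKE_POLICY))
    print("scoped policy:", has_full_admin(SCOPED_POLICY))
    for f in find_key_minting_by_roles(SAMPLE_EVENTS, CROSS_ACCOUNT_ROLES):
        print(f)
```

    In practice you would feed `find_key_minting_by_roles` the records from a CloudTrail lookup or an S3 delivery bucket, and the `CROSS_ACCOUNT_ROLES` set from an inventory of roles whose trust policy names a foreign account principal. The explicit `Deny` on `iam:CreateAccessKey` in `SCOPED_POLICY` is the preventive counterpart: it removes the impersonation path the comment describes even if someone later widens the Allow statements.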
  • 4
    I don't even like giving people permission to modify their autoscaling groups. Ever since one team set their max instance count to 500 and then triggered a bug that caused infinite scaling and hit the account limit, which of course broke other production deployments...