Nice idea, sounds very useful! But I'm still stuck with one question.
Doesn't this introduce a major security risk? When your ec2 would get compromised, the attacker has the permissions to update your hosted zone. Because of this, he/she could potentially point your domain to their site.
Or I might be missing something, not quite sure.
I love your phraseology: "When your ec2 would get compromised", rather than "If". With a pessimistic attitude like that, you'd make a good security professional! (We're hiring!)
You are correct — it is always important to grant only the permissions that are required, lest the credentials accidentally, or intentionally, are used for other purposes. The above policy limits the potential changes to a specific Hosted Zone. I'm not sure whether it is possible to lock down further to a specific Record Set.
For the really security-minded, you could have the instance call an AWS Lambda function that makes the call on its behalf. This way, the instance would not have any permissions to change the Route 53 information. The Lambda function would require such permission, but Lambda could be considered more "locked-down" than an Amazon EC2 instance.
You should be able to use CloudWatch Events to trigger the Lambda on EC2 instance state-changes. This way you don't even need to grant permissions to Lambda. Something like aws.amazon.com/premiumsupport/know...
Thank you for clearing that up! The Lambda could also do some validation when updating the record set, so that the record could only point to targets that you own yourself.
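The Lambda-in-the-middle design discussed in the replies above, as an added example that is not code from the article or from any of the commenters. It assumes a CloudWatch Events (now EventBridge) rule forwarding "EC2 Instance State-change Notification" events as the trigger, so the instance itself supplies no input and holds no Route 53 permission; an instance tag named Route53Name (invented here) as the allow-list for which instance may claim the record; and HOSTED_ZONE_ID / RECORD_NAME environment variables. The fake EC2 and Route 53 clients and the event at the bottom are constructed so the demo runs offline.

```python
"""Added example (editor's, not the article's): EventBridge-triggered Lambda that
UPSERTs a Route 53 A record for an instance after validating the target.
Assumptions: the Route53Name tag, the env var names and the TTL are invented."""
import ipaddress
import os

HOSTED_ZONE_ID = os.environ.get("HOSTED_ZONE_ID", "Z11111112222222333333")
RECORD_NAME = os.environ.get("RECORD_NAME", "acme.example.com.")
TAG_KEY = "Route53Name"  # assumed tag authorising an instance to claim RECORD_NAME
TTL = 60                 # short TTL so a replacement instance is picked up quickly


def build_change_batch(record_name, ipv4, ttl=TTL):
    """UPSERT batch for one A record: the only change this Lambda ever makes."""
    return {"Comment": "set by ec2-state-change Lambda", "Changes": [{
        "Action": "UPSERT",
        "ResourceRecordSet": {"Name": record_name, "Type": "A", "TTL": ttl,
                              "ResourceRecords": [{"Value": ipv4}]}}]}


def validate_target(instance, record_name):
    """Return (ipv4, None) if the instance may own record_name, else (None, reason).
    The address comes from DescribeInstances in our own account, never from the
    instance, so a compromised host cannot hand the Lambda an attacker-chosen IP."""
    tags = {t["Key"]: t["Value"] for t in instance.get("Tags", [])}
    if tags.get(TAG_KEY) != record_name:
        return None, "instance is not tagged for this record"
    ip = instance.get("PublicIpAddress")
    if not ip:
        return None, "instance has no public IPv4 address"
    addr = ipaddress.ip_address(ip)
    if addr.version != 4 or not addr.is_global:
        return None, f"{ip} is not a global IPv4 address"
    return ip, None


def handler(event, context=None, ec2=None, route53=None):
    """Lambda entry point; ec2/route53 are injectable so the demo runs offline."""
    if event.get("detail-type") != "EC2 Instance State-change Notification":
        return {"action": "ignored", "reason": "not an EC2 state-change event"}
    detail = event.get("detail", {})
    if detail.get("state") != "running":
        return {"action": "ignored", "reason": f"state is {detail.get('state')!r}"}
    if ec2 is None or route53 is None:  # real boto3 clients only outside the demo
        import boto3
        ec2 = ec2 or boto3.client("ec2")
        route53 = route53 or boto3.client("route53")
    resp = ec2.describe_instances(InstanceIds=[detail["instance-id"]])
    instances = [i for r in resp["Reservations"] for i in r["Instances"]]
    if not instances:  # real EC2 raises InvalidInstanceID.NotFound instead
        return {"action": "ignored", "reason": "instance not found in this account"}
    ipv4, reason = validate_target(instances[0], RECORD_NAME)
    if ipv4 is None:
        return {"action": "refused", "reason": reason}
    route53.change_resource_record_sets(
        HostedZoneId=HOSTED_ZONE_ID, ChangeBatch=build_change_batch(RECORD_NAME, ipv4))
    return {"action": "upsert", "name": RECORD_NAME, "value": ipv4}


# --- constructed offline stand-ins for boto3 clients and the EventBridge event ---
class FakeEC2:
    def __init__(self, instances):
        self.instances = instances

    def describe_instances(self, InstanceIds):
        found = [i for i in self.instances if i["InstanceId"] in InstanceIds]
        return {"Reservations": [{"Instances": found}]}


class FakeRoute53:
    def __init__(self):
        self.calls = []

    def change_resource_record_sets(self, HostedZoneId, ChangeBatch):
        self.calls.append((HostedZoneId, ChangeBatch))
        return {"ChangeInfo": {"Status": "PENDING"}}


def state_event(instance_id, state):
    return {"detail-type": "EC2 Instance State-change Notification",
            "detail": {"instance-id": instance_id, "state": state}}


def run_demo():
    """Constructed instances (not real data): one legitimate, one untagged,
    one tagged but with a private address, plus an unknown id and a stop event."""
    ec2 = FakeEC2([
        {"InstanceId": "i-0aaa", "PublicIpAddress": "54.12.34.56",
         "Tags": [{"Key": TAG_KEY, "Value": RECORD_NAME}]},
        {"InstanceId": "i-0bbb", "PublicIpAddress": "54.12.34.57", "Tags": []},
        {"InstanceId": "i-0ccc", "PublicIpAddress": "10.0.0.5",
         "Tags": [{"Key": TAG_KEY, "Value": RECORD_NAME}]},
    ])
    r53 = FakeRoute53()
    results = [handler(state_event(i, "running"), ec2=ec2, route53=r53)
               for i in ("i-0aaa", "i-0bbb", "i-0ccc", "i-0ddd")]
    results.append(handler(state_event("i-0aaa", "stopped"), ec2=ec2, route53=r53))
    return results, r53.calls


if __name__ == "__main__":
    for r in run_demo()[0]:
        print(r)
```

With this split the instance role needs nothing for Route 53; the Lambda's role needs ec2:DescribeInstances plus route53:ChangeResourceRecordSets on the zone, and that permission can itself carry the record-name condition from the later comment so even the Lambda cannot touch other records. Stop and terminate events are ignored here; a DELETE on those states would be a small extension.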
In case anybody else is concerned about this, AWS now supports resource record set permissions with Route53, so you can dial in the EC2 IAM Role policy to allow route53:ChangeResourceRecordSets only on a given record set. Back when this article was originally written, it wasn't possible:
Announcement: aws.amazon.com/about-aws/whats-new...
Examples: docs.aws.amazon.com/Route53/latest...
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "route53:ChangeResourceRecordSets",
            "Resource": "arn:aws:route53:::hostedzone/Z11111112222222333333",
            "Condition": {
                "ForAllValues:StringEquals": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["acme.example.com"]
                }
            }
        }
    ]
}
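A local model of how the record-scoped policy above is evaluated against a ChangeResourceRecordSets batch, added here as the editor's example (not the commenter's code and not from the linked AWS docs), usable as a pre-flight check in a deploy script before the real call. It assumes that "normalized" means lowercased with the trailing dot removed (the linked documentation is authoritative on the exact normalization), and it adds the route53:ChangeResourceRecordSetsRecordTypes and route53:ChangeResourceRecordSetsActions condition keys, which are real Route 53 keys but whose use is this example's suggestion, not the comment's. The change batches are constructed.

```python
"""Added example (editor's): local evaluation of the record-scoped policy.
Assumed normalization: lowercase, trailing dot stripped. RecordTypes/Actions
keys added as a hardening suggestion beyond the policy in the comment."""

ZONE_ARN = "arn:aws:route53:::hostedzone/Z11111112222222333333"
NAMES_KEY = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
TYPES_KEY = "route53:ChangeResourceRecordSetsRecordTypes"
ACTIONS_KEY = "route53:ChangeResourceRecordSetsActions"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "route53:ChangeResourceRecordSets",
        "Resource": ZONE_ARN,
        "Condition": {"ForAllValues:StringEquals": {
            NAMES_KEY: ["acme.example.com"],
            TYPES_KEY: ["A"],          # added: no CNAME/NS/MX changes
            ACTIONS_KEY: ["UPSERT"],   # added: no DELETE, even of this record
        }},
    }],
}


def normalize(name):
    """Assumed model of the normalized record name: lowercase, no trailing dot."""
    return name.lower().rstrip(".")


def upsert_batch(name, rtype, value, ttl=60):
    """Constructed single-record change batch in the shape boto3 sends."""
    return {"Changes": [{"Action": "UPSERT", "ResourceRecordSet": {
        "Name": name, "Type": rtype, "TTL": ttl,
        "ResourceRecords": [{"Value": value}]}}]}


def request_condition_values(change_batch):
    """Multi-valued condition keys IAM derives from the whole batch, not per change."""
    req = {NAMES_KEY: set(), TYPES_KEY: set(), ACTIONS_KEY: set()}
    for change in change_batch["Changes"]:
        rrs = change["ResourceRecordSet"]
        req[NAMES_KEY].add(normalize(rrs["Name"]))
        req[TYPES_KEY].add(rrs["Type"])
        req[ACTIONS_KEY].add(change["Action"])
    return req


def for_all_values_string_equals(request_values, allowed):
    """IAM ForAllValues: every request value must appear in the policy's set.
    An empty request set also matches (a general IAM gotcha); it cannot happen
    here because any non-empty batch yields at least one name, type and action."""
    return all(v in allowed for v in request_values)


def policy_allows(policy, hosted_zone_arn, change_batch):
    """True if some Allow statement matches action, resource and every condition.
    No explicit Deny is modelled; anything unmatched is the implicit deny."""
    req = request_condition_values(change_batch)
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] != "Allow" or "route53:ChangeResourceRecordSets" not in actions:
            continue
        if stmt["Resource"] != hosted_zone_arn:
            continue
        conds = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        if all(for_all_values_string_equals(req.get(key, set()), set(allowed))
               for key, allowed in conds.items()):
            return True
    return False


if __name__ == "__main__":
    # Mixed case and a trailing dot normalize to the allowed name...
    ok = upsert_batch("ACME.Example.COM.", "A", "54.12.34.56")
    # ...but a second name in the same batch fails ForAllValues for the whole call.
    two = {"Changes": ok["Changes"]
           + upsert_batch("www.example.com", "A", "54.12.34.57")["Changes"]}
    print(policy_allows(POLICY, ZONE_ARN, ok), policy_allows(POLICY, ZONE_ARN, two))
```

The practical point the model makes visible: the condition is evaluated over the set of names in the entire batch, so a batch that mixes the permitted record with any other record is rejected as a whole, and the name must be written in its normalized form in the policy or it will never match. Adding the type and action keys closes the remaining gap in the comment's policy, where the role could still have replaced acme.example.com with a CNAME or deleted it.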