Limit iam:CreateServiceLinkedRole permission to specific role

[gabegorelick]

Github issue

Issue type

• Feature Idea

Build number

master

Summary

iam:CreateServiceLinkedRole was added in #205 and is a fairly major permission to grant to AutoSpotting. In reality, I think it only needs to create the AWSServiceRoleForEC2Spot service-linked role. Thus, its permissions could be limited to that specific resource.

See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_identityandaccessmanagement.html.

Steps to reproduce

Deploy

Expected results

AutoSpotting only has permission to create the service-linked role it needs.

Actual results

AutoSpotting has permission to create any service-linked role.

[cristim]

@gabegorelick is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

[gabegorelick]

is it possible to restrict this permission only for the AWSServiceRoleForEC2Spot service-linked role?

Yes. I've verified the following works:

Effect: Allow
Action:
  - 'iam:CreateServiceLinkedRole'
Resource:
  - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot'

I can throw together a PR if you want.

[cristim]

By all means!

My IAM policy knowledge needs a refresh, this is awesome, thanks!

[cristim]

Fixing this in the next version.