
Commit 6aef504

Adding EC2 Image builder and Cloud9 service owned resources
1 parent 9871bba commit 6aef504

5 files changed

Lines changed: 25 additions & 9 deletions

File tree

service_control_policies/README.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -41,7 +41,7 @@ This policy statement is included in the [resource_perimeter_policy](resource_pe
4141
* `cloudformation:CreateChangeSet` - Required for using the [transforms hosted by AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/transform-reference.html) in your CloudFormation templates.
4242
* `s3:GetObject`,`s3:GetObjectVersion`, `s3:PutObject`, `s3:PutObjectAcl`, `s3:ListBucket` - Required for importing and storing assets in Amazon S3 buckets, like Service Catalog CloudFormation templates, [AWS Data Exchange assets](https://docs.aws.amazon.com/data-exchange/latest/userguide/access-control.html#:~:text=Amazon%20S3%20permissions), [AWS Glue Studio transformations](https://docs.aws.amazon.com/glue/latest/dg/getting-started-min-privs-job.html#getting-started-min-privs-data), [AWS Elastic Beanstalk configuration files](https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/vpc-vpce.policy.html#AWSHowTo.S3.VPCendpoints.required-permissions.assets), [Amazon CloudWatch Synthetic monitoring canaries](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries.html), [Amazon SageMaker JumpStart models](https://docs.aws.amazon.com/sagemaker/latest/dg/jumpstart-deploy.html#jumpstart-config-security).
4343
* `ssm:Describe*`, `ssm:List*`, `ssm:Get*`, `ssm:SendCommand`, `ssm:CreateAssociation`, `ssm:StartSession`, `ssm:StartChangeRequestExecution`, `ssm:StartAutomationExecution` - Required for [AWS Systems Manager](https://aws.amazon.com/systems-manager/) global parameters, documents and automation runbooks. Some AWS services publish information about common artifacts as Systems Manager public parameters. For example, Amazon EC2 publishes information about Amazon Machine Images (AMIs) as public parameters. AWS automation or custom applications may need to access Systems Manager public documents also to support their operations. The AWS Systems Manager automation runbooks, such as AWS-ConfigureMaintenanceWindows, may be needed to configure maintenance windows in AWS Systems Manager.
44-
* `imagebuilder:GetComponent` - Required for [EC2 Image Builder](https://aws.amazon.com/image-builder/) Amazon managed [AWSTOE components](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-components.html).
44+
* `imagebuilder:GetComponent`,`imagebuilder:GetImage` - Required for [EC2 Image Builder](https://aws.amazon.com/image-builder/) [managed components and images](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#sec-iam-ib-id-based-policies-resources).
4545
* `ecr:GetDownloadUrlForLayer`, `ecr:BatchGetImage` - Required for [Amazon Elastic Kubernetes Service (Amazon EKS) add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html), [GuardDuty EKS Runtime Monitoring](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty-eks-runtime-monitoring.html), and [Amazon SageMaker pre-built Docker images](https://docs.aws.amazon.com/sagemaker/latest/dg-ecr-paths/sagemaker-algo-docker-registry-paths.html).
4646
* `lambda:GetLayerVersion` - Required for CloudWatch Lambda Insights extension and [AWS AppConfig](https://aws.amazon.com/systems-manager/features/appconfig/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc&blog-posts-cards.sort-by=item.additionalFields.createdDate&blog-posts-cards.sort-order=desc) Agent Lambda extension.
4747
* `ec2:Owner` condition key:
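Review bot: style nit on the added line 44: `imagebuilder:GetComponent`,`imagebuilder:GetImage` is missing the space after the comma that every other bullet in this list uses (compare `ssm:Describe*`, `ssm:List*`); suggest `imagebuilder:GetComponent`, `imagebuilder:GetImage`. The same pre-existing inconsistency sits on line 42 (`s3:GetObject`,`s3:GetObjectVersion`), so it may be worth fixing both while this list is being touched.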
@@ -88,7 +88,7 @@ This policy statement is included in the [resource_perimeter_policy](resource_pe
8888
This policy statement is included in the [resource_perimeter_policy](resource_perimeter_policy.json) and limits access to trusted [EC2 Image Builder](https://aws.amazon.com/image-builder/) resources:
8989

9090
* EC2 Image Builder resources that belong to your Organizations organization specified by the organization ID (`<my-org-id>`) in the policy statement.
91-
* Amazon managed [AWSTOE components](https://docs.aws.amazon.com/imagebuilder/latest/userguide/manage-components.html) that might be accessed by your identities and applications using your IAM credentials. To account for this access pattern, the `imagebuilder:GetComponent` is first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesImageBuilder"` then uses the `aws:PrincipalTag` condition key with `dp:exclude:resource:imagebuilder` tag set to `true` to restrict access to these actions to IAM principals tagged for access to EC2 Image Builder resources that do not belong to your organization.
91+
* Amazon [managed AWSTOE components and images](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html) that might be accessed by your identities and applications using your IAM credentials. To account for this access pattern, the `imagebuilder:GetComponent`, `imagebuilder:GetImage` are first listed in the `NotAction` element of the `"Sid":"EnforceResourcePerimeterAWSResources"` statement. `"Sid":"EnforceResourcePerimeterAWSResourcesImageBuilder"` then uses the `aws:PrincipalTag` condition key with `dp:exclude:resource:imagebuilder` tag set to `true` to restrict access to these actions to IAM principals tagged for access to EC2 Image Builder resources that do not belong to your organization.
9292

9393

9494
### "Sid":"EnforceResourcePerimeterAWSResourcesECR"
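Review bot: the statement name this paragraph references does not match the policy file. Line 91 (both the removed and the added version) says `"Sid":"EnforceResourcePerimeterAWSResourcesImageBuilder"`, while the statement in `resource_perimeter_policy.json` changed in this same commit is named `"EnforceResourcePerimeterAWSResourcesEC2ImageBuilder"`; the README should use the exact Sid so readers can locate the statement. Also, the added sentence "the `imagebuilder:GetComponent`, `imagebuilder:GetImage` are first listed in the `NotAction` element" reads awkwardly; suggest "the `imagebuilder:GetComponent` and `imagebuilder:GetImage` actions are first listed in the `NotAction` element".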

service_control_policies/resource_perimeter_policy.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@
2525
"ssm:StartChangeRequestExecution",
2626
"ssm:StartAutomationExecution",
2727
"imagebuilder:GetComponent",
28+
"imagebuilder:GetImage",
2829
"ecr:GetDownloadUrlForLayer",
2930
"ecr:BatchGetImage",
3031
"lambda:GetLayerVersion",
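Review bot: adding `imagebuilder:GetImage` to this `NotAction` list exempts the action from the general resource-perimeter deny for every principal, so enforcement for it now depends entirely on the dedicated `EnforceResourcePerimeterAWSResourcesEC2ImageBuilder` deny statement updated in the next hunk; the two lists must stay in sync, and a short comment in the README stating that any action added here must also be added to that statement would make the pairing explicit for future edits.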
@@ -93,7 +94,10 @@
9394
{
9495
"Sid": "EnforceResourcePerimeterAWSResourcesEC2ImageBuilder",
9596
"Effect": "Deny",
96-
"Action": "imagebuilder:GetComponent",
97+
"Action": [
98+
"imagebuilder:GetComponent",
99+
"imagebuilder:GetImage"
100+
],
97101
"Resource": "*",
98102
"Condition": {
99103
"StringNotEqualsIfExists": {

vpc_endpoint_policies/README.md

Lines changed: 12 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -103,11 +103,16 @@ Example data access patterns:
103103

104104
* *Using EC2 Image Builder components*. [EC2 Image Builder](https://aws.amazon.com/image-builder/) uses a publicly available Amazon S3 bucket to store and access managed resources, such as components. It also downloads the AWSTOE component management application from a separate Amazon S3 bucket. The call to Amazon S3 is unauthenticated and passes through the Amazon S3 VPC endpoint.
105105

106-
* [AWS owned buckets](https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html):
106+
* [AWS owned buckets](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security-iam-data-perimeter.html):
107107

108108
* `arn:aws:s3:::ec2imagebuilder-toe-<region>-prod/*`,
109109
* `arn:aws:s3:::ec2imagebuilder-managed-resources-<region>-prod/components/*`
110110

111+
* *AWS Cloud9 software packages.* [AWS Cloud9](https://aws.amazon.com/cloud9/) environments contain software packages required for AWS Cloud9 to function and support IDE features. To [download patches for these software packages](https://docs.aws.amazon.com/cloud9/latest/user-guide/vulnerability-analysis-and-management.html) from AWS Cloud9 repositories hosted on AWS owned Amazon S3 buckets, AWS Cloud9 makes an unauthenticated call to Amazon S3. The call originates from your VPC and passes through the Amazon S3 VPC endpoint.
112+
113+
* [AWS owned buckets](https://docs.aws.amazon.com/cloud9/latest/user-guide/ec2-ssm.html#create-s3-endpoint)
114+
115+
* `arn:aws:s3:::static-<region>-prod-static-<string>/content/dependencies/*`
111116

112117
* *Creation of containers with Amazon ECR images.* [Amazon Elastic Container Registry (Amazon ECR)](https://aws.amazon.com/ecr/) uses AWS owned Amazon S3 buckets to store Amazon ECR private image layers. When your containers download images from Amazon ECR, they must access Amazon ECR to get the image manifest and then Amazon S3 to download the actual image layers. A call to Amazon S3 is signed using a presigned URL, which is created by an Amazon ECR account and not the service principal. The call originates from your VPC and passes through the Amazon S3 VPC endpoint.
113118

@@ -176,11 +181,15 @@ Example data access patterns:
176181

177182
* `arn:aws:ssm:<region>::automation-definition/*`
178183

179-
* *Using EC2 Image builder components.* Image Builder uses the [AWS Task Orchestrator and Executor (AWSTOE)](https://docs.aws.amazon.com/imagebuilder/latest/userguide/toe-component-manager.html) component management application running on its Amazon EC2 build and test instances. If you are using Amazon managed components in your recipe, AWSTOE uses an instance profile to make a call to Image Builder to get those components, which passes through the Image Builder VPC endpoint.
184+
* *Using EC2 Image builder components and images.* Image Builder uses the [AWS Task Orchestrator and Executor (AWSTOE)](https://docs.aws.amazon.com/imagebuilder/latest/userguide/toe-component-manager.html) component management application running on the Amazon EC2 build and test instances. If you are using Amazon managed components in your recipe, AWSTOE uses an instance profile to make a call to Image Builder to get those components, which passes through the Image Builder VPC endpoint. Similarly, if you are using Amazon managed images, Image Builder uses the instance profile to retrieve those images to set up and boot an EC2 instance.
180185

181-
* [AWS owned component](https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html):
186+
* [AWS owned components](https://docs.aws.amazon.com/imagebuilder/latest/userguide/vpc-interface-endpoints.html):
182187

183188
* `arn:aws:imagebuilder:<region>:aws:component/*`
189+
190+
* [Amazon managed images](https://docs.aws.amazon.com/imagebuilder/latest/userguide/security_iam_service-with-iam.html#sec-iam-ib-id-based-policies-resources):
191+
192+
* `arn:aws:imagebuilder:<region>:aws:image/*`
184193

185194
* *Using Elastic Kubernetes Service add-ons.* [Amazon Elastic Kubernetes Service (Amazon EKS)](https://aws.amazon.com/eks/) uses an Amazon EKS managed Amazon Elastic Container Registry (Amazon ECR) private repository to host Docker container images for [Amazon EKS add-ons](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html). Each Region has a dedicated private repository. If you use Amazon EKS managed node groups or want to have your Amazon EKS nodes pull the container images from the Amazon EKS private repository, your Amazon ECR VPC endpoint (com.amazonaws.region.ecr.api) policy must allow your principals to access the repository for the Region in which you are operating.
186195
* [AWS owned repositories for EKS add-ons](https://docs.aws.amazon.com/eks/latest/userguide/add-ons-images.html):
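Review bot: casing nit on the added line 184: "*Using EC2 Image builder components and images.*" should be "Image Builder", as the service is spelled everywhere else in this file (including the link text on the same line). The new "Amazon managed images" sub-bullet with `arn:aws:imagebuilder:<region>:aws:image/*` is consistent with the resource added to `imagebuilder_endpoint_policy.json` in this commit.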

vpc_endpoint_policies/imagebuilder_endpoint_policy.json

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -31,10 +31,12 @@
3131
"Effect": "Allow",
3232
"Principal": "*",
3333
"Action": [
34-
"imagebuilder:GetComponent"
34+
"imagebuilder:GetComponent",
35+
"imagebuilder:GetImage"
3536
],
3637
"Resource": [
37-
"arn:aws:imagebuilder:<region>:aws:component/*"
38+
"arn:aws:imagebuilder:<region>:aws:component/*",
39+
"arn:aws:imagebuilder:<region>:aws:image/*"
3840
],
3941
"Condition": {
4042
"StringEquals": {
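Review bot: combining both actions and both resource ARNs in one statement grants the cross-product (`imagebuilder:GetComponent` on `image/*` and `imagebuilder:GetImage` on `component/*`); that is inert because each action only applies to its own resource type, but if tighter pairing is wanted, or if further actions are added later, splitting into two statements keeps each action bound to its matching ARN pattern. The JSON itself is well formed (trailing comma added correctly on the previous last element in both arrays).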

vpc_endpoint_policies/s3_endpoint_policy.json

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -92,7 +92,8 @@
9292
"arn:aws:s3:::elasticbeanstalk-env-resources-<region>/*",
9393
"arn:aws:s3:::elasticbeanstalk-<region>/*",
9494
"arn:aws:s3:::jumpstart-cache-prod-<region>/*",
95-
"arn:aws:s3:::jumpstart-cache-prod-<region>"
95+
"arn:aws:s3:::jumpstart-cache-prod-<region>",
96+
"arn:aws:s3:::static-<region>-prod-static-<string>/content/dependencies/*"
9697
]
9798
},
9899
{
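Review bot: the added ARN `arn:aws:s3:::static-<region>-prod-static-<string>/content/dependencies/*` carries an unresolved `<string>` component; unlike `<region>`, a user cannot fill this from context, and substituting a wildcard would allow object reads from any bucket matching `static-<region>-prod-static-*`, which broadens the perimeter beyond the single Cloud9 bucket intended. Please document the expected value (or the accepted wildcard and its trade-off) in the README alongside this entry. Note also that only the object-level ARN is added, whereas the neighbouring `jumpstart-cache-prod-<region>` entry lists both bucket and object ARNs; that is fine if Cloud9 only needs `s3:GetObject`, but worth confirming no `s3:ListBucket` call is involved.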
