Glean supports placing AWS permission boundaries on all IAM roles created by the Glean infrastructure orchestration. These boundaries prevent Glean application IAM roles from escalating their privileges: the ability to create or modify IAM roles, and to pass IAM roles, is restricted by the permission boundaries.

Implementation Summary

Glean provides customers with a Terraform module to execute. This Terraform module creates the managed policies that get attached to roles as permission boundaries.
You must use the permission boundary policies that are supplied by Glean. These must have the ARNs that are created by the Terraform. You have the ability to create these yourself, but they must use the policy that is provided by Glean.
After creating the permission boundaries, customers are encouraged to set up an SCP on the AWS account requiring all IAM roles created by Glean’s infrastructure orchestration to have the boundary applied. Glean supplies a sample of this SCP in the permission boundary provisioning Terraform package. New customers have the option of having Glean automatically provision this during the first deployment.

The Permission Boundaries

Glean can provision 2 permission boundaries. They are:
  1. The Orchestration Role Boundary
    • ARN: arn:aws:iam::GLEAN-ACCOUNT-ID:policy/glean/perm-boundary/glean-OrchestrationRolePermBoundary
  2. The Application Role Boundary
    • ARN: arn:aws:iam::GLEAN-ACCOUNT-ID:policy/glean/perm-boundary/glean-ApplicationRolePermBoundary
The Orchestration Role Boundary is only applied to the IAM roles that run orchestration automation (i.e. run Terraform) in the AWS account. This boundary permits creating IAM roles that have the Application Role Boundary attached. The Application Role Boundary is applied to all other Glean-provisioned IAM roles. It is generally permissive, but explicitly prevents privilege escalation capabilities. This boundary restricts the ability to perform:
  1. IAM role creation/mutation
  2. IAM PassRole
Glean requires the ARNs of these managed policies to be the same as depicted above.
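The following Terraform is an added illustration of how the two boundaries described above can be expressed; it is not Glean's Terraform module, and the exact statements in Glean's policies are not shown on this page. Only the two policy ARNs (path `/glean/perm-boundary/` and the two policy names) come from the page; the specific IAM actions denied, the `iam:PermissionsBoundary` condition used to tie the orchestration boundary to the application boundary, and the tamper-protection statement are assumptions chosen to match the behaviour the text describes.

```hcl
# Added example, not Glean's module. Deny lists and conditions are assumptions.
data "aws_caller_identity" "current" {}

locals {
  boundary_path    = "/glean/perm-boundary/"
  app_boundary_arn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:policy${local.boundary_path}glean-ApplicationRolePermBoundary"
}

# Application Role Boundary: broad allow, explicit deny of the role
# creation/mutation and PassRole actions that enable privilege escalation.
data "aws_iam_policy_document" "application_boundary" {
  statement {
    sid       = "GenerallyPermissive"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
  statement {
    sid    = "DenyRoleCreationAndMutation"
    effect = "Deny"
    actions = [
      "iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole",
      "iam:UpdateAssumeRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy",
      "iam:PutRolePolicy", "iam:DeleteRolePolicy",
      "iam:PutRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
    ]
    resources = ["*"]
  }
  statement {
    sid       = "DenyPassRole"
    effect    = "Deny"
    actions   = ["iam:PassRole"]
    resources = ["*"]
  }
}

resource "aws_iam_policy" "application_boundary" {
  name   = "glean-ApplicationRolePermBoundary"
  path   = local.boundary_path
  policy = data.aws_iam_policy_document.application_boundary.json
}

# Orchestration Role Boundary: may create and configure roles, but only when
# the Application Role Boundary is attached (a missing iam:PermissionsBoundary
# key makes StringNotEquals match, so role creation without a boundary is
# denied), and may never remove a boundary or edit the boundary policies.
data "aws_iam_policy_document" "orchestration_boundary" {
  statement {
    sid       = "GenerallyPermissive"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }
  statement {
    sid    = "DenyRoleWriteWithoutAppBoundary"
    effect = "Deny"
    actions = [
      "iam:CreateRole", "iam:PutRolePermissionsBoundary",
      "iam:AttachRolePolicy", "iam:PutRolePolicy",
    ]
    resources = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "iam:PermissionsBoundary"
      values   = [local.app_boundary_arn]
    }
  }
  statement {
    sid       = "DenyBoundaryRemoval"
    effect    = "Deny"
    actions   = ["iam:DeleteRolePermissionsBoundary"]
    resources = ["*"]
  }
  statement {
    sid    = "DenyBoundaryPolicyTampering"
    effect = "Deny"
    actions = [
      "iam:CreatePolicyVersion", "iam:DeletePolicy",
      "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion",
    ]
    resources = ["arn:aws:iam::*:policy${local.boundary_path}*"]
  }
}

resource "aws_iam_policy" "orchestration_boundary" {
  name   = "glean-OrchestrationRolePermBoundary"
  path   = local.boundary_path
  policy = data.aws_iam_policy_document.orchestration_boundary.json
}
```

Because `path` and `name` are set explicitly, the resulting ARNs match the two shown above for whatever account the Terraform runs in. A boundary only caps what a role's identity policies can grant, so the broad `Allow *` statement in each boundary does not by itself grant anything; the deny statements are what matter.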

Set up

New Customers

New customers have the option to have this automatically provisioned during the initial deploy. Glean will provide the customer with the sample SCP to apply, and the customer applies it to the account.

Existing Customers

For existing customers, please contact your Glean representative for the Terraform package. Once you receive this, you will:
  1. Make adjustments to set the Terraform backend
  2. Update tfvars files (you will need to update the region to be that of the Glean deployment)
  3. Run the Terraform
  4. Inform the Glean representative that this has been completed
  5. Glean will perform a deployment operation that will attach the permission boundaries everywhere
  6. Customers will set up the SCP as appropriate
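The following is an added example of the kind of SCP that step 6 (and the SCP paragraph in the Implementation Summary) refers to; it is not the sample SCP shipped in Glean's Terraform package. The Glean account ID and the orchestration role ARN are placeholders supplied through variables, and the choice of actions and condition keys is an assumption: it denies the orchestration role the ability to create or configure a role unless the Application Role Boundary is attached, and denies removing that boundary afterwards.

```hcl
# Added example, not Glean's sample SCP. Variable values are placeholders.
variable "glean_account_id" {
  description = "Placeholder: the AWS account ID of the Glean deployment"
  type        = string
}

variable "glean_orchestration_role_arn" {
  description = "Placeholder: ARN of the IAM role that runs Glean's Terraform"
  type        = string
}

locals {
  app_boundary_arn = "arn:aws:iam::${var.glean_account_id}:policy/glean/perm-boundary/glean-ApplicationRolePermBoundary"
}

data "aws_iam_policy_document" "require_glean_boundary" {
  # Orchestration may only create/configure roles that carry the boundary.
  # Both condition blocks must match (they are ANDed) for the deny to apply.
  statement {
    sid    = "DenyRoleWriteWithoutGleanBoundary"
    effect = "Deny"
    actions = [
      "iam:CreateRole", "iam:PutRolePermissionsBoundary",
      "iam:AttachRolePolicy", "iam:PutRolePolicy",
    ]
    resources = ["*"]
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = [var.glean_orchestration_role_arn]
    }
    condition {
      test     = "StringNotEquals"
      variable = "iam:PermissionsBoundary"
      values   = [local.app_boundary_arn]
    }
  }

  # Orchestration may never strip a boundary from a role it manages.
  statement {
    sid       = "DenyBoundaryRemovalByOrchestration"
    effect    = "Deny"
    actions   = ["iam:DeleteRolePermissionsBoundary"]
    resources = ["*"]
    condition {
      test     = "ArnEquals"
      variable = "aws:PrincipalArn"
      values   = [var.glean_orchestration_role_arn]
    }
  }
}

# The SCP is created in the organization management account and attached
# to the Glean account; this Terraform therefore runs against that account.
resource "aws_organizations_policy" "require_glean_boundary" {
  name    = "glean-require-permission-boundary"
  type    = "SERVICE_CONTROL_POLICY"
  content = data.aws_iam_policy_document.require_glean_boundary.json
}

resource "aws_organizations_policy_attachment" "glean_account" {
  policy_id = aws_organizations_policy.require_glean_boundary.id
  target_id = var.glean_account_id
}
```

Unlike the permission boundaries, an SCP cannot be altered from inside the Glean account, which is why it is the right place to enforce that the boundary stays attached; it is a guardrail on top of the boundaries, not a replacement for them.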