Hello. I'm Miura (id:missasan), a member of Mackerel Team CRE.
We plan to conduct staged releases for Mackeral that will strengthen permission checks for AWS integration. Please see the noted details concerning points that we are asking users to address in conjunction with the releases.
This release is a change that enhances security, to enable use of Mackerel with greater peace of mind. Your cooperation is appreciated.
The release will be performed according to the following steps.
- 1. When using authentication by IAM role with AWS integration, setting restrictions on external IDs will be made mandatory.
- 2. When authentication by IAM role is used with AWS integration, permissions checking will be performed with greater frequency during acquisition of metrics.
1. When using authentication by IAM role with AWS integration, setting restrictions on external IDs will be made mandatory.
Until now, when using authentication by IAM role with AWS integration, setting restrictions on external IDs able to assume roles on the IAM role side was recommended. However, to enhance security, the setting of restrictions on external IDs will be required in a future release.
If external IDs are not restricted for IAM roles used for authentication, or if an ID differing from external IDs acquired on the Mackerel settings creation page is set, it will not be possible to perform registration or updating of AWS integration through the Web console or API execution.
Note that this change does not affect collection or posting of AWS integration metrics that have already been set. However, be aware that if restrictions on external IDs are not set, confused deputy problem may result.
In conjunction with this release, please perform the following.
- Following the release, the results of permission checks will be shown as invalid on the AWS integration settings screen for IAM roles for which external IDs have not been restricted. For these, perform settings to restrict external IDs.
For additional information on how to set up AWS integration using authentication by IAM role, see AWS Integration - Mackerel Help.
2. When authentication by IAM role is used with AWS integration, permissions checking will be performed with greater frequency during acquisition of metrics.
In an environment in which authentication by IAM role is used with AWS integration, a process is infrequently performed by which the granting of unnecessarily powerful permissions (change permissions, etc.) to IAM roles is checked during acquisition of metrics, and if such permissions are granted, collecting and posting metrics is not performed. Future releases will perform this with greater frequency for more appropriate performance of permission checks.
Note that metrics will not be collected and posted if IAM roles are found to have been given unnecessarily powerful permissions during regular permission checks.
Please note that after the release, logs of execution of relevant processes will be output to CloudTrail more frequently. See Help for details on what is output in logs.
In conjunction with this release, please perform the following.
- If IAM roles are granted unnecessarily powerful permissions, permission check results will be shown as invalid on the AWS integration settings screen. In this case, review and modify IAM role policies.
See AWS Integration - Mackerel Help for information on required permissions.
We apologize for any inconveniences associated with the changes to Mackerel. We appreciate your cooperation with our efforts to strengthen security.