From 0004bcec7719d00c908f1123ad5263fe3aea549f Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Sun, 23 May 2021 08:13:10 +0200
Subject: [PATCH] Only allow deletion of snapshots owned by the cluster

---
 pkg/model/iam/iam_builder.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 6d51160f9c..8a851debb3 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -344,7 +344,7 @@ func (r *NodeRoleMaster) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 	}
 
 	if b.Cluster.Spec.SnapshotController != nil && fi.BoolValue(b.Cluster.Spec.SnapshotController.Enabled) {
-		addSnapshotPersmissions(p)
+		addSnapshotPersmissions(p, b.Cluster.GetName())
 	}
 	return p, nil
 }
@@ -783,17 +783,29 @@ func AddAWSLoadbalancerControllerPermissions(p *Policy, resource stringorslice.S
 	)
 }
 
-func addSnapshotPersmissions(p *Policy) {
+func addSnapshotPersmissions(p *Policy, clusterName string) {
 	p.Statement = append(p.Statement, &Statement{
 		Effect: StatementEffectAllow,
 		Action: stringorslice.Of(
 			"ec2:CreateSnapshot",
-			"ec2:DeleteSnapshot",
 			"ec2:DescribeAvailabilityZones",
 			"ec2:DescribeSnapshots",
 		),
 		Resource: stringorslice.Slice([]string{"*"}),
 	})
+	p.Statement = append(p.Statement, &Statement{
+		Effect: StatementEffectAllow,
+		Action: stringorslice.Of(
+			"ec2:DeleteSnapshot",
+		),
+		Resource: stringorslice.Slice([]string{"*"}),
+		Condition: Condition{
+			"StringEquals": map[string]string{
+				"aws:ResourceTag/KubernetesCluster": clusterName,
+			},
+		},
+	})
+
 }
 
 // addLegacyDNSControllerPermissions adds legacy IAM permissions used by the node roles.
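Review bot: The new `ec2:DeleteSnapshot` statement only allows deleting snapshots that already carry `KubernetesCluster=<clusterName>`, but nothing in this hunk makes newly created snapshots carry that tag, so unless the snapshot controller or CSI driver applies it (presumably via extra-tags configuration, worth confirming) the cluster will create snapshots this role can never delete. The first statement also still grants `ec2:CreateSnapshot` on `*` with no condition, so the master role can snapshot any volume in the account, not only cluster-owned ones; a matching `aws:ResourceTag/KubernetesCluster` condition on the volume resource would close that, if the volumes are reliably tagged. Please document the intent above the second `p.Statement = append(...)`, e.g. `// DeleteSnapshot is restricted to snapshots tagged KubernetesCluster=<clusterName>; the snapshot controller must tag new snapshots or the cluster cannot delete them.`. As a style point, the trailing blank line before the closing brace looks like it should go, and since the signature line is already being rewritten this is a chance to rename `addSnapshotPersmissions` to `addSnapshotPermissions` (the call site in the first hunk would change with it).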