Open josefaidt opened 2 months ago
Environment information
n/a
Description
When bootstrapping an account and region with a custom permissions boundary, it would be nice if the boundary was applied to Amplify-created stacks and resources.
```bash
cdk bootstrap --custom-permissions-boundary <iam-policy-name>
```
As a workaround, we can apply this manually to resources in the backend:
```ts
import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { Aspects, CfnResource, Stack } from "aws-cdk-lib";
import { IConstruct } from "constructs";

/**
 * @see https://docs.amplify.aws/react/build-a-backend/ to add storage, functions, and more
 */
const backend = defineBackend({
  auth,
  data,
});

// Scope that contains the auth stack; the Aspect visits every construct beneath it
const rootScope = Stack.of(backend.auth.resources.userPool).node.scope;
if (rootScope) {
  Aspects.of(rootScope).add({
    visit(node: IConstruct) {
      // Only L1 IAM roles and users accept a PermissionsBoundary property
      if (
        CfnResource.isCfnResource(node) &&
        (node.cfnResourceType === 'AWS::IAM::Role' || node.cfnResourceType === 'AWS::IAM::User')
      ) {
        node.addPropertyOverride('PermissionsBoundary', 'arn:aws:iam::<REDACTED ACCOUNT ID>:policy/product-pb');
      }
    },
  });
}
```
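A check to pair with the workaround above, added here as an example (not code from the issue or from Amplify): it scans a synthesized CloudFormation template object for `AWS::IAM::Role` and `AWS::IAM::User` resources whose `PermissionsBoundary` is absent, differs from the expected ARN, or is an intrinsic that cannot be compared statically. The function name, the sample logical IDs and the account ID are assumptions made for illustration.

```typescript
type CfnResourceDef = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResourceDef> };
type BoundaryAudit = { missing: string[]; mismatched: string[]; unresolved: string[] };

// Same resource types the workaround's Aspect targets.
function isBoundedType(type: string): boolean {
  return type === 'AWS::IAM::Role' || type === 'AWS::IAM::User';
}

function auditPermissionsBoundary(template: CfnTemplate, expectedArn: string): BoundaryAudit {
  const audit: BoundaryAudit = { missing: [], mismatched: [], unresolved: [] };
  const resources = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const resource = resources[logicalId];
    if (!resource || !isBoundedType(resource.Type)) continue;
    const boundary = resource.Properties?.PermissionsBoundary;
    if (boundary === undefined || boundary === null) {
      audit.missing.push(logicalId);
    } else if (typeof boundary !== 'string') {
      // Intrinsic function (Fn::Sub, Fn::Join, Ref): needs review after deployment.
      audit.unresolved.push(logicalId);
    } else if (boundary !== expectedArn) {
      audit.mismatched.push(logicalId);
    }
  }
  return audit;
}

// Constructed sample template; logical IDs and the account ID are placeholders.
const EXPECTED = 'arn:aws:iam::111122223333:policy/product-pb';
const sampleTemplate: CfnTemplate = {
  Resources: {
    AuthRole: { Type: 'AWS::IAM::Role', Properties: { PermissionsBoundary: EXPECTED } },
    UnauthRole: { Type: 'AWS::IAM::Role', Properties: { AssumeRolePolicyDocument: {} } },
    ServiceUser: { Type: 'AWS::IAM::User', Properties: { PermissionsBoundary: 'arn:aws:iam::111122223333:policy/other' } },
    LambdaRole: { Type: 'AWS::IAM::Role', Properties: { PermissionsBoundary: { 'Fn::Sub': 'arn:aws:iam::${AWS::AccountId}:policy/product-pb' } } },
    UserPool: { Type: 'AWS::Cognito::UserPool' },
  },
};

// Any non-empty list is a role or user to fix before deploying.
console.log(JSON.stringify(auditPermissionsBoundary(sampleTemplate, EXPECTED)));
```

Run it against each template in the synthesized output, nested stacks included, since the Aspect only reaches constructs under the scope it was attached to.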
Marking as feature request for further evaluation.