aws-cloudformation / cloudformation-cli

The CloudFormation Provider Development Toolkit allows you to author your own resource providers and modules that can be used by CloudFormation.
Apache License 2.0

Adding headers in STS Calls for Confused Deputy #934

Closed himanshs23 closed 1 year ago

himanshs23 commented 1 year ago

Description of changes:

  1. Adding Headers in STS Calls for Confused Deputy Protection.
  2. Test cases added
  3. Will add more unit tests after the integration test

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

kddejong commented 1 year ago

Adding documentation links for this:

- https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry.html#cross-service-confused-deputy-prevention
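The documentation linked above describes the defender-side half of this change: the execution role that CloudFormation assumes for a resource type should only trust the `resources.cloudformation.amazonaws.com` service principal when the call carries the expected `aws:SourceAccount` and `aws:SourceArn` values. The following is an added example (it is not part of cloudformation-cli or this PR) that audits an IAM role trust policy for exactly that guard; the account id and the `arn:aws:cloudformation:...:type/resource/*` pattern are constructed placeholders, and the `audit_trust_policy` helper is hypothetical, written here for illustration.

```python
"""Audit an IAM role trust policy for the cross-service confused-deputy guard
described in the AWS docs: a service principal allowed to sts:AssumeRole should
be scoped with the aws:SourceAccount and aws:SourceArn global condition keys.

Added example, not part of cloudformation-cli. Account id and ARN are constructed.
"""
import json

# Condition operators that can pin the calling account / resource ARN.
ACCOUNT_OPERATORS = {"StringEquals", "StringEqualsIfExists"}
ARN_OPERATORS = {"ArnLike", "ArnEquals", "StringLike", "StringEquals",
                 "ArnLikeIfExists", "ArnEqualsIfExists"}

# Constructed sample: a trust policy with no confused-deputy conditions.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "resources.cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Constructed sample: the same trust, scoped to one account and one ARN pattern.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "resources.cloudformation.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "123456789012"},
            "StringLike": {
                "aws:SourceArn": "arn:aws:cloudformation:us-east-1:123456789012:type/resource/*"
            },
        },
    }],
}


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _service_principals(statement):
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("Service", []))
    return []  # "*" or an AWS-account principal: not a service principal


def _condition_values(condition, operators, key):
    """Collect the values bound to `key` under any of `operators` (key is case-insensitive)."""
    found = []
    for op, kv in condition.items():
        if op in operators:
            for k, v in kv.items():
                if k.lower() == key.lower():
                    found.extend(_as_list(v))
    return found


def audit_trust_policy(policy, expected_account):
    """Return a list of findings; an empty list means every service AssumeRole
    statement is pinned to expected_account and a non-wildcard source ARN."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        services = _service_principals(stmt)
        if not services:
            continue  # only service principals can be used as a confused deputy
        cond = stmt.get("Condition", {})
        accounts = _condition_values(cond, ACCOUNT_OPERATORS, "aws:SourceAccount")
        arns = _condition_values(cond, ARN_OPERATORS, "aws:SourceArn")
        label = f"statement {idx} ({', '.join(services)})"
        if not accounts:
            findings.append(f"{label}: no aws:SourceAccount condition")
        elif any(a != expected_account for a in accounts):
            findings.append(f"{label}: aws:SourceAccount allows {accounts}, expected {expected_account}")
        if not arns:
            findings.append(f"{label}: no aws:SourceArn condition")
        elif any(a.strip() == "*" for a in arns):
            findings.append(f"{label}: aws:SourceArn is a bare wildcard")
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)):
        print(name, json.dumps(audit_trust_policy(policy, "123456789012"), indent=2))
```

The check deliberately ignores statements whose principal is an AWS account or user, since the confused-deputy problem is specific to a service principal acting on behalf of many customers; it also treats a bare `*` in `aws:SourceArn` as a finding because that condition then constrains nothing. The same audit can be pointed at the trust policy returned by `iam:GetRole` for a real execution role.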

ericzbeard commented 1 year ago

@himanshs23 Please add a detailed description to the PR documenting why we need the change, what effect it has on the CLI, what changes users need to make, etc. We need to understand the specific threat that is being mitigated, and how it changes the configuration and behavior of resource handlers.

ericzbeard commented 1 year ago

Closing for now while we re-evaluate this fix.