Open rix0rrr opened 2 years ago
Hi @rix0rrr, I would like to work on this issue, but could you give some examples of execution outputs with ResponseURL? I looked through my StepFunctions executions and cannot find ResponseURL anywhere. Maybe I am looking in the wrong place. For example, this is the typical output of one of the steps (I truncated the payload):
```json
{
  "ExecutedVersion": "$LATEST",
  "Payload": {
    ...
  },
  "SdkHttpMetadata": {
    "AllHttpHeaders": {
      "X-Amz-Executed-Version": ["$LATEST"],
      "x-amzn-Remapped-Content-Length": ["0"],
      "Connection": ["keep-alive"],
      "x-amzn-RequestId": ["d65b9a69-6e74-44c5-afae-fd55785c8815"],
      "Content-Length": ["79337"],
      "Date": ["Mon, 27 Jun 2022 04:28:59 GMT"],
      "X-Amzn-Trace-Id": ["root=1-62b93204-6892d9f421e0569a2d807036;sampled=0"],
      "Content-Type": ["application/json"]
    },
    "HttpHeaders": {
      "Connection": "keep-alive",
      "Content-Length": "79337",
      "Content-Type": "application/json",
      "Date": "Mon, 27 Jun 2022 04:28:59 GMT",
      "X-Amz-Executed-Version": "$LATEST",
      "x-amzn-Remapped-Content-Length": "0",
      "x-amzn-RequestId": "d65b9a69-6e74-44c5-afae-fd55785c8815",
      "X-Amzn-Trace-Id": "root=1-62b93204-6892d9f421e0569a2d807036;sampled=0"
    },
    "HttpStatusCode": 200
  },
  "SdkResponseMetadata": {
    "RequestId": "d65b9a69-6e74-44c5-afae-fd55785c8815"
  },
  "StatusCode": 200
}
```
Or perhaps you mean the following link?
Describe the bug

The ResponseURL is visible in the execution state of the StepFunctions state machine, and could be used by an attacker who is able to list the executions to falsify the custom resource result. Security has deemed this a medium priority security issue that needs attention.

Solution

Write the ResponseURL to SSM Parameter Store as a SecretStringValue instead of keeping it in the state.

Niggly details

arn:aws:ssm:us-east-2:123456789012:parameter/cdk/custom-resource-provider/${aws:userid}/*

(though this.node.addr instead might be good enough as well)

While we're at it, might as well get rid of passing ResponseURL to user handlers based on a feature flag.

Expected Behavior
See above.
Current Behavior
See above.
Reproduction Steps
See above.
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
-
Framework Version
No response
Node.js Version
-
OS
-
Language
Typescript, Python, .NET, Java, Go
Language Version
No response
Other information
No response
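The fix the issue sketches, shown end to end as an added example. This is illustration code written for this page, not the aws-cdk provider framework's own implementation. It assumes an in-memory stand-in for the boto3 SSM client (`FakeSsm`), a constructed CloudFormation custom-resource event (`SAMPLE_EVENT`), and a `provider_id` placeholder for the per-provider path segment the issue debates (`${aws:userid}` in the IAM ARN, or `this.node.addr`). The "before" handler puts the whole event, ResponseURL included, into the execution state; the "after" handler parks the URL in Parameter Store as a SecureString and passes only the parameter name, and a small checker scans an execution-state blob for a presigned URL the way a reviewer would when triaging this bug.

```python
"""Added example, not aws-cdk code: keep the CloudFormation ResponseURL out of
Step Functions execution state by parking it in SSM Parameter Store as a
SecureString and passing only the parameter name through the state machine.
"""
import json
import re
from typing import Dict

# Parameter namespace taken from the ARN in the issue; the segment after it
# (provider_id below) stands in for ${aws:userid} or this.node.addr.
PARAM_PREFIX = "/cdk/custom-resource-provider"

# Any SigV4 presigned URL carries X-Amz-Signature; the CloudFormation ResponseURL is one.
_PRESIGNED_RE = re.compile(r"https://[^\s\"']+X-Amz-Signature=")

# Constructed sample event in the shape CloudFormation sends to a custom resource.
SAMPLE_EVENT = {
    "RequestType": "Create",
    "RequestId": "8b7c1a2e-0000-4000-8000-000000000001",
    "StackId": "arn:aws:cloudformation:us-east-2:123456789012:stack/demo/00000000-0000-0000-0000-000000000000",
    "LogicalResourceId": "MyResource",
    "ResourceProperties": {"Foo": "bar"},
    "ResponseURL": (
        "https://cloudformation-custom-resource-response-useast2.s3.us-east-2.amazonaws.com"
        "/arn%3Aaws%3Acloudformation%3Aus-east-2%3A123456789012%3Astack%2Fdemo"
        "?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=7200&X-Amz-Signature=deadbeef"
    ),
}


class FakeSsm:
    """In-memory stand-in for the boto3 SSM client (constructed for this example;
    same keyword arguments as put_parameter / get_parameter / delete_parameter)."""

    def __init__(self) -> None:
        self.store: Dict[str, Dict[str, str]] = {}

    def put_parameter(self, *, Name: str, Value: str, Type: str, Overwrite: bool = False):
        if Name in self.store and not Overwrite:
            raise ValueError("ParameterAlreadyExists")
        self.store[Name] = {"Name": Name, "Value": Value, "Type": Type}
        return {"Version": 1}

    def get_parameter(self, *, Name: str, WithDecryption: bool = False):
        # The real API returns ciphertext for a SecureString unless WithDecryption=True.
        return {"Parameter": dict(self.store[Name])}

    def delete_parameter(self, *, Name: str):
        del self.store[Name]
        return {}


def on_event_unsafe(event: dict) -> dict:
    """Before: the whole event, ResponseURL included, becomes the execution input,
    readable by anyone allowed states:DescribeExecution or states:GetExecutionHistory.
    Whoever holds the URL can PUT a forged SUCCESS/FAILED result to CloudFormation."""
    return dict(event)


def on_event_hardened(event: dict, ssm, provider_id: str) -> dict:
    """After: write the URL as a SecureString and hand the state machine only
    the parameter name, so the execution state carries nothing an attacker can use."""
    name = f"{PARAM_PREFIX}/{provider_id}/{event['RequestId']}"
    ssm.put_parameter(Name=name, Value=event["ResponseURL"], Type="SecureString")
    state = {k: v for k, v in event.items() if k != "ResponseURL"}
    state["ResponseURLParameter"] = name
    return state


def finish_hardened(state: dict, ssm, provider_id: str) -> str:
    """Final step: resolve the URL, refusing names outside this provider's path
    (defence in depth beside the IAM scoping), then delete it so it is single-use."""
    name = state["ResponseURLParameter"]
    if not name.startswith(f"{PARAM_PREFIX}/{provider_id}/"):
        raise PermissionError(f"{name} is outside this provider's parameter path")
    url = ssm.get_parameter(Name=name, WithDecryption=True)["Parameter"]["Value"]
    ssm.delete_parameter(Name=name)
    return url


def state_leaks_response_url(state: dict) -> bool:
    """Scan an execution-state blob, as DescribeExecution would show it, for a presigned URL."""
    return _PRESIGNED_RE.search(json.dumps(state)) is not None


def scoped_parameter_policy(region: str, account: str) -> dict:
    """IAM statement for the handler role using the ARN pattern from the issue:
    ${aws:userid} is an IAM policy variable resolved per caller, so each
    provider can only touch parameters under its own path."""
    return {
        "Effect": "Allow",
        "Action": ["ssm:PutParameter", "ssm:GetParameter", "ssm:DeleteParameter"],
        "Resource": f"arn:aws:ssm:{region}:{account}:parameter{PARAM_PREFIX}/${{aws:userid}}/*",
    }


if __name__ == "__main__":
    ssm = FakeSsm()
    print("unsafe state leaks URL:", state_leaks_response_url(on_event_unsafe(SAMPLE_EVENT)))
    state = on_event_hardened(SAMPLE_EVENT, ssm, "provider-abc")
    print("hardened state leaks URL:", state_leaks_response_url(state))
    print("state machine sees only:", state["ResponseURLParameter"])
    print("handler resolved URL starting:", finish_hardened(state, ssm, "provider-abc")[:48])
    print(json.dumps(scoped_parameter_policy("us-east-2", "123456789012"), indent=2))
```

One caveat worth keeping in mind with the `${aws:userid}` variant: for a Lambda execution role the variable resolves to the role's unique ID plus the session name, so the handler that writes the parameter must build the same path the policy will resolve, which is part of why the issue floats `this.node.addr` as the simpler alternative.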