Open mainframenzo opened 1 year ago
I am in desperate need of this. Currently, when enabling logRetention in Lambda CFN constructs, a default policy is created for the role (even if you provide one with the logRetentionRole parameter) with the following:

```json
"PolicyDocument": {
  "Statement": [
    {
      "Action": [
        "logs:DeleteRetentionPolicy",
        "logs:PutRetentionPolicy"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```

This is breaking the cdk-nag rule set on my project. There is no way I can add a suppression to that policy without having that field public.
Describe the feature
I am trying to modify the defaultPolicy in the IAM.Role construct. The default policy is a great feature - I don't have to worry too much about base permissions when instantiating constructs that manage them, etc. However, I should be able to modify any CloudFormation that gets created by the CDK easily, and I can't seem to with defaultPolicy being private. Please make this public!
Use Case
As one use-case, I'm trying to add Cfn metadata (not CDK Cfn metadata) because I want to use cfn_nag and not CDK nag to remediate some issues in a CICD scanning step (note that below is not possible today):
For this particular use-case, I assign some additional permissions to a CodeBuild project, then try to cfn_nag remediate the role of the CodeBuild project permissions:
The CloudFormation template has my new permissions under the defaultPolicy, but my metadata shows up under a referenced role, which cfn_nag doesn't seem to care for as remediating, which is just one reason I want access to the defaultPolicy:
Proposed Solution
Just make the private defaultPolicy field public. It's my template, darn it! :)
Other Information
Open to other workarounds.
Acknowledgements
CDK version used
2.89.0
Environment details (OS name and version, etc.)
All
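The issue's core complaint is that the wildcard `Resource: "*"` statement lands in a separate `AWS::IAM::Policy` resource (the role's DefaultPolicy), while the cfn_nag suppression metadata ends up on the referenced `AWS::IAM::Role`, so the scanner never matches them up. The following is an added illustration, not code from the issue author or from the aws-cdk or cfn_nag projects: a small stdlib-only scanner over a synthesized template that flags IAM policy documents granting on `*` and honours `Metadata.cfn_nag.rules_to_suppress` only on the resource that actually carries the finding, which is how cfn_nag scopes suppressions. It then shows the workaround of attaching the suppression to the policy resource itself once you can reach it in the synthesized output. The template, logical IDs and reason strings are constructed for the example, and the rule id W12 is assumed to be cfn_nag's "IAM policy should not allow * resource" rule.

```python
"""Mini cfn_nag-style check: wildcard IAM resources vs. per-resource suppressions.

Constructed example; not cfn_nag itself and not part of the aws-cdk project.
"""
import copy
import json

# Assumed cfn_nag rule id for "IAM policy should not allow * resource".
RULE_ID = "W12"

# Constructed sample of a synthesized CDK template: the suppression sits on the
# role (as the issue describes), while the wildcard statement from the issue
# lives in a separate DefaultPolicy resource that references the role.
SAMPLE_TEMPLATE = {
    "Resources": {
        "LogRetentionRole": {
            "Type": "AWS::IAM::Role",
            "Metadata": {
                "cfn_nag": {
                    "rules_to_suppress": [
                        {"id": "W12", "reason": "retention calls need * (constructed)"}
                    ]
                }
            },
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {
                            "Effect": "Allow",
                            "Principal": {"Service": "lambda.amazonaws.com"},
                            "Action": "sts:AssumeRole",
                        }
                    ],
                }
            },
        },
        "LogRetentionRoleDefaultPolicy": {
            "Type": "AWS::IAM::Policy",
            "Properties": {
                "PolicyDocument": {
                    "Statement": [
                        {
                            "Action": ["logs:DeleteRetentionPolicy", "logs:PutRetentionPolicy"],
                            "Effect": "Allow",
                            "Resource": "*",
                        }
                    ],
                    "Version": "2012-10-17",
                },
                "PolicyName": "LogRetentionRoleDefaultPolicy",
                "Roles": [{"Ref": "LogRetentionRole"}],
            },
        },
    }
}


def _as_list(value):
    """IAM accepts a single string/object or a list in most places; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_wildcard_resource(policy_document):
    """True if any Allow statement in the document grants on Resource '*'."""
    for stmt in _as_list(policy_document.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if any(res == "*" for res in _as_list(stmt.get("Resource"))):
            return True
    return False


def policy_documents(resource):
    """Yield every policy document a single CloudFormation IAM resource carries."""
    props = resource.get("Properties", {})
    rtype = resource.get("Type")
    if rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        yield props.get("PolicyDocument", {})
    elif rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
        for inline in _as_list(props.get("Policies")):  # inline policies only
            yield inline.get("PolicyDocument", {})


def suppressed_rules(resource):
    """Rule ids listed under this resource's own Metadata.cfn_nag.rules_to_suppress."""
    rules = resource.get("Metadata", {}).get("cfn_nag", {}).get("rules_to_suppress", [])
    return {rule.get("id") for rule in rules}


def scan_template(template, rule_id=RULE_ID):
    """One finding per resource whose policy documents grant on '*'.

    A finding counts as suppressed only if the suppression is on that same
    resource; metadata on a role it references does not carry over.
    """
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if any(has_wildcard_resource(doc) for doc in policy_documents(resource)):
            findings.append({
                "logical_id": logical_id,
                "rule": rule_id,
                "suppressed": rule_id in suppressed_rules(resource),
            })
    return findings


def attach_suppression(template, logical_id, rule_id, reason):
    """Return a copy of the template with a cfn_nag suppression on the named resource."""
    fixed = copy.deepcopy(template)
    nag_meta = fixed["Resources"][logical_id].setdefault("Metadata", {}).setdefault("cfn_nag", {})
    nag_meta.setdefault("rules_to_suppress", []).append({"id": rule_id, "reason": reason})
    return fixed


if __name__ == "__main__":
    print(json.dumps(scan_template(SAMPLE_TEMPLATE), indent=2))
    fixed = attach_suppression(SAMPLE_TEMPLATE, "LogRetentionRoleDefaultPolicy",
                               RULE_ID, "retention policy must target log groups created at runtime")
    print(json.dumps(scan_template(fixed), indent=2))
```

Running it against the constructed template reports the DefaultPolicy resource as unsuppressed despite the metadata on the role, which is the mismatch the issue describes; after `attach_suppression` targets the policy's own logical ID, the same finding reads as suppressed. The scanner also covers inline `Policies` on roles, users and groups and `AWS::IAM::ManagedPolicy`, so it generalises beyond the single DefaultPolicy case in the issue.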