aws / aws-cdk

The AWS Cloud Development Kit is a framework for defining cloud infrastructure in code
https://aws.amazon.com/cdk
Apache License 2.0

CDK Bootstrap: PermissionBoundary not applied to all roles #28453

Open dverdonschot opened 9 months ago

dverdonschot commented 9 months ago

Describe the feature

PermissionBoundary is only applied to the CloudFormation Execution Role when bootstrapping with the option --custom-permissions-boundary

cdk bootstrap --custom-permissions-boundary PermissionBoundary

The following roles currently do not get the PermissionBoundary when the Bootstrap is done with the command above:

DeploymentActionRole
FilePublishingRole
ImagePublishingRole
LookupRole

Use Case

The organisation I work for has a PermissionBoundary that enforces all roles to also be created with the PermissionBoundary.

        {
            "Sid": "RestrictRoleCreation",
            "Effect": "Deny",
            "Action": [
                "iam:CreateRole",
                "iam:UpdateRole",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::*:policy/PermissionBoundary"
                    ]
                }
            }
        },

Currently we have to bootstrap CDK using a custom bootstrap-template.yaml that applies the PermissionBoundary on all other roles. But sometimes this causes issues if someone later on runs cdk bootstrap without the template, and resources are updated without PermissionBoundary again...

Proposed Solution

Add below code to all roles created by bootstrap-template.yaml

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

I can make a PR for this if needed.

Other Information

Currently bootstrap-template.yaml only applies the below code for attaching the PermissionBoundary on CloudFormationExecutionRole:

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

Acknowledgements

CDK version used

v2.114.0

Environment details (OS name and version, etc.)

Ubuntu

tim-finnigan commented 9 months ago

Thanks for reaching out. It looks like this is a duplicate of https://github.com/aws/aws-cdk/issues/12207. Can you confirm or highlight any differences between these issues?

github-actions[bot] commented 9 months ago

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

dverdonschot commented 9 months ago

Sorry for responding this late, should have opened this issue after the holidays.

In the mentioned issue #12207 it shows that you can set the permissionBoundary with --custom-permissions-boundary only for the execution role. You can also use the cdk.json option to apply the permissionBoundary to all stacks in all resources.

But the problem is that cdk bootstrap is not performed from the stack with cdk.json, but from the cdk bootstrap command. CDK Bootstrap will still create the other roles, like the lookup role, without the permissionBoundary.

In the company that I work for, there is a PermissionBoundary that has a policy to only allow IAM Role creation if that role also uses the PermissionBoundary.

We can solve it currently by using a custom bootstrap-template.yml with the permissionBoundary added to the other roles.

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

But then we always need to use that template to bootstrap CDK.

Sometimes the existing CDK bootstrap gets broken or overwritten by a user, and then the user gets stuck creating a new bootstrap when they don't have the template, because the permissionBoundary is not applied to the other roles.

If we can just get the PermissionsBoundary code snippet applied to all roles by default, then we can bootstrap with 1 command and have the permissionBoundary attached to every role.
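The two mechanisms at play in this issue, as an added example that is not code from the aws-cdk project or from the issue author: first, an evaluation of the "RestrictRoleCreation" Deny statement quoted above against a CreateRole request, which shows why a bootstrap role created without the boundary is rejected (for negated operators such as StringNotLike, a missing condition key makes the condition match); second, a lint over a CloudFormation template, given as a dict in JSON form, that lists every AWS::IAM::Role lacking the conditional PermissionsBoundary block, so a custom bootstrap template can be verified before `cdk bootstrap` is run. The template below is constructed to stand in for the stock bootstrap template; the role names and the policy name "PermissionBoundary" come from the issue text, and `patched_template` applies the proposal from the issue to every role.

```python
"""Added example: evaluate the boundary's Deny statement and lint a bootstrap template."""
import copy
import re
from typing import List, Optional

# The Deny statement quoted in the issue (one statement of the permissions boundary policy).
RESTRICT_ROLE_CREATION = {
    "Sid": "RestrictRoleCreation",
    "Effect": "Deny",
    "Action": ["iam:CreateRole", "iam:UpdateRole", "iam:PutRolePermissionsBoundary"],
    "Resource": "*",
    "Condition": {
        "StringNotLike": {
            "iam:PermissionsBoundary": ["arn:aws:iam::*:policy/PermissionBoundary"]
        }
    },
}

# The conditional property proposed in the issue, in JSON form of the YAML snippet.
BOUNDARY_PROPERTY = {
    "Fn::If": [
        "PermissionsBoundarySet",
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}"},
        {"Ref": "AWS::NoValue"},
    ]
}


def _iam_wildcard_match(pattern: str, value: str) -> bool:
    """IAM StringLike matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def request_denied(statement: dict, action: str, boundary_arn: Optional[str]) -> bool:
    """Evaluate one Deny statement carrying a StringNotLike condition on iam:PermissionsBoundary.

    A request with no PermissionsBoundary at all has the condition key absent; for a
    negated operator that counts as a match, so the Deny applies. A request whose
    boundary ARN matches none of the listed patterns is also denied.
    """
    if statement["Effect"] != "Deny" or action not in statement["Action"]:
        return False
    patterns = statement["Condition"]["StringNotLike"]["iam:PermissionsBoundary"]
    if boundary_arn is None:
        return True
    return not any(_iam_wildcard_match(p, boundary_arn) for p in patterns)


def _has_conditional_boundary(role_props: dict) -> bool:
    """True if the role carries the Fn::If PermissionsBoundary block shown in the issue."""
    pb = role_props.get("PermissionsBoundary")
    if not isinstance(pb, dict) or "Fn::If" not in pb or len(pb["Fn::If"]) != 3:
        return False
    cond, when_set, when_unset = pb["Fn::If"]
    return (cond == "PermissionsBoundarySet" and isinstance(when_set, dict)
            and "Fn::Sub" in when_set and when_unset == {"Ref": "AWS::NoValue"})


def roles_missing_boundary(template: dict) -> List[str]:
    """Names of every AWS::IAM::Role in the template without the conditional boundary."""
    return sorted(
        name for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
        and not _has_conditional_boundary(res.get("Properties", {}))
    )


def patched_template(template: dict) -> dict:
    """Copy of the template with the conditional boundary on every role (the issue's proposal)."""
    out = copy.deepcopy(template)
    for res in out.get("Resources", {}).values():
        if res.get("Type") == "AWS::IAM::Role":
            res.setdefault("Properties", {})["PermissionsBoundary"] = BOUNDARY_PROPERTY
    return out


def _role(with_boundary: bool) -> dict:
    props = {"AssumeRolePolicyDocument": {"Version": "2012-10-17", "Statement": []}}
    if with_boundary:
        props["PermissionsBoundary"] = BOUNDARY_PROPERTY
    return {"Type": "AWS::IAM::Role", "Properties": props}


# Constructed stand-in for the stock bootstrap template: only the execution role has the boundary.
STOCK_LIKE_TEMPLATE = {
    "Resources": {
        "CloudFormationExecutionRole": _role(True),
        "DeploymentActionRole": _role(False),
        "FilePublishingRole": _role(False),
        "ImagePublishingRole": _role(False),
        "LookupRole": _role(False),
        "StagingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}

if __name__ == "__main__":
    print("CreateRole without boundary denied:",
          request_denied(RESTRICT_ROLE_CREATION, "iam:CreateRole", None))
    print("roles missing boundary:", roles_missing_boundary(STOCK_LIKE_TEMPLATE))
    print("after patch:", roles_missing_boundary(patched_template(STOCK_LIKE_TEMPLATE)))
```

Running `roles_missing_boundary` over a real bootstrap template (after converting the YAML to a dict) gives the same kind of pre-flight check the issue asks for: it names exactly the roles that the boundary's Deny statement would block at deploy time, before anyone runs `cdk bootstrap` without the custom template.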

mrh-chain commented 8 months ago

@tim-finnigan would it be possible to get this re-opened? I just ran into this exact issue ;)

kswanny commented 7 months ago

+1 same issue