cdklabs / cdk-ecr-deployment

A CDK construct to deploy docker image to Amazon ECR
Apache License 2.0

ECR deployment role contains wildcard permissions #494

Open kukushking opened 9 months ago

kukushking commented 9 months ago

The ECRDeployment construct always adds a default policy (below) that contains wildcard permissions to the ECR deployment role, even if a custom role is passed to the construct. This unfortunately fails CDK-nag security checks and requires suppression rules.

I would like to be able to implement least-privilege IAM policies, i.e., limit IAM actions to the specific repo/S3 bucket ARN.

If a custom role is passed, I expect the default behavior to be that no additional policies are added to the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:GetObject",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

ndrpp commented 2 months ago

Can't this be solved by putting a .withoutPolicyUpdates() after the role? Example:

const ecrDeploy = new ecrdeploy.ECRDeployment(this, deploymentName, {
  src,
  dest,
  // withoutPolicyUpdates() returns an IRole that ignores policy additions,
  // so the construct's default statements are not attached to myRole
  role: myRole.withoutPolicyUpdates(),
});
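A least-privilege alternative to the wildcard policy quoted above, as an added example that is not part of the cdk-ecr-deployment project: it builds the same grants scoped to whatever repository and bucket ARNs you pass in (the JSON can be handed to iam.PolicyDocument.fromJson and attached to the custom role before withoutPolicyUpdates()), plus a small check that reports which actions a policy still grants on "*", the way a CDK-nag style rule would. The function names and the ARNs in the comments are assumptions, not project code.

```typescript
// Added example, not the cdk-ecr-deployment project's own code: least-privilege
// ECR deployment policy builder plus a wildcard-resource check.
type Effect = "Allow" | "Deny";
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: "2012-10-17"; Statement: Statement[]; }

// Every ECR action in the default policy except GetAuthorizationToken accepts a
// repository ARN as its resource, so all of these can be narrowed.
const ECR_REPO_ACTIONS = [
  "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy",
  "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage",
  "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings", "ecr:InitiateLayerUpload",
  "ecr:UploadLayerPart", "ecr:CompleteLayerUpload", "ecr:PutImage",
];
// ecr:GetAuthorizationToken has no resource-level permissions and must stay on "*";
// it is the one statement a wildcard check should knowingly tolerate.
const WILDCARD_ONLY_ACTIONS = ["ecr:GetAuthorizationToken"];

// repoArns: source and/or destination ECR repositories the deployment touches.
// bucketArn/objectPrefix: only needed when the source image is a tarball in S3.
export function leastPrivilegeEcrDeployPolicy(repoArns: string[], bucketArn?: string, objectPrefix = "*"): PolicyDocument {
  const statements: Statement[] = [
    { Effect: "Allow", Action: "ecr:GetAuthorizationToken", Resource: "*" },
    { Effect: "Allow", Action: ECR_REPO_ACTIONS, Resource: repoArns },
  ];
  if (bucketArn) {
    statements.push({ Effect: "Allow", Action: "s3:GetObject", Resource: `${bucketArn}/${objectPrefix}` });
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Returns the Allow actions granted on a "*" resource, ignoring actions that cannot be
// scoped. An empty result means the document passes a wildcard-resource check.
export function wildcardResourceActions(doc: PolicyDocument): string[] {
  const flagged: string[] = [];
  for (const s of doc.Statement) {
    const resources = Array.isArray(s.Resource) ? s.Resource : [s.Resource];
    if (s.Effect !== "Allow" || resources.indexOf("*") === -1) continue;
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    flagged.push(...actions.filter((a) => WILDCARD_ONLY_ACTIONS.indexOf(a) === -1));
  }
  return flagged;
}

// The default policy from the issue, reconstructed inline for comparison.
export const DEFAULT_POLICY: PolicyDocument = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Action: ["ecr:GetAuthorizationToken", ...ECR_REPO_ACTIONS], Resource: "*" },
  { Effect: "Allow", Action: "s3:GetObject", Resource: "*" },
] };
```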