Open sandeephs1 opened 2 months ago
Hi @sandeephs1, thanks for the issue. This is a good feature that would harden security. The roles you were not able to find in the stack are CDK auto-created roles that are not explicitly declared in the stack. We could go to each of the CDK constructs to check the parameters, but I think an easier way of implementing permission boundaries is to apply them to all roles (including the weird CDK-created ones). We could use something like what is explained in the CDK docs.
Let us know if that helps; we can always look at other alternatives. @SofiaSazonova
When creating an environment, the stack fails with the below error:
After analysis it was found that the below command was used to bootstrap the account:
Due to company security policy the boundary must be applied to any IAM role created.
And since we are not applying the mentioned boundary to the above 3 roles, the "no permissions boundary allows the iam:CreateRole action" error message will show up if the action is blocked by a policy (and creating a boundary-less IAM role is).
So now the fix was to add the permission boundary to the 3 roles created when creating an environment, but we did not find any creation reference for the roles:
How can we add a permission boundary to the above 3 roles, and generically to any IAM role created in data.all?
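Added example, not data.all's or the CDK's own code, covering both the question above and the maintainer's suggestion of applying the boundary to every role. In CDK (Python) the CDK docs' approach is a single call at stack scope, `aws_cdk.aws_iam.PermissionsBoundary.of(stack).apply(boundary_policy)`, which is implemented as an Aspect and therefore also reaches roles that constructs create implicitly. The script below is the check a practitioner wants after that change: it audits the synthesized template in `cdk.out` (where the auto-created roles do appear, even though they have no line in the stack source), flags any `AWS::IAM::Role` missing the boundary or carrying a different one, and can patch the template as a fallback. The boundary ARN, the logical IDs and the sample template are constructed for the example and are not taken from data.all.

```python
"""Audit and patch a synthesized CloudFormation template so every
AWS::IAM::Role carries the required permissions boundary.

Added example; not data.all or AWS CDK code. It runs on the JSON that
`cdk synth` writes to cdk.out/<Stack>.template.json, so it also covers roles
CDK creates implicitly (log retention, custom-resource providers, ...) that
never appear in the stack source.
"""
import copy
import json
import sys
from typing import Any, Dict, Iterator, List, Tuple

ROLE_TYPE = "AWS::IAM::Role"

# Assumed boundary policy ARN (hypothetical); use the one given at bootstrap.
REQUIRED_BOUNDARY = "arn:aws:iam::123456789012:policy/CompanyPermissionsBoundary"

# Constructed sample template (not from data.all): a compliant explicit role,
# a CDK-style auto-created role without a boundary, a role with the wrong
# boundary, and a non-role resource that must be ignored.
SAMPLE_TEMPLATE: Dict[str, Any] = {
    "Resources": {
        "EnvironmentRole": {
            "Type": ROLE_TYPE,
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": []},
                "PermissionsBoundary": REQUIRED_BOUNDARY,
            },
        },
        "LogRetentionServiceRole": {
            "Type": ROLE_TYPE,
            "Properties": {"AssumeRolePolicyDocument": {"Statement": []}},
        },
        "CustomResourceProviderRole": {
            "Type": ROLE_TYPE,
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": []},
                "PermissionsBoundary": "arn:aws:iam::123456789012:policy/SomeOtherPolicy",
            },
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def iter_roles(template: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (logical_id, resource) for every IAM role in the template."""
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") == ROLE_TYPE:
            yield logical_id, resource


def audit_boundaries(template: Dict[str, Any], required_arn: str) -> Dict[str, List[str]]:
    """Classify each role as ok / missing / mismatch / unresolved.

    'unresolved' holds roles whose boundary is an intrinsic function
    (Fn::Sub, Ref, ...) that cannot be compared offline; review those by hand.
    """
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "mismatch": [], "unresolved": []}
    for logical_id, role in iter_roles(template):
        boundary = role.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            report["missing"].append(logical_id)
        elif not isinstance(boundary, str):
            report["unresolved"].append(logical_id)
        elif boundary == required_arn:
            report["ok"].append(logical_id)
        else:
            report["mismatch"].append(logical_id)
    return report


def apply_boundary(template: Dict[str, Any], required_arn: str,
                   overwrite: bool = False) -> Tuple[Dict[str, Any], List[str]]:
    """Return (patched_copy, changed_ids): set the boundary on every role that
    lacks one; with overwrite=True also replace boundaries that differ."""
    patched = copy.deepcopy(template)
    changed: List[str] = []
    for logical_id, role in iter_roles(patched):
        props = role.setdefault("Properties", {})
        current = props.get("PermissionsBoundary")
        if current == required_arn:
            continue
        if current is None or overwrite:
            props["PermissionsBoundary"] = required_arn
            changed.append(logical_id)
    return patched, changed


def main(argv: List[str]) -> int:
    """Usage: python check_boundaries.py [cdk.out/MyStack.template.json]"""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            template = json.load(fh)
    else:
        template = SAMPLE_TEMPLATE
    report = audit_boundaries(template, REQUIRED_BOUNDARY)
    print(json.dumps(report, indent=2))
    # Non-zero exit makes this usable as a CI gate before `cdk deploy`.
    return 1 if report["missing"] or report["mismatch"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each `*.template.json` in `cdk.out` after `cdk synth`; any logical ID under `missing` is a role that will hit the `iam:CreateRole` denial at deploy time. Prefer fixing the source (the `PermissionsBoundary.of(...).apply(...)` call) over the patching path, since a patched template is overwritten by the next synth.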