Closed devopserio closed 3 months ago
antonbabenko
commented
3 months ago Just for the reference, there was a related comment in the past - https://github.com/terraform-aws-modules/terraform-aws-iam/commit/cc446936d2d3bfd04daa17ef81ae11fbe8c68bc7#r113925291
antonbabenko
commented
3 months ago This PR is included in version 5.39.1 :tada:
antonbabenko
commented
3 months ago Thanks @devopserio for this small fix.
github-actions[bot]
commented
2 months ago I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
Correcting this to use HTTPS. Adding a pull request to remediate a potential security issue within the "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" module that pertains to the configuration of IAM roles for OIDC (OpenID Connect) with GitHub Actions.
Issue Description: The current implementation of the IAM role's trust relationship within the module uses an HTTP URL (http://token.actions.githubusercontent.com) in the token.actions.githubusercontent.com:iss condition. This configuration poses a security risk as the HTTP protocol is not encrypted, making it susceptible to man-in-the-middle attacks where an attacker could intercept or alter the communication.
Security Risk: Using HTTP allows potential attackers to intercept the authentication tokens used between GitHub Actions and AWS, leading to unauthorized actions or access within AWS resources under certain conditions. The industry best practice is to use HTTPS to ensure the integrity and confidentiality of the communication between clients and servers.
Suggested Fix: To mitigate this issue and enhance the security of the module, I recommend updating the URL in the trust policy from HTTP to HTTPS. Here is the updated snippet for your reference:
json Copy code "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com", "token.actions.githubusercontent.com:iss": https://token.actions.githubusercontent.com } } Benefits of the Fix: Updating to HTTPS ensures that the communication between GitHub Actions and AWS IAM via the token issuer URL is secure and encrypted, thereby safeguarding against eavesdropping and tampering by malicious entities.
I believe this change will significantly enhance the security of the module and its users, aligning it with best security practices and AWS recommendations.
Thank you for considering this issue. I appreciate the work you have put into developing this useful module and am looking forward to the continued improvement that enhances its security and reliability. Please let me know if I can provide any further information or assistance.