Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-cdk): cdk deploy generates IAM roles that don't adhere to Security Hub compliance packs #21526

Closed
meghannoelle opened this issue Aug 9, 2022 · 2 comments
Closed

(aws-cdk): cdk deploy generates IAM roles that don't adhere to Security Hub compliance packs #21526

meghannoelle opened this issue Aug 9, 2022 · 2 comments
Assignees
@rix0rrr
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.

Comments

@meghannoelle
Copy link

Describe the bug

I noticed the following security issue via Security Hub for IAM roles created by the cdk deploy process (specifically the roles with Tags of {key: aws-cdk:bootstrap-role, value: deploy}):

Expected Behavior

I expected IAM policies generated by cdk deploy to down scope the KMS resource to avoid breaching Security Hub policies.

Current Behavior

The generated AWS CDK bootstrap roles are granted the following policy:
"Action": [ "kms:Decrypt", "kms:DescribeKey", "kms:Encrypt", "kms:ReEncrypt*", "kms:GenerateDataKey*" ], "Resource": "*"

Reproduction Steps

  • Create a new CDK app via cdk init
  • Deploy the following stack:
import { Stack, StackProps } from 'aws-cdk-lib';
import { Construct } from 'constructs';
import * as awsSecurityHub from 'aws-cdk-lib/aws-securityhub';

export class SecurityHubTestStack extends Stack {
  constructor(scope: Construct, id: string, props?: StackProps) {
    super(scope, id, props);

    new awsSecurityHub.CfnHub(this, 'SecurityHub');
  }
}
  • Go to Security Hub in AWS Console and locate the following security breach on cdk IAM roles:
    [KMS.2] IAM principals should not have IAM inline policies that allow decryption and re-encryption actions on all KMS keys

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.35.0 (build 5c23578)

Framework Version

No response

Node.js Version

v14.18.1

OS

MacOS

Language

Typescript

Language Version

No response

Other information

No response
@meghannoelle meghannoelle added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Aug 9, 2022
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Aug 9, 2022
@rix0rrr
Copy link
Contributor

rix0rrr commented Aug 10, 2022

Duplicate of #19380

@rix0rrr rix0rrr marked this as a duplicate of #19380 Aug 10, 2022
@rix0rrr rix0rrr closed this as completed Aug 10, 2022
@github-actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rix0rrr rix0rrr

Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management bug This issue is a bug. needs-triage This issue or PR still needs to be triaged.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@rix0rrr @meghannoelle