Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(aws-cloudfront): cdk-nag and Lambda@EDGE issues - AwsSolutions-IAM4 rule #26194

Closed
robertd opened this issue Jul 1, 2023 · 3 comments
Closed

(aws-cloudfront): cdk-nag and Lambda@EDGE issues - AwsSolutions-IAM4 rule #26194

robertd opened this issue Jul 1, 2023 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@robertd
Copy link
Contributor

robertd commented Jul 1, 2023
edited
Loading

Describe the bug

When trying to apply cdk-nag project to my current aws-cdk project (CF + OAI + S3 solution) I started seeing errors I cannot suppress/fix.

It seems that NagSuppressions does not apply to cloudfront.experimental.EdgeFunction.

...

const edgeLambda = new cloudfront.experimental.EdgeFunction(this, `lambda-edge-${index}`, {
  runtime: config.runtime,
  handler: config.handler, // i.e.: "index.handler"
  code: lambda.Code.fromAsset(path.join(__dirname, config.path)), // i.e.: "lambda/common"
});

// Suppress rule for AWSLambdaBasicExecutionRole
NagSuppressions.addResourceSuppressions(
  edgeLambda,
  [
    {
      id: 'AwsSolutions-IAM4',
      reason: 'Suppress AwsSolutions-IAM4 for AWSLambdaBasicExecutionRole',
      appliesTo: [
        'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
      ],
    },
  ],
  true,
);

Expected Behavior

Expected cdk-nag suppression to work.

// Suppress rule for AWSLambdaBasicExecutionRole
NagSuppressions.addResourceSuppressions(
  edgeLambda,
  [
    {
      id: 'AwsSolutions-IAM4',
      reason: 'Suppress AwsSolutions-IAM4 for AWSLambdaBasicExecutionRole',
      appliesTo: [
        'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole',
      ],
    },
  ],
  true,
);

Current Behavior

[Error at /lambda-edge/lambda-edge-0/ServiceRole/Resource] AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]: The IAM user, role, or group uses AWS managed policies. An AWS managed policy is a standalone policy that is created and administered by AWS. Currently, many AWS managed policies do not restrict resource scope. Replace AWS managed policies with system specific (customer) managed policies.This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'Policy::<policy>' for AWS managed policies. Example: appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/foo'].

Reproduction Steps

See above.

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.86.0

Framework Version

No response

Node.js Version

18

OS

Ventura 13.4.1

Language

Typescript

Language Version

No response

Other information

No response
@robertd robertd added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Jul 1, 2023
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label Jul 1, 2023
@robertd robertd changed the title (aws-cloudfront): cdk-nag and Lambda@EDGE issues (aws-cloudfront): cdk-nag and Lambda@EDGE issues - AwsSolutions-IAM4 rule Jul 1, 2023
@robertd
Copy link
Contributor Author

robertd commented Jul 1, 2023

I found this cdklabs/cdk-nag#1306... but I wasn't able to get it to work with multiple edge functions associated with CF distro.

@pahud
Copy link
Contributor

pahud commented Jul 3, 2023

I guess the best place is to call out is cdk-nag as this looks like a cdk-nag feature?

@pahud pahud added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jul 3, 2023
@github-actions
Copy link

github-actions bot commented Jul 5, 2023

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added closing-soon This issue will automatically close in 4 days unless further comments are made. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels Jul 5, 2023
@github-actions github-actions bot mentioned this issue Aug 1, 2023
Closed
@MarcDuQuesne MarcDuQuesne mentioned this issue Jan 22, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront bug This issue is a bug. closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/medium Medium work item – several days of effort p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@robertd @pahud