fix: Fix BYOB app role to only modify FS roles (#454)

This change ensures that root application roles cannot be used to modify themselves and they are just used for creating and modifying file system roles which have a permission boundary
awslabs · Apr 21, 2021 · 35f6cce · 35f6cce
1 parent 8e89282
commit 35f6cce
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/...ces/lib/data-source/access-strategy/roles-only/__tests__/application-role-methods.test.js b/...ces/lib/data-source/access-strategy/roles-only/__tests__/application-role-methods.test.js
@@ -290,8 +290,8 @@ describe('toCfnResources', () => {
                       ],
                       Effect: 'Allow',
                       Resource: [
-                        'arn:aws:iam::1122334455:role/swb-IhsKhN8GsLneiis11ujlb8-*',
-                        'arn:aws:iam::1122334455:policy/swb-IhsKhN8GsLneiis11ujlb8-*',
+                        'arn:aws:iam::1122334455:role/swb-IhsKhN8GsLneiis11ujlb8-fs-*',
+                        'arn:aws:iam::1122334455:policy/swb-IhsKhN8GsLneiis11ujlb8-fs-*',
                       ],
                       Sid: 'RoleAndPolicyManagement',
                     },
@@ -304,7 +304,7 @@ describe('toCfnResources', () => {
                         },
                       },
                       Effect: 'Allow',
-                      Resource: 'arn:aws:iam::1122334455:role/swb-IhsKhN8GsLneiis11ujlb8-*',
+                      Resource: 'arn:aws:iam::1122334455:role/swb-IhsKhN8GsLneiis11ujlb8-fs-*',
                       Sid: 'RoleCreation',
                     },
                   ],

diff --git a/...s/lib/data-source/access-strategy/roles-only/helpers/entities/application-role-methods.js b/...s/lib/data-source/access-strategy/roles-only/helpers/entities/application-role-methods.js
@@ -201,15 +201,15 @@ function toRoleCfnResource(appRoleEntity, swbMainAccountId) {
                     'iam:GetRolePolicy',
                   ],
                   Resource: [
-                    `arn:aws:iam::${accountId}:role/${qualifier}-*`,
-                    `arn:aws:iam::${accountId}:policy/${qualifier}-*`,
+                    `arn:aws:iam::${accountId}:role/${qualifier}-fs-*`,
+                    `arn:aws:iam::${accountId}:policy/${qualifier}-fs-*`,
                   ],
                 },
                 {
                   Sid: 'RoleCreation',
                   Effect: 'Allow',
                   Action: 'iam:CreateRole',
-                  Resource: `arn:aws:iam::${accountId}:role/${qualifier}-*`,
+                  Resource: `arn:aws:iam::${accountId}:role/${qualifier}-fs-*`,
                   Condition: {
                     StringEquals: {
                       'iam:PermissionsBoundary': boundaryPolicyArn,