
Update bootstrap template & CLI #22744

Closed
corymhall opened this issue Nov 2, 2022 · 1 comment

corymhall commented Nov 2, 2022

Add two new flags to the bootstrap command.

CLI Flags

  • --example-permissions-boundary

If the user sets this to true then the bootstrap template will create a permission boundary policy with the base policy. It will also apply the permission boundary to the bootstrap cfn-exec IAM role. We will provide instructions on how to add additional policy statements to this managed policy. At a high level this can be done either by 1. editing the template prior to bootstrapping, or 2. we can provide a link to the console where the user can edit the policy.

  • --custom-permissions-boundary <NAME>

If the user already has a permission boundary policy and they do not want the bootstrap template to create one, they can provide the name of the policy and the permission boundary will be applied to the bootstrap cfn-exec IAM role.

Bootstrap Template

```
PermissionsBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      PolicyDocument:
        Statement:
          # If permission boundaries do not have an explicit allow
          # then the effect is deny
          - Sid: ExplicitAllowAll
            Action:
              - "*"
            Effect: Allow
            Resource: "*"
          # Default permissions to prevent privilege escalation.
          # Principals may only be created (or have a boundary set) with this
          # policy as their boundary. StringNotEquals also matches when the
          # request carries no iam:PermissionsBoundary at all, so a CreateRole
          # without any boundary is denied.
          - Sid: DenyAccessIfRequiredPermBoundaryIsNotBeingApplied
            Action:
              - iam:CreateUser
              - iam:CreateRole
              - iam:PutRolePermissionsBoundary
              - iam:PutUserPermissionsBoundary
            Condition:
              StringNotEquals:
                iam:PermissionsBoundary:
                  Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-BootstrapPermissionBoundary-${AWS::AccountId}-${AWS::Region}
            Effect: Deny
            Resource: "*"
          # The boundary must not be able to rewrite itself.
          - Sid: DenyPermBoundaryIAMPolicyAlteration
            Action:
              - iam:CreatePolicyVersion
              - iam:DeletePolicy
              - iam:DeletePolicyVersion
              - iam:SetDefaultPolicyVersion
            Effect: Deny
            Resource:
              Fn::Sub: arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-BootstrapPermissionBoundary-${AWS::AccountId}-${AWS::Region}
          # Nor may any principal strip the boundary from a user or role
          # (the IAM action names are DeleteUserPermissionsBoundary and
          # DeleteRolePermissionsBoundary, with the plural).
          - Sid: DenyRemovalOfPermBoundaryFromAnyUserOrRole
            Action:
              - iam:DeleteUserPermissionsBoundary
              - iam:DeleteRolePermissionsBoundary
            Effect: Deny
            Resource: "*"
        Version: "2012-10-17"
      Description: "Bootstrap Permission Boundary"
      ManagedPolicyName:
        Fn::Sub: cdk-${Qualifier}-BootstrapPermissionBoundary-${AWS::AccountId}-${AWS::Region}
      Path: /
```
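Added example, not code from the issue or from the aws-cdk project: a small Python evaluator that applies the IAM rules relevant to a permissions boundary to the draft template above, so you can see which requests it stops before you bootstrap with it, or before you add restrictions to the policy you retrieve with `aws iam get-policy-version` afterwards. Three rules matter: an explicit Deny in the boundary wins; otherwise a request needs a matching Allow, since a boundary that allows nothing denies everything (hence ExplicitAllowAll); and for a negated operator such as StringNotEquals a request that lacks the condition key, for example a CreateRole call with no PermissionsBoundary parameter, satisfies the condition, which is what makes the guard bite. The guard statement is modelled here as a Deny under StringNotEquals, as its Sid describes; written as an Allow under StringEquals it adds nothing, because the first statement already allows every action, and the block shows that too. The account, region, qualifier and role ARN are constructed values, and only the operators and wildcards the template uses are implemented.

```python
import copy
import fnmatch
from typing import Any, Dict, List

# Constructed values for the example; the page fixes none of these.
PARTITION, ACCOUNT, REGION, QUALIFIER = "aws", "123456789012", "us-east-1", "hnb659fds"
BOUNDARY_ARN = (f"arn:{PARTITION}:iam::{ACCOUNT}:policy/"
                f"cdk-{QUALIFIER}-BootstrapPermissionBoundary-{ACCOUNT}-{REGION}")
APP_ROLE_ARN = f"arn:{PARTITION}:iam::{ACCOUNT}:role/app-role"

# The draft boundary from the issue with Fn::Sub resolved; the guard is a
# Deny under StringNotEquals, as its Sid describes.
BOUNDARY_POLICY: Dict[str, Any] = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ExplicitAllowAll", "Effect": "Allow", "Action": ["*"], "Resource": "*"},
        {"Sid": "DenyAccessIfRequiredPermBoundaryIsNotBeingApplied", "Effect": "Deny",
         "Action": ["iam:CreateUser", "iam:CreateRole",
                    "iam:PutRolePermissionsBoundary", "iam:PutUserPermissionsBoundary"],
         "Resource": "*",
         "Condition": {"StringNotEquals": {"iam:PermissionsBoundary": BOUNDARY_ARN}}},
        {"Sid": "DenyPermBoundaryIAMPolicyAlteration", "Effect": "Deny",
         "Action": ["iam:CreatePolicyVersion", "iam:DeletePolicy",
                    "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
         "Resource": BOUNDARY_ARN},
        {"Sid": "DenyRemovalOfPermBoundaryFromAnyUserOrRole", "Effect": "Deny",
         "Action": ["iam:DeleteUserPermissionsBoundary", "iam:DeleteRolePermissionsBoundary"],
         "Resource": "*"},
    ],
}


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _matches(patterns: Any, value: str, fold_case: bool = False) -> bool:
    """IAM-style '*' wildcard match; actions compare case-insensitively, ARNs do not."""
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _condition_holds(condition: Dict[str, Dict[str, Any]], context: Dict[str, str]) -> bool:
    """StringEquals / StringNotEquals only. A key missing from the request
    context fails a positive operator and satisfies a negated one."""
    for operator, pairs in condition.items():
        if operator not in ("StringEquals", "StringNotEquals"):
            raise NotImplementedError(operator)
        negated = operator == "StringNotEquals"
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                matched = negated
            else:
                matched = actual in _as_list(expected)
                matched = not matched if negated else matched
            if not matched:
                return False
    return True


def evaluate_boundary(policy: Dict[str, Any], action: str, resource: str,
                      context: Dict[str, str] = None) -> str:
    """'Allow' or 'Deny' for one request under the boundary alone: explicit Deny
    wins, no matching Allow is an implicit Deny. Identity policies are checked
    separately by IAM and can only narrow what the boundary allows."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action, fold_case=True):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if "Condition" in stmt and not _condition_holds(stmt["Condition"], context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


def guardrail_report(policy: Dict[str, Any], boundary_arn: str) -> Dict[str, bool]:
    """True for each escalation path the boundary must close (and the one it must leave open)."""
    def ev(action, resource, ctx=None):
        return evaluate_boundary(policy, action, resource, ctx)
    other = f"arn:{PARTITION}:iam::aws:policy/AdministratorAccess"
    return {
        "ordinary_action_allowed": ev("s3:GetObject", "arn:aws:s3:::bucket/key") == "Allow",
        "create_role_without_boundary_denied": ev("iam:CreateRole", APP_ROLE_ARN) == "Deny",
        "create_role_with_other_boundary_denied":
            ev("iam:CreateRole", APP_ROLE_ARN, {"iam:PermissionsBoundary": other}) == "Deny",
        "create_role_with_this_boundary_allowed":
            ev("iam:CreateRole", APP_ROLE_ARN, {"iam:PermissionsBoundary": boundary_arn}) == "Allow",
        "edit_boundary_policy_denied": ev("iam:CreatePolicyVersion", boundary_arn) == "Deny",
        "remove_boundary_from_role_denied":
            ev("iam:DeleteRolePermissionsBoundary", APP_ROLE_ARN) == "Deny",
    }


def with_guard_as_allow(policy: Dict[str, Any]) -> Dict[str, Any]:
    """The guard rewritten as Allow + StringEquals: a no-op next to ExplicitAllowAll."""
    weak = copy.deepcopy(policy)
    stmt = weak["Statement"][1]
    stmt["Effect"] = "Allow"
    stmt["Condition"] = {"StringEquals": stmt["Condition"]["StringNotEquals"]}
    return weak


if __name__ == "__main__":
    for name, ok in guardrail_report(BOUNDARY_POLICY, BOUNDARY_ARN).items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
    print("guard as Allow/StringEquals, CreateRole with no boundary:",
          evaluate_boundary(with_guard_as_allow(BOUNDARY_POLICY), "iam:CreateRole", APP_ROLE_ARN))
```

`guardrail_report` is the check to rerun after every edit to the policy: an added Deny that accidentally matches `iam:CreateRole` with the correct boundary, or an Allow that is too broad, shows up as a `False` entry immediately. The report is only about the boundary; whether the cfn-exec role's own identity policy permits an action is a separate evaluation that IAM intersects with this one.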
mergify bot pushed a commit that referenced this issue Nov 23, 2022
#22744

Users can now specify in the CDK CLI a [(permissions boundary) policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html) to be applied on the Execution Role and all subsequent IAM users and roles of their app.

If you want to try out the feature, a good starting point is using the `--example-permissions-boundary` (or `--epb`) parameter for `cdk bootstrap`:
```
cdk bootstrap --epb
```
This achieves a couple of things: a new policy will be created (if not already present) in the account being bootstrapped (`cdk-${qualifier}-permissions-boundary`) and it will be referenced in the bootstrap template. In order for the bootstrap to be successful, the credentials used must include `iam:getPolicy` and `iam:createPolicy` permissions.
This work pairs with #22913, as the permissions boundary needs propagation.
You can inspect the policy via the console, retrieve it via the AWS CLI or SDK, and you can copy the structure to use on your own from `packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`: Resources.CdkBoostrapPermissionsBoundaryPolicy

At this point you can edit the policy, add restrictions and see what scope would match your requirements.

For non-dev work, the suggestion is to use `--custom-permissions-boundary` (or `--cpb`):
```
cdk bootstrap --cpb "custom-policy-name"
```
The policy must be created and accessible for the credentials used to perform the bootstrap.

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [ ] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/main/INTEGRATION_TESTS.md)?
	* [ ] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@Naumel Naumel closed this as completed Jan 3, 2023
github-actions bot commented Jan 3, 2023

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
