(DynamoDB): Narrow global table policy permissions to use specific actions instead of a wildcard #23529
Comments
We don't claim to support this, and also won't be doing this by default for a few reasons. Doing this by default would incur additional cost in some cases; additionally, there are different levels of security standards which can be enabled. On top of this, there's no guarantee that SecurityHub rules won't change over time, which would come with a maintenance cost. A combination of CFN Guard and aspects may be a way to address this down the line; see this RFC for more info. As for this specific issue, I changed it to a feature request to narrow the permissions to only what is necessary just in this case. Thanks for the request 🙂
I found the code comments saying:
Does anyone have any idea where the AWS Support recommendation came from?
Gotcha! What I'd love to see is an opt-in way of telling CDK "do not deploy anything not compatible with XYZ SecurityHub standards". Thank you for the link to the RFC, excited to see how it's going to evolve down the line 👀
This issue was for the existing Instead, the Be aware that there are additional deployment steps involved in a migration from Here are some other resources to get you started (using
Describe the bug
When using Amazon DynamoDB Global Tables with AWS CDK as described in https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_dynamodb-readme.html#amazon-dynamodb-global-tables, the generated IAM policy fails the "[IAM.21] IAM customer managed policies that you create should not allow wildcard actions for services" AWS Foundational Security Best Practices controls check. SecurityHub does offer remediation instructions, but I believe that CDK should not create non-SecurityHub-compliant policies by default.
Expected Behavior
When using the replicationRegions prop in the Table construct, the generated IAM policy should be fully SecurityHub compliant.
Current Behavior
The generated rule fails the following check:
Example generated IAM rule looks like this:
Reproduction Steps
Provision a DynamoDB table, for instance using the following snippet:
Go to SecurityHub and notice that myTable will trigger an "IAM customer managed policies that you create should not allow wildcard actions for services" low-severity check from the AWS Foundational Security Best Practices v1.0.0 standard.
Possible Solution
Scope down the generated policy in order to avoid granting permission for all actions on the provisioned DDB table.
According to Using IAM with global tables documentation, only the following permissions are required:
Then again, a comment in the CDK codebase seems to suggest that this documentation is incorrect (?)
https://github.com/aws/aws-cdk/blob/main/packages/@aws-cdk/aws-dynamodb/lib/table.ts#L1621
Additional Information/Context: No response
CDK CLI Version: 2.55.1
Framework Version: No response
Node.js Version: 16.16.0
OS: MacOS 13.1 (22C65)
Language: Typescript
Language Version: No response
Other information: No response
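As an added illustration of the IAM.21 condition the issue describes (not code from the aws-cdk project or the issue author), the check below scans an IAM policy document for Allow statements that grant a whole service's actions, and runs it over a constructed wildcard statement like the one the replication handler gets and over a narrowed version. The narrowed action list and the table ARN are constructed samples; the authoritative set of actions is the "Using IAM with global tables" page the issue links.

```typescript
// Minimal IAM.21-style wildcard-action check over an IAM policy document.
// Added example, not aws-cdk code. Sample policies below are constructed.

type Statement = {
  Effect: "Allow" | "Deny";
  Action?: string | string[];
  Resource?: string | string[];
};
type PolicyDocument = { Version: string; Statement: Statement[] };

// Returns every action in an Allow statement that grants all actions of a
// service ("dynamodb:*") or all actions outright ("*"), which is what the
// IAM.21 control flags. An empty array means the policy passes this check.
// Partial wildcards such as "dynamodb:Describe*" are deliberately not flagged.
function findWildcardActions(doc: PolicyDocument): string[] {
  const hits: string[] = [];
  for (const stmt of doc.Statement) {
    if (stmt.Effect !== "Allow" || stmt.Action === undefined) continue;
    const actions = Array.isArray(stmt.Action) ? stmt.Action : [stmt.Action];
    for (const action of actions) {
      if (action === "*" || action.endsWith(":*")) hits.push(action);
    }
  }
  return hits;
}

// Constructed placeholder ARN; the account id is not a real one.
const TABLE_ARN = "arn:aws:dynamodb:eu-west-1:123456789012:table/myTable";

// Constructed sample resembling the statement the issue reports: every
// DynamoDB action on the table, which trips IAM.21.
const wildcardPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "dynamodb:*", Resource: TABLE_ARN }],
};

// Constructed narrowed sample with explicit actions only (illustrative list,
// not the authoritative one from the global tables documentation).
const narrowedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Action: ["dynamodb:DescribeTable", "dynamodb:UpdateTable",
             "dynamodb:CreateTableReplica", "dynamodb:DeleteTableReplica"],
    Resource: TABLE_ARN,
  }],
};

console.log(findWildcardActions(wildcardPolicy)); // ["dynamodb:*"]
console.log(findWildcardActions(narrowedPolicy)); // []
```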