(rds): Permission Boundary Aspect with Secret Rotation #19649
Comments
patrickdomnick
added
feature-request
github-actions
bot
added
the
@aws-cdk/aws-rds
|
Hey @Crapatrick, thanks for opening the issue. Can you share a little bit more how you implement Permission Boundaries with Aspects? Thanks, |
skinny85
added
the
response-requested
|
Sure we are applying the boundary like this: import { CfnRole } from '@aws-cdk/aws-iam';
import { Annotations, CfnResource, IAspect, IConstruct } from '@aws-cdk/core';
export class IamRoleAttachPermissionBoundary implements IAspect {
public visit(node: IConstruct): void {
// See that we're dealing with a CfnRole
if (node instanceof CfnRole ) {
if (!node.permissionsBoundary) {
node.permissionsBoundary = 'arn:aws:iam::07354411483:policy/cdk-bootstrap-boundary-base-boundary';
}
} else if ( node instanceof CfnResource && node.cfnResourceType == 'AWS::IAM::Role' ) {
node.addPropertyOverride('PermissionsBoundary', 'arn:aws:iam::07354411483:policy/cdk-bootstrap-boundary-base-boundary');
}
}
} |
github-actions
bot
removed
the
response-requested
|
Thanks @Crapatrick! And can you also show how you use the Aspect (where do you apply it)? |
skinny85
added
the
response-requested
|
Permission Boundary part already discussed here #3242? |
github-actions
bot
removed
the
response-requested
skinny85
added
the
response-requested
|
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled. |
github-actions
bot
added
the
closing-soon
We are using it on the App level. Meaning it should be applied to all Stacks.
This looks like the solution which we are currently using. Is it now? However, because of the nature of nested stacks and SAM, these roles can not be changed as it is a fixed construct. I will work on a minimal example featuring a RDS with a Single Rotation Lambda and this IAM Aspect with Permission Boundary. |
github-actions
bot
removed
closing-soon
|
@patrickdomnick any updates here? Do you maybe have that example? Thanks, |
skinny85
added
the
response-requested
|
Hi there, sorry for the long silence. I had tried a few different approaches which were unsuccessful. Anyway, here is a small examples with some additional information: import { Vpc } from "@aws-cdk/aws-ec2";
import { CfnRole } from "@aws-cdk/aws-iam";
import { DatabaseInstance, DatabaseInstanceEngine } from "@aws-cdk/aws-rds";
import { CfnFunction } from "@aws-cdk/aws-sam";
import { App, CfnResource, Construct, Stack, StackProps } from "@aws-cdk/core";
// Example Stack Created by Projen
export class MyStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps = {}) {
super(scope, id, props);
// Use some existing VPC or create a new one
const vpc = new Vpc(this, "Default");
// Create any Database
const db = new DatabaseInstance(this, "Database", {
engine: DatabaseInstanceEngine.POSTGRES,
vpc: vpc,
});
// Add Rotation for User
db.addRotationSingleUser();
}
}
// Set Environment Values for CDK
const env = {
account: process.env.CDK_DEFAULT_ACCOUNT,
region: process.env.CDK_DEFAULT_REGION,
};
// Create new App for the Stack
const app = new App();
const stack = new MyStack(app, "rdsrotation", { env });
// Apply boundary to every Role
const boundary = `arn:aws:iam::${env.account}:policy/cdk-bootstrap-boundary-base-boundary`;
stack.node.children.forEach((node) => {
// Works just fine for everything Cloudformation related
if (node instanceof CfnRole) {
if (!node.permissionsBoundary) {
node.permissionsBoundary = boundary;
}
} else if (
node instanceof CfnResource &&
node.cfnResourceType == "AWS::IAM::Role"
) {
node.addPropertyOverride("PermissionsBoundary", boundary);
} else if (node instanceof CfnFunction) {
// We have a sam.Application which is not compatible with boundary
// This function is in a new Stack and no Boundary will be applied
// We also can use Globals because we are using CloudFormation with a Application
node.permissionsBoundary = boundary;
}
});
// The Cloudformation Role can only create Roles with this $boundary attached to it
/*
{
"Condition": {
"StringEquals": {
"iam:PermissionsBoundary": [
"arn:aws:iam::*:policy/cdk-bootstrap-boundary-base-boundary"
]
}
},
"Action": [
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:PutRole*",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy"
],
"Resource": [
"*",
],
"Effect": "Allow"
},
...a lot of wildcard permissions to create resources
*/
app.synth(); |
github-actions
bot
removed
the
response-requested
|
@peterwoodworth I'm leaving this one for you to triage or reassign 🙂. |
mrgrain
added
p2
and removed
needs-triage
|
Are there any updates on this perhaps? I am currently running in the same problem. |
|
This cannot be configured currently through the specified application when using In the meantime, instead of using SAM (which our methods use under the hood), you can deploy your own password rotation lambda. All of our rotation lambdas are posted here: https://github.com/aws-samples/aws-secrets-manager-rotation-lambdas |
|
Unfortunately the request for permission boundary support has been open for over 2 years on the rotation lambda project side: aws-samples/aws-secrets-manager-rotation-lambdas#27 I don't suppose there is any chance CDK will provide a workaround by not using SAM under the hood? |
|
Facing similar challenge. Anyone that has a workaround? |
|
We are facing same issue, do you have any known workaround? |
Description
Using RDS Secrets Rotation will create a SAM Stack which does not apply IAM Permission Boundaries via Aspects because they are in a Nested Stack.
Use Case
Our Cloudformation Role can only create IAM Roles with attached Permission Boundaries, which we roll out via Aspects.
Proposed Solution
Use a different approach for the Secrets Rotation Lambda which does not rely on SAM.
Other information
No response
Acknowledge
The text was updated successfully, but these errors were encountered: