
aws-cdk-lib/aws-dynamodb: replicationRegions generate lots of AccessDenied errors in CloudTrail log #22065

Open
cartmanez opened this issue Sep 15, 2022 · 3 comments
Labels
@aws-cdk/aws-dynamodb Related to Amazon DynamoDB bug This issue is a bug. ddb-legacy-table This issue has to do with DynamoDB's legacy Table construct. Close after migration guide is out. effort/medium Medium work item – several days of effort p3

Comments

cartmanez commented Sep 15, 2022

Describe the bug

When deploying or updating a DynamoDB table with replica regions, I observe AccessDenied errors in the CloudTrail log.

Expected Behavior

No AccessDenied errors in the CloudTrail log.

Current Behavior

A bunch of AccessDenied errors are generated during creation of a global table, and also when adding/removing a replica region or removing the whole table.

There are no errors in the Lambda logs or CloudFormation stack events. The Table construct works well with global tables.

However, these AccessDenied errors trigger the alarms we have for CIS control 3.1.

Reproduction Steps

  1. Deploy the following stack:

```typescript
import { App, Stack, StackProps } from 'aws-cdk-lib';
import { AttributeType, Table } from 'aws-cdk-lib/aws-dynamodb';
import { Construct } from 'constructs';

class DynamoDbReplicaAccessDeniedDemo extends Stack {
    constructor(scope: Construct, id: string, props?: StackProps) {
        super(scope, id, props);

        // Primary table in the stack's region (us-east-1 below), replicas in the listed regions
        new Table(this, 'DemoTable', {
            partitionKey: {
                name: 'keyA',
                type: AttributeType.STRING
            },
            replicationRegions: ['us-west-1', 'us-west-2', 'us-east-2', 'eu-central-1', 'eu-west-1', 'eu-west-2', 'eu-west-3', 'ap-southeast-1', 'ap-southeast-2']
        });
    }
}

const app = new App();
new DynamoDbReplicaAccessDeniedDemo(app, 'ddb-replica-access-denied-demo', {
    env: {
        region: 'us-east-1'
    }
});
app.synth();
```

  2. Wait 15 minutes.
  3. Query the CloudTrail log group with CloudWatch Logs Insights:

```
fields eventTime, awsRegion, eventName, userIdentity.arn, errorCode, errorMessage, @message
| filter eventName='DescribeTable' and errorCode like /AccessDenied/
| sort eventTime desc
| limit 2000
```

  4. Notice there are a bunch of AccessDenied errors like

User: arn:aws:sts:::assumed-role/ddb-replica-access-denied-IsCompleteHandlerService-XXXXXXXXX/ddb-replica-access-denied-IsCompleteHandlerYYYYYY-ZZZZZZZZZZ is not authorized to perform: dynamodb:DescribeTable on resource: arn:aws:dynamodb:us-east-2::table/ddb-replica-access-denied-demo-DemoTableXXXXXXX-PPPPPPPPPP because no identity-based policy allows the dynamodb:DescribeTable action

coming from all replica regions.

Possible Solution

onEventHandler has dynamodb permissions in replica regions, while isCompleteHandler does not:

onEventHandlerPolicy.grantPrincipal.addToPrincipalPolicy(new iam.PolicyStatement({

I suppose that the assumption was that calling DescribeTable in a region X will require only permissions in region X. However, it looks like AWS under the hood invokes DescribeTable in every replica region for global tables.
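The permission gap described above, modelled in plain TypeScript as an added example (this is not code from the CDK repository; the account id, table name and region list are constructed, and the policy matcher is a deliberately minimal stand-in for IAM evaluation):

```typescript
// Model the two handler roles' DynamoDB permissions as IAM-style statements and
// check, per region, whether a DescribeTable call would be allowed.
type Statement = { Effect: "Allow" | "Deny"; Action: string[]; Resource: string[] };

const ACCOUNT = "123456789012";                          // constructed placeholder
const TABLE = "ddb-replica-access-denied-demo-DemoTable"; // constructed table name
const PRIMARY = "us-east-1";
const REPLICAS = ["us-west-2", "us-east-2", "eu-central-1"]; // constructed subset

function tableArn(region: string): string {
  return `arn:aws:dynamodb:${region}:${ACCOUNT}:table/${TABLE}`;
}

// Least-privilege grant: only DescribeTable, only this table, but covering the
// primary region *and* every replica region, because the service fans the call
// out to all replicas of a global table (the behaviour the issue reports).
function describeTableStatement(regions: string[]): Statement {
  return {
    Effect: "Allow",
    Action: ["dynamodb:DescribeTable"],
    Resource: regions.map(tableArn),
  };
}

// Minimal matcher: allowed if some Allow statement lists both the action and the
// exact resource ARN. Real IAM also handles wildcards and explicit Deny.
function isAllowed(policy: Statement[], action: string, resource: string): boolean {
  return policy.some(
    (s) => s.Effect === "Allow" && s.Action.includes(action) && s.Resource.includes(resource)
  );
}

// Regions in which the role would still produce AccessDenied CloudTrail events.
function deniedRegions(policy: Statement[], regions: string[]): string[] {
  return regions.filter((r) => !isAllowed(policy, "dynamodb:DescribeTable", tableArn(r)));
}

// Scoped to the primary region only: the situation reported for isCompleteHandler.
const primaryOnlyPolicy: Statement[] = [describeTableStatement([PRIMARY])];
// Primary plus replicas: what onEventHandler already has, and the proposed fix.
const allRegionsPolicy: Statement[] = [describeTableStatement([PRIMARY, ...REPLICAS])];
```

Running `deniedRegions(primaryOnlyPolicy, [PRIMARY, ...REPLICAS])` lists exactly the replica regions, which is where the reported AccessDenied events come from; the same call with `allRegionsPolicy` returns an empty list.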

Additional Information/Context

No response

CDK CLI Version

2.38.1 (build a5ced21)

Framework Version

No response

Node.js Version

v14.20.0

OS

GNU/Linux

Language

Typescript

Language Version

4.7.4

Other information

No response

@cartmanez cartmanez added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 15, 2022
@github-actions github-actions bot added the @aws-cdk/aws-cloudtrail Related to AWS CloudTrail label Sep 15, 2022
@comcalvi comcalvi added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Sep 21, 2022
@mascur mascur added p1 @aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-dynamodb Related to Amazon DynamoDB and removed p2 @aws-cdk/aws-iam Related to AWS Identity and Access Management @aws-cdk/aws-cloudtrail Related to AWS CloudTrail labels Sep 21, 2022

mascur commented Sep 22, 2022

Hi @cartmanez,

Thank you for reporting this issue. I deployed a Stack using the code you provided and wasn't able to reproduce the issue you are having. Is there any additional information that you could provide that might help reproduce this issue?

@mascur mascur assigned mascur and unassigned comcalvi Sep 22, 2022
cartmanez (Author) commented

Hi @mascur, thank you for looking into this.

Is your trail a multi-region one? The AccessDenied errors are happening in the replica regions, not in the region where you deploy the stack.

Also, did you wait for 15 minutes or so before checking the CloudTrail logs? They are usually delivered to the log group with some delay.

@mascur mascur added p2 and removed p1 labels Sep 27, 2022

rix0rrr commented Sep 21, 2023

This issue was for the existing Table construct, which used custom resources to implement table replication. We no longer recommend the use of the Table construct.

Instead, the TableV2 construct has been released in 2.95.1 (#27023) which maps to the AWS::DynamoDB::GlobalTable resource, has better support for replication and does not suffer from the issue described here.


Be aware that there are additional deployment steps involved in a migration from Table to TableV2. You need to do a RETAIN deployment, a delete deployment, then change the code to use TableV2 and then use cdk import. A link to a full guide will be posted once it is available.

Here are some other resources to get you started (using CfnGlobalTable instead of TableV2) if you want to get going on the migration:

@rix0rrr rix0rrr added the ddb-legacy-table This issue has to do with DynamoDB's legacy Table construct. Close after migration guide is out. label Sep 21, 2023
@pahud pahud added p3 and removed p2 labels Jun 11, 2024