
fix(dynamodb): Support iampolicy minimize credential #21673

Closed

Conversation

@watany-dev watany-dev commented Aug 19, 2022

fixes #20545

As noted in the link below, the following IAM Policy permissions appear sufficient for this support.

  • dynamodb:DescribeTable
  • dynamodb:UpdateTable

#20545 (comment)


All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license


@github-actions github-actions bot added the p2 label Aug 19, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team August 19, 2022 04:08
@github-actions github-actions bot added effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p1 and removed p2 labels Aug 19, 2022
@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: a981920
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@TheRealAmazonKendra TheRealAmazonKendra left a comment

I'm concerned that this has the potential to break users' functionality. How do we know that these are the only two permissions needed?

@watany-dev

I'll explain some of the overlap with what I wrote in this link
#20545 (comment)

The IAMRole (onEvent) to which privileges are added in this process is granted to this Lambda.

https://github.com/aws/aws-cdk/blob/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56/packages/%40aws-cdk/aws-dynamodb/lib/replica-handler/index.ts

When checking the AWS SDK for this code, I confirmed that only two DynamoDB actions are available.

@TheRealAmazonKendra

> I'll explain some of the overlap with what I wrote in this link #20545 (comment)
>
> The IAMRole (onEvent) to which privileges are added in this process is granted to this Lambda.
>
> https://github.com/aws/aws-cdk/blob/75bfce70dbc57fe688c96b3c5cbb67fc4e6fcc56/packages/%40aws-cdk/aws-dynamodb/lib/replica-handler/index.ts
>
> When checking the AWS SDK for this code, I confirmed that only two DynamoDB actions are available.

The problem is that often under the hood, the visible APIs call other APIs that this change may now remove permissions for. This is especially true for CloudFormation calls. They are often doing more under the hood than is visible. This comment block gives me even more pause.
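The reviewer's question (are DescribeTable and UpdateTable really the only calls the handler role makes?) is normally answered from evidence rather than from reading the SDK: audit the role's CloudTrail history before narrowing the policy, then watch for AccessDenied afterwards. The following is an added example, not code from this PR or from aws-cdk; the role ARNs, the ListTagsOfResource call and all event records are constructed to illustrate the check.

```python
# Constructed sample CloudTrail records (not real logs). ROLE_ARN stands in for
# the replica handler's onEvent role; ListTagsOfResource is a hypothetical extra
# call included only to show how a hidden API dependency would surface.
ROLE_ARN = "arn:aws:iam::123456789012:role/ReplicaOnEventRole"  # hypothetical
OTHER_ROLE = "arn:aws:iam::123456789012:role/SomeOtherRole"     # hypothetical

def _rec(source, name, role, error=None):
    rec = {"eventSource": source, "eventName": name,
           "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": role}}}}
    if error:
        rec["errorCode"] = error
    return rec

# One replica create/update cycle under the current (broad) policy.
BEFORE_EVENTS = [
    _rec("logs.amazonaws.com", "CreateLogStream", ROLE_ARN),
    _rec("dynamodb.amazonaws.com", "DescribeTable", ROLE_ARN),
    _rec("dynamodb.amazonaws.com", "UpdateTable", ROLE_ARN),
    _rec("dynamodb.amazonaws.com", "DescribeTable", ROLE_ARN),
    _rec("dynamodb.amazonaws.com", "ListTagsOfResource", ROLE_ARN),   # hypothetical
    _rec("dynamodb.amazonaws.com", "DeleteTable", OTHER_ROLE),        # not our role
]
# The same cycle after narrowing the policy: the hidden call now fails.
AFTER_EVENTS = BEFORE_EVENTS[:4] + [
    _rec("dynamodb.amazonaws.com", "ListTagsOfResource", ROLE_ARN, "AccessDenied"),
]

# Allow-list proposed in this PR, plus what AWSLambdaBasicExecutionRole grants.
PROPOSED_ALLOW = {"dynamodb:DescribeTable", "dynamodb:UpdateTable"}
LAMBDA_BASELINE = {"logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"}

def _issuer_arn(event):
    return (event.get("userIdentity", {}).get("sessionContext", {})
            .get("sessionIssuer", {}).get("arn"))

def _action(event):
    # eventSource is "<service>.amazonaws.com"; IAM actions are "<service>:<EventName>".
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"

def actions_used(events, role_arn):
    """Distinct IAM actions the role's sessions invoked successfully."""
    return {_action(e) for e in events
            if _issuer_arn(e) == role_arn and "errorCode" not in e}

def denied_actions(events, role_arn):
    """Actions the role attempted that IAM refused (an over-tight policy shows up here)."""
    return {_action(e) for e in events
            if _issuer_arn(e) == role_arn and e.get("errorCode") == "AccessDenied"}

def policy_gap(events, role_arn, allowed):
    """Actions observed in the audit window that the proposed policy would not cover."""
    return actions_used(events, role_arn) - allowed
```

Run against a real trail, `policy_gap` on the pre-change window lists what the narrower policy would break, and `denied_actions` on the post-change window confirms whether anything did.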

@aws-cdk-automation

This PR has been in the CHANGES REQUESTED state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.

@aws-cdk-automation

This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.

@aws-cdk-automation aws-cdk-automation added the closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. label Sep 30, 2022
@aws-cdk-automation aws-cdk-automation left a comment

The Pull Request Linter fails with the following errors:

❌ Fixes must contain a change to an integration test file and the resulting snapshot.

PRs must pass status checks before we can provide a meaningful review.

Successfully merging this pull request may close these issues.

(DynamoDB): Table generates policies not compliant with Security Hub