(pipelines/bootstrap): add Permission Boundary to bootstrap resources

[rix0rrr]

The cdk bootstrap command will be able to be invoked as follows:

$ cdk bootstrap --permissions-boundary=arn:aws:iam::account-id:policy/policy-name-with-path

This sets the CloudFormation Execution Role up to enforce its use.

When users add:

{
  "context": {
    "@aws-cdk/core.permissionsBoundary": "arn:aws:iam::account-id:policy/policy-name-with-path"
  }
}

To their cdk.json, all Roles in all stacks will be provisioned with that permission boundary automatically.

---

This is a 🚀 Feature Request

[redbaron]

Could you provide an example of Control Plane and Data plane calls?

[rix0rrr]

Could you provide an example of Control Plane and Data plane calls?

Sure. Control Plane calls are (typically) calls that configure services, while Data Plane calls are calls that use services.

Some examples:

Service	Control Plane	Data Plane
S3	CreateBucket, PutBucketPolicy	PutObject, GetObject
SQS	CreateQueue, PutQueuePolicy	SendMessage, ReceiveMessages, DeleteMessage
DDB	CreateTable, TagResource, UpdateTable	PutItem, Scan, Query

Some calls might be debatable. For example, ListBuckets could be considered a Control Plane call but it might equally well be considered a Data Plane call.

At the same time, it's reasonable to think that it's fine for applications to create some resources as part of their normal operation, like perhaps creating SQS Queues and SNS Topics on-demand, so it's not entirely cut-and-dry what calls should be allowed and disallowed for execution roles. But these are details that can be worked out; the bigger question is whether the whole scheme would have value to it in the first place.

[hoegertn]

One thing that comes to my mind is: How would I deploy Lambda functions with ops tasks using CDK if all roles are denied control plane access.

I am not sure this approach is really helpful or if it is a form of snake oil.

The main entry point for any attacker is still the repository itself and there is no way to mitigate this completely. So we need to make sure safeguards are in place here.

[Wenzil]

@hoegertn you still want to limit the damage if there is a breach

@rix0rrr I think this is a great option to have. We are anyway going with a similar approach using our custom bootstrap template. +1 for providing more secure defaults

[greg-aws]

I believe this issue can be closed once #14568 is merged. The use of the PermissionBoundary construct I think may satisfy the other aspect of this issue. @rix0rrr do you agree?

[patrickmryan]

This issue is still not resolved. While it is possible to add a permissions boundary on a CDK stack, the bootstrap process does not include the option to attach a boundary policy to the IAM roles created by the bootstrap. As a result, the bootstrap process will fail if it is executed in an environment where we are not permitted to create an IAM role without a boundary policy.

I forked the repo and will work on this feature myself.

[kjjuno]

@patrickmryan thank you! I very much need this feature as well. I am unable to bootstrap our account with the current version because of permission boundary issues.

[patrickmryan]

I wrote a blog post on getting around this issue. ***@***.***/bootstrapping-aws-cdk-in-a-secure-environment-9bc778ea6d94 Pat

On Fri, Feb 4, 2022 at 3:59 PM Kevin Johnson ***@***.***> wrote: @patrickmryan <https://github.com/patrickmryan> thank you! I very much need this feature as well. I am unable to bootstrap our account with the current version because of permission boundary issues. — Reply to this email directly, view it on GitHub <#12207 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADEHXMB3PCFC3HTV4LU3UXDUZQ43FANCNFSM4VGYVZLA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

-- ***@***.*** ***@***.*** https://www.facebook.com/patrick.m.ryan1 http://www.imageryan.com

[kjjuno]

@patrickmryan this is your blog post correct?
https://medium.com/@imageryan/bootstrapping-aws-cdk-in-a-secure-environment-9bc778ea6d94

[patrickmryan]

Yes, that's mine. pat

…

On Mon, Feb 7, 2022 at 12:05 PM Kevin Johnson ***@***.***> wrote: @patrickmryan <https://github.com/patrickmryan> this is your blog post correct? ***@***.***/bootstrapping-aws-cdk-in-a-secure-environment-9bc778ea6d94 — Reply to this email directly, view it on GitHub <#12207 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADEHXMGFTUFBJTODGJ3JXEDUZ73VBANCNFSM4VGYVZLA> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

-- ***@***.*** ***@***.*** https://www.facebook.com/patrick.m.ryan1 http://www.imageryan.com

[kjjuno]

works like a charm. Thanks so much!

[viktorchukhantsev]

@patrickmryan Thank you. Can you also please attach example policy for boundary in GH repo? I have issues with defining that policy due to lack of knowledge about AWS policies and boundary permissions.

[joehillen]

This indicates that support for this has been added, but I can't find a way to specify InputPermissionsBoundary during bootstrap.

aws-cdk/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

Line 45 in cdfa970

InputPermissionsBoundary:

[joehillen]

Ah ha! It's a secret option that is not documented here or in --help.

cdk bootstrap --custom-permissions-boundary MY_BOUNDARY