aws-stepfunctions-tasks: Add IAM policy condition to the auto-generated IAM policy document

[helseidy1046]

Describe the feature

We have been setting up a new AWS account that uses EventBridge with step functions. While using EventBridgePutEvents state to directly emit events from the state machines, we notice that it will automatically create an IAM policy with events:putEvents action and the specified eventBus in props.

In our setup we wanted to add an additional IAM policy condition on events:source key to ensure each state machine is allowed to act as that source. That's to have better integrity over who can put what events on the shared event bus.

Use Case

Have control over the auto-generated IAM policies of step functions state constructs.

This ensures that even if the step functions object is tinkered with intentionally or unintentionally, it won't be able to emit events as any other source. As long as the IAM policy is restricting it.

This will allow us to monitor IAM policies, create verification aspects on them, etc.

Proposed Solution

Add an extra property in EventBridgePutEventsProps or even the parent TaskStateBaseProps called conditions. Then when constructing the state, use can pass additional conditions if needed.

export class MyEmitEventTask extends EventBridgePutEvents {
    ...
    super(scope, id, {
      entries: [
        {
          detailType: "type",
          source: "source",
          eventBus: "bus",
          detail: {"user": "123"},
        },
      ],
      conditions: {
         "StringEquals": {
            "events:souce": "xyz"
         }
      }
    });
}

Other Information

The alternative we have been using is doing this through a lambda function which has this policy configured manually. So it would be step functions has lambda:invoke policy, lambda as events:putEvents policy with the source condition.

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.133.0

Environment details (OS name and version, etc.)

[pahud]

Yes we should allow user to specify conditions in EventBridgePutEventsProps and pass it all the way to the policy statement here. Making this a p2 and we welcome pull requests to move this forward.

[pahud]

I just checked the doc here for the iam policies but I can't find any sample with the event:source condition for that. I am guessing this would look something like below but I am not quite sure. Is this something you expect? Are you able to configure that to restrict the event source or have you seen any relevant document with samples to address this concern?

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "events:source": "<YOUR_STATE_MACHINE_ARN>"
                }
            },
            "Action": "events:PutEvents",
            "Resource": [
                "arn:aws:events:us-east-1:XXXXXXXXXXXX:event-bus/default",
                "arn:aws:events:us-east-1:XXXXXXXXXXXX:event-bus/MyEventBus1"
            ],
            "Effect": "Allow"
        }
    ]
}

[github-actions]

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

[aws-cdk-automation]

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.