Skip to content

Commit

Permalink
fix(elasticloadbalancingv2): least privilege invoke permission
Browse files Browse the repository at this point in the history
  • Loading branch information
@Wurstnase
Wurstnase committed Mar 25, 2024
1 parent 432f97d commit 9ebb84a
Show file tree
Hide file tree
Showing 2 changed files with 15 additions and 4 deletions.
6 changes: 2 additions & 4 deletions packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/lib/lambda-target.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,8 +18,7 @@ export class LambdaTarget implements elbv2.IApplicationLoadBalancerTarget {
* load balancer.
*/
public attachToApplicationTargetGroup(targetGroup: elbv2.IApplicationTargetGroup): elbv2.LoadBalancerTargetProps {
const grant = this.fn.grantInvoke(new iam.ServicePrincipal('elasticloadbalancing.amazonaws.com'));
grant.applyBefore(targetGroup);
this.fn.addPermission('Permission', { principal: new iam.ServicePrincipal('elasticloadbalancing.amazonaws.com'), sourceArn: targetGroup.targetGroupArn });
return this.attach(targetGroup);
}

Expand All @@ -30,8 +29,7 @@ export class LambdaTarget implements elbv2.IApplicationLoadBalancerTarget {
* load balancer.
*/
public attachToNetworkTargetGroup(targetGroup: elbv2.INetworkTargetGroup): elbv2.LoadBalancerTargetProps {
const grant = this.fn.grantInvoke(new iam.ServicePrincipal('elasticloadbalancing.amazonaws.com'));
grant.applyBefore(targetGroup);
this.fn.addPermission('Permission', { principal: new iam.ServicePrincipal('elasticloadbalancing.amazonaws.com'), sourceArn: targetGroup.targetGroupArn });
return this.attach(targetGroup);
}

Expand Down
13 changes: 13 additions & 0 deletions packages/aws-cdk-lib/aws-elasticloadbalancingv2-targets/test/lambda-target.test.ts
View file
Original file line number Diff line number Diff line change
Expand Up @@ -48,3 +48,16 @@ test('Lambda targets create dependency on Invoke permission', () => {
return (def.DependsOn ?? []).includes('FunInvokeServicePrincipalelasticloadbalancingamazonawscomD2CAC0C4');
});
});

test('Lambda targets create least privilege permission', () => {
// WHEN
listener.addTargets('Targets', {
targets: [new targets.LambdaTarget(fn)],
});

// THEN
Template.fromStack(stack).hasResourceProperties('AWS::Lambda::Permission', {
Principal: 'elasticloadbalancing.amazonaws.com',
SourceArn: { Ref: 'LBListenerTargetsGroup76EF81E8' },
});
});

0 comments on commit 9ebb84a

Please sign in to comment.