(aws-cdk): (Disallow CDK Bootstrap to default AdministratorAccess for cfn-exec-role) #27097

Open
2 tasks
smislam opened this issue Sep 11, 2023 · 5 comments
Labels
feature-request A feature should be added or improved. p2 package/tools Related to AWS CDK Tools or CLI

smislam commented Sep 11, 2023

Describe the feature

By default, CDK Bootstrap uses AdministratorAccess for cfn-exec-role when we run the cdk bootstrap command. This allows CDK to have higher privileges than the user is authorized to perform and poses a security concern. The feature request is to make the '--cloudformation-execution-policies' parameter mandatory.

Use Case

In my account, the account administrator disabled using AdministratorAccess. The account also has Config rules to remove AdministratorAccess access if found. We also have a security policy that removes the CDK S3 bucket on the first day of the month. Since we require re-bootstrapping the account each month, it would be ideal to make the cdk bootstrap '--cloudformation-execution-policies' parameter mandatory. That way, it will force us to pass the right cfn-exec-role rather than have CDK default to the AdministratorAccess role.

Proposed Solution

Make '--cloudformation-execution-policies' parameter mandatory

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.94.0 (build 987c329)

Environment details (OS name and version, etc.)

AWS Workspace (Microsoft Windows Server 2016 DataCenter 10.0.14393 Build 14393)

@smislam smislam added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Sep 11, 2023
@indrora
Contributor

indrora commented Sep 11, 2023

@indrora indrora added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2023
@smislam
Author

smislam commented Sep 11, 2023

Hi @indrora, thank you for sending the permission boundary information. We are actually enforcing a few things to secure the accounts that also include permission boundaries:

  1. Have IAM role with restricted permissions for users
  2. Have AWS Config Rule to flag and remove AdministratorAccess role
  3. Implement Permission Boundary to restrict users to allowed policies --> We haven't implemented this yet

As you already called out, the Permission Boundary will restrict users and cdk to only the permissions they should have. However, we still need to remove the default AdministratorAccess role when bootstrapped without the '--cloudformation-execution-policies' parameter. Our Security and Policy scanning tool finds the AdministratorAccess role and flags the account's status as a violation. The Config Rules then remove that entry, making CDK unusable.

if (trustedAccounts.length === 0 && cloudFormationExecutionPolicies.length === 0) {

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 11, 2023
@scanlonp scanlonp added the p2 label Apr 22, 2024
@otaviomacedo
Contributor

@smislam this is a possible solution, but keep in mind that it would degrade the bootstrapping experience for all the users who currently have no such constraints as you do.

Without knowing more about your specific circumstances, it's hard to tell, but couldn't you automate this process yourself, to make sure that the role has the right policies? Given that you do it monthly, I'm assuming you already have some CI/CD or bash script triggered by a cron job or something that does the bootstrap for you.

@otaviomacedo otaviomacedo added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Nov 7, 2024

github-actions bot commented Nov 9, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Nov 9, 2024
@smislam
Author

smislam commented Nov 9, 2024

@otaviomacedo, thank you for responding. Yes, I agree there are multiple ways of fixing this.

I am focusing on least privileged access as part of AWS best practices. Adding a requirement of cdk bootstrap '--cloudformation-execution-policies' is one way of enforcing best practices. This way the user can pass whatever role they want (including admin role - ideally they shouldn't) rather than CDK assuming that the current user is admin and using admin by default. This approach will also enforce creation of non-admin roles for all users, which to me may be ideal to do.
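
Added example, not part of the issue thread or of the CDK code base: a shell guard for the automation route discussed above, which treats `--cloudformation-execution-policies` as mandatory and rejects the AdministratorAccess managed policy before `cdk bootstrap` is ever invoked. The function names and exit codes (2 = flag missing, 3 = AdministratorAccess requested) are assumptions chosen for this sketch.

```shell
#!/bin/sh
# Guard for `cdk bootstrap`: make --cloudformation-execution-policies mandatory
# locally and refuse AdministratorAccess. Names and exit codes are illustrative.

check_bootstrap_args() {
  policies=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --cloudformation-execution-policies=*)
        policies="$policies,${1#*=}" ;;
      --cloudformation-execution-policies)
        # Separate-value form: accept the next argument unless it is another flag.
        if [ $# -gt 1 ]; then
          case "$2" in -*) ;; *) policies="$policies,$2"; shift ;; esac
        fi ;;
    esac
    shift
  done

  # Walk the comma-separated ARN list (the flag may also be repeated).
  found=0
  rest=$policies
  while [ -n "$rest" ]; do
    p=${rest%%,*}
    case "$rest" in *,*) rest=${rest#*,} ;; *) rest="" ;; esac
    [ -n "$p" ] || continue
    found=1
    case "$p" in
      *:policy/AdministratorAccess)
        echo "refusing: AdministratorAccess requested for cfn-exec-role" >&2
        return 3 ;;
    esac
  done

  if [ "$found" -ne 1 ]; then
    echo "refusing: --cloudformation-execution-policies is required" >&2
    return 2
  fi
  return 0
}

# Drop-in replacement for `cdk bootstrap` in a CI job or cron script.
safe_bootstrap() {
  check_bootstrap_args "$@" || return $?
  cdk bootstrap "$@"
}
```

Call `safe_bootstrap` with the same arguments the job would otherwise pass to `cdk bootstrap`; a non-zero return means the CLI was never run.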

@github-actions github-actions bot removed closing-soon This issue will automatically close in 4 days unless further comments are made. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. labels Nov 10, 2024