Skip to content

EKS overly permissive trust policies

Moderate
mrgrain published GHSA-rx28-r23p-2qc3 Jun 19, 2023

Package

npm @aws-cdk/aws-eks (npm)

Affected versions

>=1.57.0;<1.202.0

Patched versions

1.202.0
npm aws-cdk-lib (npm)
>=2.0.0;<2.80.0
2.80.0

Description

If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading.

Impact

eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy.

The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest, HelmChart, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.

The second, referred to as the default MastersRole, is provisioned only if the mastersRole property isn't provided and has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.

Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole permissions on Resource: "*".

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-* 

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

Patches

The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to #25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
  ... 
  mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
}); 

References

#25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

Severity

Moderate

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE ID

CVE-2023-35165

Weaknesses

Credits