If you are using the eks.Cluster
or eks.FargateCluster
construct we need you to take action. Other users are not affected and can stop reading.
Impact
eks.Cluster
and eks.FargateCluster
constructs create two roles that have an overly permissive trust policy.
The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest
, HelmChart
, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.
The second, referred to as the default MastersRole, is provisioned only if the mastersRole
property isn't provided and has permissions to execute kubectl
commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.
Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole
permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole
permissions on Resource: "*"
.
CreationRole
Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:
MastersRole
Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole
property. The role in question can be located in the IAM console. It will have the following name pattern:
Patches
The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.
The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to #25674 for a detailed discussion of options.
Workarounds
CreationRole
There is no workaround available for CreationRole.
MastersRole
To avoid creating the default MastersRole, use the mastersRole
property to explicitly provide a role. For example:
new eks.Cluster(this, 'Cluster', {
...
mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin')
});
References
#25674
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
If you are using the
eks.Cluster
oreks.FargateCluster
construct we need you to take action. Other users are not affected and can stop reading.Impact
eks.Cluster
andeks.FargateCluster
constructs create two roles that have an overly permissive trust policy.The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g
KubernetesManifest
,HelmChart
, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.The second, referred to as the default MastersRole, is provisioned only if the
mastersRole
property isn't provided and has permissions to executekubectl
commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate
sts:AssumeRole
permissions to assume it. For example, this can happen if another role in your account hassts:AssumeRole
permissions onResource: "*"
.CreationRole
Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:
*-ClusterCreationRole-*
MastersRole
Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the
mastersRole
property. The role in question can be located in the IAM console. It will have the following name pattern:*-MastersRole-*
Patches
The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.
The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to #25674 for a detailed discussion of options.
Workarounds
CreationRole
There is no workaround available for CreationRole.
MastersRole
To avoid creating the default MastersRole, use the
mastersRole
property to explicitly provide a role. For example:References
#25674
If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.