amplify-backend

Check IAM policies for new access

Open sobolk opened this issue 1 year ago • 1 comment

Problem

Currently, we rely on PR reviews and unit tests to manage IAM policies.

This PR introduces a new mechanism that detects and flags elevation of privilege. The new check's intention is to draw reviewers' and maintainers' attention when IAM policies get more permissive. This is to increase the chance that an accidental policy change is caught in the review process.

Issue number, if available:

Changes

This check adds a new e2e test type.

The algorithm is:

  1. Find the baseline version of the repository
    1. Which is the base branch for pull request events
    2. The previous commit for push events
  2. Check out, build and stash the baseline version of the repo somewhere in the filesystem
  3. Vend packages from the baseline version
  4. Execute the create amplify and deploy flow with the baseline version
  5. Read all policies from the deployed stacks
  6. Vend packages from the current version
  7. Reinstall dependencies for the sample app created in the previous steps
  8. Redeploy the app
  9. Read all policies from the deployed stacks
  10. Match and compare policies
  11. Report any access elevation and, if present, fail the check.

Corresponding docs PR, if applicable:

Validation

Checklist

  • [ ] If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
  • [ ] If this PR requires a change to the Project Architecture README, I have included that update in this PR.
  • [ ] If this PR requires a docs update, I have linked to that docs PR above.
  • [ ] If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

sobolk, Apr 30 '24 18:04
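Steps 10 and 11 of the algorithm above (match policies read from the baseline and current deployments, report anything the baseline did not already allow), as an added example that is not the project's own code. It assumes the policies have been read into plain IAM policy document objects; the account id, bucket and table names in the sample are constructed placeholders.

```typescript
// Added example, not amplify-backend code: compare IAM policy documents read from a
// baseline deployment and a current deployment, and report grants the baseline lacked.
type Statement = { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[] };
type PolicyDocument = { Version: string; Statement: Statement[] };
const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Turn an IAM-style pattern ("s3:Get*", "arn:aws:s3:::bucket/*") into an anchored RegExp.
function globToRegExp(glob: string): RegExp {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`, 'i');
}

// Flatten Allow statements into (action, resource) grants. Deny statements are skipped here,
// so a removed Deny is not detected by this simplified check.
function allowGrants(doc: PolicyDocument): Array<[string, string]> {
  const grants: Array<[string, string]> = [];
  for (const s of doc.Statement) {
    if (s.Effect !== 'Allow') continue;
    for (const a of asList(s.Action)) for (const r of asList(s.Resource)) grants.push([a, r]);
  }
  return grants;
}

// A baseline grant covers a current grant when its action and resource patterns both match the
// current values, so widening "s3:GetObject" to "s3:Get*" is NOT covered and gets flagged.
function covers(base: [string, string], cur: [string, string]): boolean {
  return globToRegExp(base[0]).test(cur[0]) && globToRegExp(base[1]).test(cur[1]);
}

// Every current grant that no baseline grant covers is an access elevation; empty result = pass.
function findAccessElevation(baseline: PolicyDocument, current: PolicyDocument): string[] {
  const baseGrants = allowGrants(baseline);
  return allowGrants(current)
    .filter((cur) => !baseGrants.some((base) => covers(base, cur)))
    .map(([action, resource]) => `${action} on ${resource}`);
}

// Constructed sample input (placeholder account id and names): the current version widens the
// S3 grant and adds a DynamoDB grant, while the CloudWatch Logs grant is unchanged.
const baselinePolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 's3:GetObject', Resource: 'arn:aws:s3:::app-bucket/*' },
    { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
  ],
};
const currentPolicy: PolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Effect: 'Allow', Action: 's3:Get*', Resource: 'arn:aws:s3:::app-bucket/*' },
    { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource: '*' },
    { Effect: 'Allow', Action: 'dynamodb:PutItem', Resource: 'arn:aws:dynamodb:us-east-1:123456789012:table/Todo' },
  ],
};
console.log(findAccessElevation(baselinePolicy, currentPolicy));
```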

🦋 Changeset detected

Latest commit: 2caca9cba6a98c550b5ad8a46f1f72caeeb9761a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 0 packages

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


changeset-bot[bot], Apr 30 '24 18:04