
CDK in Secure Environments

Open rix0rrr opened this issue 4 years ago • 3 comments

PR Champion
@rix0rrr

Description

CDK should support an effective workflow for environments where engineers are not allowed to create IAM permissions.

Progress

  • [x] Tracking Issue Created
  • [ ] RFC PR Created
  • [ ] Core Team Member Assigned
  • [ ] Initial Approval / Final Comment Period
  • [ ] Ready For Implementation
    • [ ] implementation issue 1
  • [ ] Resolved

rix0rrr avatar Jan 21 '20 17:01 rix0rrr

tracking

pgollucci avatar Dec 27 '20 23:12 pgollucci

I am not sure if this is the correct location to leave this feedback, but this is very much our team's top priority to resolve before we can start using cdk meaningfully. We have IAM roles set up by our cloud IT team and then we are supposed to use them instead of the way cdk generates roles with least privileges. This is fine and we can hard code that role into every construct even if it's annoying, but the problem is all the derivative resources that are generated, like helper lambda functions or any other resource that is created that requires a role. Those we don't even have a chance to set the custom role on. We are left trying to monkeypatch the construct tree by matching parameter types and names, and with some of the objects being created having nested constructs this gets messy and kind of like whack-a-mole.

My dream implementation would be to have the ability to define a default IAM role in the context json which would be used in lieu of the autogenerated least-permissions role. At the very least, some kind of hook to more elegantly intercept and replace derivative IAM roles which are generated.

Any timeline for some kind of solution here?

britzp avatar Feb 04 '22 19:02 britzp

@britzp I can only say that we are thinking of this use case very hard, so expect a lot of activity in this area soon 🙂.

While I have you, I have a bunch of follow-up questions about this 🙂.

How does this work, exactly? What do the Role(s) created by your Cloud Team look like? How do they know what permissions they need? How do they know what the names of the resources in your application are? Does the Role have just a bunch of "*" permissions? What Roles would you like to pass to the generated helper resources, like the Functions you mentioned, that get created by the CDK? Does the Cloud Team somehow know these exist, and take them into consideration when creating the Roles for you to use?

I'd love to hear from you on the details of how that looks in practice 🙂.

Thanks, Adam

skinny85 avatar Feb 05 '22 00:02 skinny85
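As an added example (not part of this thread and not CDK project code): the derivative roles britzp describes, and the "*" permissions skinny85 asks about, can be inventoried at synth time from the template CDK emits, so every role the stack would create is listed with the construct path that produced it. The template below is constructed by hand; `HelperFn` stands in for a helper function CDK generated that the author never declared.

```typescript
// Added example (not from this thread or the CDK project): a synth-time gate over a
// CDK-synthesized CloudFormation template (cdk.out/<stack>.template.json). It lists every
// IAM role the template would create, with the construct path CDK records in the
// aws:cdk:path metadata, and flags actions ending in "*".
interface Finding { logicalId: string; cdkPath: string; wildcardActions: string[] }
interface CfnTemplate {
  Resources?: Record<string, { Type: string; Properties?: any; Metadata?: Record<string, string> }>;
}

// Collect "service:*"-style actions from the inline Policies of one role.
function wildcardActions(policies: any[] | undefined): string[] {
  const hits: string[] = [];
  for (const p of policies ?? []) {
    const stmts = p?.PolicyDocument?.Statement ?? [];
    for (const s of Array.isArray(stmts) ? stmts : [stmts]) {
      const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
      for (const a of actions) if (typeof a === 'string' && a.endsWith('*')) hits.push(a);
    }
  }
  return hits;
}

// Every AWS::IAM::Role in the template, in template order; an empty array means the
// stack relies only on pre-created roles (referenced by ARN, not created here).
function findGeneratedRoles(templateJson: string): Finding[] {
  const tpl: CfnTemplate = JSON.parse(templateJson);
  const findings: Finding[] = [];
  for (const [logicalId, res] of Object.entries(tpl.Resources ?? {})) {
    if (res.Type !== 'AWS::IAM::Role') continue;
    findings.push({
      logicalId,
      cdkPath: res.Metadata?.['aws:cdk:path'] ?? '(no aws:cdk:path metadata)',
      wildcardActions: wildcardActions(res.Properties?.Policies),
    });
  }
  return findings;
}

// Constructed sample template: the role the author wrote for MyFn, plus a role CDK
// generated for a helper function (HelperFn) the author never declared.
const SAMPLE_TEMPLATE = JSON.stringify({
  Resources: {
    MyFnServiceRole: { Type: 'AWS::IAM::Role', Metadata: { 'aws:cdk:path': 'MyStack/MyFn/ServiceRole/Resource' },
      Properties: { Policies: [{ PolicyDocument: { Statement: [{ Effect: 'Allow', Action: 's3:GetObject', Resource: '*' }] } }] } },
    HelperFnServiceRole: { Type: 'AWS::IAM::Role', Metadata: { 'aws:cdk:path': 'MyStack/HelperFn/ServiceRole/Resource' },
      Properties: { Policies: [{ PolicyDocument: { Statement: { Effect: 'Allow', Action: ['s3:*'], Resource: '*' } } }] } },
    Bucket: { Type: 'AWS::S3::Bucket' },
  },
});
```

Run it against each template in `cdk.out` in CI and fail the build when `findGeneratedRoles` returns anything, or when any finding carries wildcard actions, depending on what the cloud team permits.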

It seems the work has been implemented and documentation published at https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide

markusl avatar Feb 09 '23 09:02 markusl