dataall icon indicating copy to clipboard operation
dataall copied to clipboard

Published 20 hours ago verified publisher icon data-dot-all

Implement least privilege principle for cloudfront, lambda and db migration stacks

Open mourya-33 opened this issue 10 months ago • 6 comments

…front permissions

Feature or Bugfix

  • Bugfix

Relates

- <URL or Ticket>

Security

Please answer the questions below briefly where applicable, or write N/A. Based on OWASP 10.

  • Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)? N/A
    • Is the input sanitized? N/A
    • What precautions are you taking before deserializing the data you consume? N/A
    • Is injection prevented by parametrizing queries? N/A
    • Have you ensured no eval or similar functions are used? N/A
  • Does this PR introduce any functionality or component that requires authorization? N/A
    • How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
    • Are you logging failed auth attempts? N/A
  • Are you using or adding any cryptographic features? N/A
    • Do you use a standard proven implementations? yes
    • Are the used keys controlled by the customer? Where are they stored? N/A
  • Are you introducing any new policies/roles/users? N/A
    • Have you used the least-privilege principle? How? Yes, by removing the * for cloudfront permissions and explicitly specifying the distribution id arn.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

mourya-33 avatar Mar 30 '24 07:03 mourya-33

Leaving in draft state until additional permission restrictions added to lambda roles and dbmigration role

noah-paige avatar Apr 01 '24 16:04 noah-paige

Hi @mourya-33 Can you merge main into your branch? That way we can see your changes better

dlpzx avatar Apr 08 '24 15:04 dlpzx

Sure @dlpzx

mourya-33 avatar Apr 08 '24 15:04 mourya-33

@dlpzx @noah-paige I merged changes from main and reopened the PR

mourya-33 avatar Apr 08 '24 16:04 mourya-33

Hi @mourya-33 I am reviewing the code. Di you test the PR? If so, what tests did you do?

dlpzx avatar Apr 10 '24 15:04 dlpzx

Yes @dlpzx i am running a few more tests and will update the list of tests performed here by tomorrow.

mourya-33 avatar Apr 10 '24 18:04 mourya-33

Hi @mourya-33 - left one minor comment and can you run ruff format and commit the changes ( I see the ruff workflow is failing)

I will do a quick test in the meantime

noah-paige avatar Apr 12 '24 20:04 noah-paige

@noah-paige @dlpzx Here are the tests and validations performed for this PR.

  1. Deploy to AWS
  2. Link/Unlink Environment
  3. Create/Delete Notebooks
  4. Create/Delete ML Studio
  5. Create/Delete Pipelines
  6. Add/Import/Delete Datasets

Verified the loggroups for graphql, esproxy and awsworker as well which are now manually created from the lambda-api stacks.

mourya-33 avatar Apr 12 '24 21:04 mourya-33

Updated the files for ruff format check as well

mourya-33 avatar Apr 12 '24 21:04 mourya-33

Tested:

  • [x] CICD Pipeline Completes
  • [x] CodePipeline CB Policy Updated
  • [x] Cross Account Cloudfront Role Updated
  • [x] DB Migration Role Updated
  • [x] Lambda Roles Updated
  • [x] Lambda Functions Work and Still write to same CW Logs (GraphQL, AWSWorker, ESProxy)

noah-paige avatar Apr 15 '24 01:04 noah-paige