aws4-axios icon indicating copy to clipboard operation
aws4-axios copied to clipboard

Published 20 hours ago verified publisher icon jamesmbourne

chore(deps): update dependency aws-cdk-lib to v2.80.0 [security]

Open renovate[bot] opened this issue 6 months ago • 0 comments

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
aws-cdk-lib (source) 2.151.0 -> 2.80.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-35165

If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading.

Impact

The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters. eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy.

The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest, HelmChart, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.

The second, referred to as the default MastersRole, is provisioned only if the mastersRole property isn't provided and has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.

Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole permissions on Resource: "*".

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-*

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

Patches

The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
  ... 
  mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
});

References

https://github.com/aws/aws-cdk/issues/25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to [email protected]. Please do not create a public GitHub issue.

Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.80.0

Compare Source

⚠ BREAKING CHANGES
  • eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.
Features
Bug Fixes

Alpha modules (2.80.0-alpha.0)

v2.79.1

Compare Source

Bug Fixes
  • bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25272) (4c4014e)

Alpha modules (2.79.1-alpha.0)

v2.79.0

Compare Source

Features
Bug Fixes

Alpha modules (2.79.0-alpha.0)

Bug Fixes
  • servicecatalogappregistry: Revert deprecated method to keep deprecated method in alpha version (b20b123)
  • batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25250) (b3d0d57)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Aug 06 '24 06:08 renovate[bot]