Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

RFC: missing security-impacting changes from cdk diff "scrutiny report" #1299

Closed
rix0rrr opened this issue Dec 6, 2018 · 19 comments
Closed
Labels
feature-request A feature should be added or improved. package/tools Related to AWS CDK Tools or CLI

Comments

@rix0rrr
Copy link
Contributor

rix0rrr commented Dec 6, 2018

How's our driving?

Summary

CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:

This deployment will make potentially sensitive changes.
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────┬────────┬───────────────────────┬──────────────────────────────┬─────────────────────────────────┐
│   │ Resource                │ Effect │ Action                │ Principal                    │ Condition                       │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo}                 │ Allow  │ lambda:InvokeFunction │ Service:sns.amazonaws.com    │ "ArnLike": {                    │
│   │                         │        │                       │                              │   "AWS:SourceArn": "${MyTopic}" │
│   │                         │        │                       │                              │ }                               │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ Allow  │ sts:AssumeRole        │ Service:lambda.amazonaws.com │                                 │
└───┴─────────────────────────┴────────┴───────────────────────┴──────────────────────────────┴─────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                                             │
├───┼─────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘

Do you wish to deploy these changes (y/n)? 

Request for comments

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?

@rix0rrr
Copy link
Contributor Author

rix0rrr commented Dec 6, 2018

Here's a known list of resources that are not currently included in the diff:

  • AWS::IAM::User
  • Network ACLs

@rix0rrr rix0rrr reopened this Dec 10, 2018
@eladb eladb changed the title RFC: diff/prompt of security-impacting changes RFC: missing security-impacting changes from cdk diff "scrutiny report" Dec 17, 2018
@eladb eladb added enhancement package/tools Related to AWS CDK Tools or CLI @aws-cdk/aws-iam Related to AWS Identity and Access Management and removed @aws-cdk/aws-iam Related to AWS Identity and Access Management labels Dec 17, 2018
@srchase srchase added feature-request A feature should be added or improved. and removed enhancement labels Jan 3, 2019
@insanitybit
Copy link

I like this in principal, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great.

A flag like --accept-scrutiny-report would be really helpful for me.

@davidbarsky
Copy link

@insanitybit cdk deploy --require-approval=never might resolve your issue.

@insanitybit
Copy link

That looks like it'd be exactly what I want, thanks.

@skinny85
Copy link
Contributor

Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not.

@emanserav
Copy link

emanserav commented Oct 29, 2019

"CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:"

My concern is more general than security related ( I am thinking to ask here 1st, maybe I am missing something ):
I've just noticed that cdk diff is not displaying the ChangeSet in the AWS CF Console.
Why ? Any reason for that ?
( seeing the ChangeSet in AWS CF Console history is too late with cdk deploy)

I like seeing the changes in console using cdk diff but they should be identical to what I should be visualising in AWS CF ChangeSet before applying them. Are they identical ?

oups - just noticed this has been closed ...

@shivlaks
Copy link
Contributor

shivlaks commented May 4, 2020

Still relevant.

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?

Although the issue is closed, the conversation is not locked.

@gmiretti
Copy link

Using CfnInclude with template
https://s3.amazonaws.com/aws-transfer-resources/custom-idp-templates/aws-transfer-custom-idp-secrets-manager-apig.template.yml
cdk diff doesn't report any policy created with a role, is that expected?

@skinny85
Copy link
Contributor

It is not @gmiretti .... would you mind opening us a separate issue about this?

@gmiretti
Copy link

Bug reported as #8683

@skinny85
Copy link
Contributor

Bug reported as #8683

Thanks!

@jorgemaroto-eb
Copy link

Is this still an issue? I'm always seeing the warning, but not sure if it's kept updated.
I'm using:
├── [email protected]
├── [email protected]

@selsAT
Copy link

selsAT commented Feb 15, 2023

yeah please remove the warning if its not relevant, PLEASE

@nerdile
Copy link

nerdile commented Jun 30, 2023

CDK Deploy gives a warning that implies there are known issues preventing IAM policy diffs from showing up in the confirmation prompt, and directs users to read this issue for more information.

However, this issue reads like you know there is an issue, but you don't know what it is. There is no information on this page.

Why is it necessary for developers to consult this page on every deployment? It seems unnecessary. Should I assume that all similar warnings from the CDK are equally irrelevant? Please consider what action you are requesting from developers when they deploy, and then reword the known issue warning to make it clear, or remove it if there is no action required from developers.

akash1810 added a commit to guardian/service-catalogue that referenced this issue Jan 25, 2024
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack.

This change allows us to run:

```bash
npm -w cdk run diff:code
```

to yield something like this:

```console
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
Creating a change set, this may take a while...
IAM Policy Changes
┌───┬─────────────────────────────────────┬────────────────────────────────────────┐
│   │ Resource                            │ Managed Policy ARN                     │
├───┼─────────────────────────────────────┼────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │
└───┴─────────────────────────────────────┴────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Resources
[~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379
 └─ [-] ManagedPolicyArns
     └─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
[~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace
 └─ [~] ContainerDefinitions (requires replacement)
     └─ @@ -11,7 +11,7 @@
        [ ]   "App": "service-catalogue"
        [ ] },
        [ ] "Essential": true,
        [-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2",
        [+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1",
        [ ] "LogConfiguration": {
        [ ]   "LogDriver": "awsfirelens",
        [ ]   "Options": {

✨  Number of stacks with differences: 1
```
akash1810 added a commit to guardian/service-catalogue that referenced this issue Jan 25, 2024
It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack.

This change allows us to run:

```bash
npm -w cdk run diff:code
```

to yield something like this:

```console
Stack ServiceCatalogue-CODE (deploy-CODE-service-catalogue)
Creating a change set, this may take a while...
IAM Policy Changes
┌───┬─────────────────────────────────────┬────────────────────────────────────────┐
│   │ Resource                            │ Managed Policy ARN                     │
├───┼─────────────────────────────────────┼────────────────────────────────────────┤
│ - │ ${steampipeTaskDefinition/TaskRole} │ arn:aws:iam::aws:policy/ReadOnlyAccess │
└───┴─────────────────────────────────────┴────────────────────────────────────────┘
(NOTE: There may be security-related changes not in this list. See aws/aws-cdk#1299)

Resources
[~] AWS::IAM::Role steampipeTaskDefinition/TaskRole steampipeTaskDefinitionTaskRole8DC44379
 └─ [-] ManagedPolicyArns
     └─ ["arn:aws:iam::aws:policy/ReadOnlyAccess"]
[~] AWS::ECS::TaskDefinition steampipeTaskDefinition steampipeTaskDefinition767BA166 replace
 └─ [~] ContainerDefinitions (requires replacement)
     └─ @@ -11,7 +11,7 @@
        [ ]   "App": "service-catalogue"
        [ ] },
        [ ] "Essential": true,
        [-] "Image": "ghcr.io/guardian/service-catalogue/steampipe:2",
        [+] "Image": "ghcr.io/guardian/service-catalogue/steampipe:1",
        [ ] "LogConfiguration": {
        [ ]   "LogDriver": "awsfirelens",
        [ ]   "Options": {

✨  Number of stacks with differences: 1
```
@nilroy
Copy link

nilroy commented Mar 16, 2024

Is this still relevant? I am seeing this issue linked in cdk deploy prompt and I am using 2.129.0. Could you please remove this warning message if its not relevant anymore. It creating confusion

mawallace added a commit to mawallace/aws-cdk that referenced this issue Mar 29, 2024
This was referenced Apr 1, 2024
@jonasfschuh
Copy link

I'm using CDK version 2.158.0 and for me this message still appears.

@nilroy
Copy link

nilroy commented Nov 24, 2024

Guys I am now at 2.170.0 and the message still appear. Could you please remove the message? Is there some reason why its still there? Also if there is some other way we can disable the message from our end that should also serve the purpose

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request A feature should be added or improved. package/tools Related to AWS CDK Tools or CLI
Projects
None yet
Development

No branches or pull requests