IAM safety in the CDK #286
Labels
@aws-cdk/aws-iam
Related to AWS Identity and Access Management
Comments
debora-ito
added
the
@aws-cdk/aws-iam
|
Solved by #978 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently the toolkit always passes
IAMandIAM_NAMEDcapabilities when creating/updating stacks. This is not a secure default as it technically allows anyone deploying stacks to create IAM roles and modify IAM policies.Idea (by @RomainMuller): associate this to the environment? Also, we should be able to identify what type of IAM capability is needed for a deploying a specific stack and indicate to users what they should do.
Idea (by @rix0rrr): add an interactive mode where "cdk deploy" asks you if you want to proceed when making IAM-related modifications, and provide details on what changes.
Another thing to consider when designing this solution is allowing a separation between stacks that include security-related resources (and can only deployed by certain people in the org) and app stacks.
We should also find a way to regress test explicitly IAM policy widening
@attias suggested: interactive mode in the toolkit which identifies "access denied" errors while deploying and allows the user to add permissions to the user that performs the deployment (given there's another profile for an admin that the toolkit can use)
The text was updated successfully, but these errors were encountered: