From 7647d981457f0d0ebac15fd943f74c35efb359c0 Mon Sep 17 00:00:00 2001
From: sdamle
Date: Sun, 10 May 2020 10:52:54 -0700
Subject: [PATCH 1/8] Validate the policy statements
---
 .../@aws-cdk/aws-iam/lib/policy-statement.ts | 46 +++++++++++++++++--
 .../aws-iam/test/managed-policy.test.ts | 2 +
 .../aws-iam/test/policy-document.test.ts | 25 ++++++----
 .../@aws-cdk/aws-iam/test/principals.test.ts | 7 ++-
 4 files changed, 67 insertions(+), 13 deletions(-)
diff --git a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
index 24d99386a2391..df34dcdbd5ea9 100644
--- a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
@@ -33,8 +33,8 @@ export class PolicyStatement {
 resources: ensureArrayOrUndefined(obj.Resource),
 conditions: obj.Condition,
 effect: obj.Effect,
- notActions: ensureArrayOrUndefined(obj.NotAction),
- notResources: ensureArrayOrUndefined(obj.NotResource),
+ notActions: ensureArrayOrUndefined(obj.NotAction) ?? [],
+ notResources: ensureArrayOrUndefined(obj.NotResource) ?? [],
 principals: obj.Principal ? [ new JsonPrincipal(obj.Principal) ] : undefined,
 notPrincipals: obj.NotPrincipal ? [ new JsonPrincipal(obj.NotPrincipal) ] : undefined,
 });
@@ -58,7 +58,7 @@ export class PolicyStatement {
 private readonly condition: { [key: string]: any } = { };
 private principalConditionsJson?: string;
- constructor(props: PolicyStatementProps = {}) {
+ constructor(props: PolicyStatementProps = {actions: [], resources: []}) {
 // Validate actions
 for (const action of [...props.actions || [], ...props.notActions || []]) {
 if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
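Review bot: The new constructor default `{actions: [], resources: []}` satisfies the widened `PolicyStatementProps` type but makes `new PolicyStatement()` build a statement with neither an Action nor a Resource block, so the requirement this commit introduces is only enforced on callers that pass a literal, and anything assembled through the `add*()` methods afterwards is unchecked. If the no-arg form is meant to stay supported, document that on the default, e.g. `// no-arg form: the action/resource requirement is not enforced for statements filled in via add*()`. The `?? []` in the first hunk coerces an absent NotAction/NotResource to an empty array for the same type reason, which makes `props.notActions` truthy for every `fromJson` statement; whether the code that consumes it later in the constructor treats an empty array as "present" is outside this hunk and worth checking against the existing 'Cannot add NotActions' guard.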
@@ -462,7 +462,7 @@ export type Conditions = Record;
 /**
 * Interface for creating a policy statement
 */
-export interface PolicyStatementProps {
+export interface PolicyStatementBase {
 /**
 * The Sid (statement ID) is an optional identifier that you provide for the
 * policy statement. You can assign a Sid value to each statement in a
@@ -531,6 +531,44 @@ export interface PolicyStatementProps {
 readonly effect?: Effect;
 }
+interface PolicyStatementActions extends PolicyStatementBase {
+ /**
+ * List of actions to add to the statement
+ *
+ * @default - no actions
+ */
+ readonly actions: string[];
+}
+
+interface PolicyStatementNotActions extends PolicyStatementBase {
+ /**
+ * List of not actions to add to the statement
+ *
+ * @default - no not-actions
+ */
+ readonly notActions: string[];
+}
+
+interface PolicyStatementResources extends PolicyStatementBase {
+ /**
+ * Resource ARNs to add to the statement
+ *
+ * @default - no resources
+ */
+ readonly resources: string[];
+}
+
+interface PolicyStatementNotResources extends PolicyStatementBase {
+ /**
+ * NotResource ARNs to add to the statement
+ *
+ * @default - no not-resources
+ */
+ readonly notResources: string[];
+}
+
+export type PolicyStatementProps = (PolicyStatementActions | PolicyStatementNotActions) & (PolicyStatementResources | PolicyStatementNotResources);
+
 function noUndef(x: any): any {
 const ret: any = {};
 for (const [key, value] of Object.entries(x)) {
diff --git a/packages/@aws-cdk/aws-iam/test/managed-policy.test.ts b/packages/@aws-cdk/aws-iam/test/managed-policy.test.ts
index 1e1891eaa58af..ca98fe2b344e2 100644
--- a/packages/@aws-cdk/aws-iam/test/managed-policy.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/managed-policy.test.ts
@@ -536,6 +536,7 @@ describe('managed policy', () => {
 const mp = new ManagedPolicy(stack, 'Policy');
 mp.addStatements(new PolicyStatement({
 actions: ['a:abc'],
+ resources: ['*'],
 }));
 expect(stack.resolve(mp.managedPolicyName)).toEqual({
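Review bot: `@default - no actions` (and the three sibling `@default` tags) now sit on members declared as required, `readonly actions: string[]`, so the generated docs would describe a default that cannot apply; drop the tags or keep the members optional. The intersection `(PolicyStatementActions | PolicyStatementNotActions) & (PolicyStatementResources | PolicyStatementNotResources)` also does not reject a literal that supplies both `actions` and `notActions`, because each key belongs to some union member and excess-property checking does not fire, so the existing runtime 'Cannot add NotActions' check still has to stay. If this package is compiled through jsii, union and intersection props types are generally not representable in the other language bindings, which would be the stronger reason to validate at runtime instead; worth confirming against the build before relying on the type alone.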
@@ -553,6 +554,7 @@ describe('managed policy', () => {
 });
 mp.addStatements(new PolicyStatement({
 actions: ['a:abc'],
+ resources: ['*'],
 }));
 const stack2 = new cdk.Stack(app, 'Stack2', { env: { account: '5678', region: 'us-east-1' }});
diff --git a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
index 2ea6c9848be0b..7dbbdf0583e73 100644
--- a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
@@ -75,6 +75,7 @@ describe('IAM policy document', () => {
 new PolicyStatement({
 actions: ['abc:def'],
 notActions: ['abc:def'],
+ resources: ['*'],
 });
 }).toThrow(/Cannot add 'NotActions' to policy statement if 'Actions' have been added/);
 });
@@ -83,6 +84,7 @@ describe('IAM policy document', () => {
 expect(() => {
 new PolicyStatement({
 actions: ['service:action', '*', 'service:acti*', 'in:val:id'],
+ resources: ['*'],
 });
 }).toThrow(/Action 'in:val:id' is invalid/);
 });
@@ -90,7 +92,9 @@ describe('IAM policy document', () => {
 test('Throws with invalid not actions', () => {
 expect(() => {
 new PolicyStatement({
+ actions: ['abc:def'],
 notActions: ['service:action', '*', 'service:acti*', 'in:val:id'],
+ resources: ['*'],
 });
 }).toThrow(/Action 'in:val:id' is invalid/);
 });
@@ -98,8 +102,9 @@ describe('IAM policy document', () => {
 test('Cannot combine Resources and NotResources', () => {
 expect(() => {
 new PolicyStatement({
+ actions: ['abc:def'],
 resources: ['abc'],
- notResources: ['def'],
+ notResources: ['abcd'],
 });
 }).toThrow(/Cannot add 'NotResources' to policy statement if 'Resources' have been added/);
 });
@@ -107,6 +112,8 @@ describe('IAM policy document', () => {
 test('Cannot add NotPrincipals when Principals exist', () => {
 const stmt = new PolicyStatement({
 principals: [new CanonicalUserPrincipal('abc')],
+ actions: ['abc:def'],
+ resources: ['*'],
 });
 expect(() => {
 stmt.addNotPrincipals(new CanonicalUserPrincipal('def'));
@@ -116,6 +123,8 @@ describe('IAM policy document', () => {
 test('Cannot add Principals when NotPrincipals exist', () => {
 const stmt = new PolicyStatement({
 notPrincipals: [new CanonicalUserPrincipal('abc')],
+ actions: ['abc:def'],
+ resources: ['*'],
 });
 expect(() => {
 stmt.addPrincipals(new CanonicalUserPrincipal('def'));
@@ -215,7 +224,7 @@ describe('IAM policy document', () => {
 });
 test('true if there is one resource', () => {
- expect(new PolicyStatement({ resources: ['one-resource'] }).hasResource).toEqual(true);
+ expect(new PolicyStatement({ resources: ['one-resource'], actions: ['abc:def'] }).hasResource).toEqual(true);
 });
 test('true for multiple resources', () => {
@@ -247,9 +256,9 @@ describe('IAM policy document', () => {
 test('statementCount returns the number of statement in the policy document', () => {
 const p = new PolicyDocument();
 expect(p.statementCount).toEqual(0);
- p.addStatements(new PolicyStatement({ actions: ['service:action1'] }));
+ p.addStatements(new PolicyStatement({ actions: ['service:action1'], resources: ['*'] }));
 expect(p.statementCount).toEqual(1);
- p.addStatements(new PolicyStatement({ actions: ['service:action2'] }));
+ p.addStatements(new PolicyStatement({ actions: ['service:action2'], resources: ['*'] }));
 expect(p.statementCount).toEqual(2);
 });
@@ -258,11 +267,11 @@ describe('IAM policy document', () => {
 const stack = new Stack();
 const p = new PolicyDocument();
- p.addStatements(new PolicyStatement({ principals: [new Anyone()] }));
+ p.addStatements(new PolicyStatement({ principals: [new Anyone()], actions: ['abc:def'], resources: ['*'] }));
 expect(stack.resolve(p)).toEqual({
 Statement: [
- { Effect: 'Allow', Principal: '*' },
+ { Action: 'abc:def', Effect: 'Allow', Principal: '*', Resource: '*' },
 ],
 Version: '2012-10-17',
 });
@@ -272,11 +281,11 @@ describe('IAM policy document', () => {
 const stack = new Stack();
 const p = new PolicyDocument();
- p.addStatements(new PolicyStatement({ principals: [new AnyPrincipal()] }));
+ p.addStatements(new PolicyStatement({ principals: [new AnyPrincipal()], actions: ['abc:def'], resources: ['*']}));
 expect(stack.resolve(p)).toEqual({
 Statement: [
- { Effect: 'Allow', Principal: '*' },
+ { Action: 'abc:def', Effect: 'Allow', Principal: '*', Resource: '*' },
 ],
 Version: '2012-10-17',
 });
diff --git a/packages/@aws-cdk/aws-iam/test/principals.test.ts b/packages/@aws-cdk/aws-iam/test/principals.test.ts
index b1d7bc0d169f1..186c6c5b2985d 100644
--- a/packages/@aws-cdk/aws-iam/test/principals.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/principals.test.ts
@@ -72,6 +72,8 @@ test('cannot have multiple principals with different conditions in the same stat
 },
 }),
 ],
+ actions: ['abc:def'],
+ resources: ['*'],
 }));
 }).toThrow(/All principals in a PolicyStatement must have the same Conditions/);
 });
@@ -85,6 +87,8 @@ test('can have multiple principals the same conditions in the same statement', (
 new iam.ServicePrincipal('myService.amazon.com'),
 new iam.ServicePrincipal('yourservice.amazon.com'),
 ],
+ actions: ['abc:def'],
+ resources: ['*'],
 }));
 user.addToPolicy(new iam.PolicyStatement({
@@ -100,9 +104,10 @@ test('can have multiple principals the same conditions in the same statement', (
 },
 }),
 ],
+ actions: ['abc:def'],
+ resources: ['*'],
 }));
 });
-
 test('use Web Identity principal', () => {
 // GIVEN
 const stack = new Stack();
From ae838a18745566a1855aec3507246895319d4ee4 Mon Sep 17 00:00:00 2001
From: sdamle
Date: Sun, 10 May 2020 11:19:14 -0700
Subject: [PATCH 2/8] Fix PR linter error
---
 packages/@aws-cdk/aws-iam/README.md | 12 ++++++++++++
 .../@aws-cdk/aws-iam/test/policy-document.test.ts | 3 +--
 2 files changed, 13 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-iam/README.md b/packages/@aws-cdk/aws-iam/README.md
index 1145fbe14f0f5..82d4146866fab 100644
--- a/packages/@aws-cdk/aws-iam/README.md
+++ b/packages/@aws-cdk/aws-iam/README.md
@@ -249,6 +249,18 @@ const newPolicyDocument = PolicyDocument.fromJson(policyDocument);
 ```
+### Policy Statement
+
+As Per the doc of [IAM policy grammar](https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf), the action and resource blocks are mandatory. Hence, the new policy stament using `PolicyStatementProps` can be created as:
+
+```ts
+const policy = new Policy(stack, 'HelloPolicy', { policyName: 'Default' });
+policy.addStatements(new PolicyStatement({
+ resources: ['*'],
+ actions: ['sqs:SendMessage']
+}));
+```
+
 ### OpenID Connect Providers
 OIDC identity providers are entities in IAM that describe an external identity
diff --git a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
index 7dbbdf0583e73..a2dd89caa9415 100644
--- a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
@@ -92,7 +92,6 @@ describe('IAM policy document', () => {
 test('Throws with invalid not actions', () => {
 expect(() => {
 new PolicyStatement({
- actions: ['abc:def'],
 notActions: ['service:action', '*', 'service:acti*', 'in:val:id'],
 resources: ['*'],
 });
@@ -104,7 +103,7 @@ describe('IAM policy document', () => {
 new PolicyStatement({
 actions: ['abc:def'],
 resources: ['abc'],
- notResources: ['abcd'],
+ notResources: ['abc'],
 });
 }).toThrow(/Cannot add 'NotResources' to policy statement if 'Resources' have been added/);
 });
From e4470b2b53fe4b2222a96f1d6493e2450d850ed0 Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Mon, 18 May 2020 18:46:13 -0700
Subject: [PATCH 3/8] Add runtime check to validate PolicyStatementProps
---
 packages/@aws-cdk/aws-iam/README.md | 2 +-
 .../@aws-cdk/aws-iam/lib/policy-statement.ts | 68 +++++++------------
 .../aws-iam/test/policy-document.test.ts | 32 ++++++++-
 3 files changed, 58 insertions(+), 44 deletions(-)
diff --git a/packages/@aws-cdk/aws-iam/README.md b/packages/@aws-cdk/aws-iam/README.md
index 82d4146866fab..43f6c1ed40ee7 100644
--- a/packages/@aws-cdk/aws-iam/README.md
+++ b/packages/@aws-cdk/aws-iam/README.md
@@ -251,7 +251,7 @@ const newPolicyDocument = PolicyDocument.fromJson(policyDocument);
 ### Policy Statement
-As Per the doc of [IAM policy grammar](https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf), the action and resource blocks are mandatory. Hence, the new policy stament using `PolicyStatementProps` can be created as:
+As per the doc of [IAM policy grammar](https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf), the action and resource blocks are mandatory. Hence, the new policy stament using `PolicyStatementProps` can be created as:
 ```ts
 const policy = new Policy(stack, 'HelloPolicy', { policyName: 'Default' });
diff --git a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
index df34dcdbd5ea9..d9a5a249dd9a3 100644
--- a/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
+++ b/packages/@aws-cdk/aws-iam/lib/policy-statement.ts
@@ -33,8 +33,8 @@ export class PolicyStatement {
 resources: ensureArrayOrUndefined(obj.Resource),
 conditions: obj.Condition,
 effect: obj.Effect,
- notActions: ensureArrayOrUndefined(obj.NotAction) ?? [],
- notResources: ensureArrayOrUndefined(obj.NotResource) ?? [],
+ notActions: ensureArrayOrUndefined(obj.NotAction),
+ notResources: ensureArrayOrUndefined(obj.NotResource),
 principals: obj.Principal ? [ new JsonPrincipal(obj.Principal) ] : undefined,
 notPrincipals: obj.NotPrincipal ? [ new JsonPrincipal(obj.NotPrincipal) ] : undefined,
 });
@@ -58,7 +58,7 @@ export class PolicyStatement {
 private readonly condition: { [key: string]: any } = { };
 private principalConditionsJson?: string;
- constructor(props: PolicyStatementProps = {actions: [], resources: []}) {
+ constructor(props: PolicyStatementProps = {}) {
 // Validate actions
 for (const action of [...props.actions || [], ...props.notActions || []]) {
 if (!/^(\*|[a-zA-Z0-9-]+:[a-zA-Z0-9*]+)$/.test(action)) {
@@ -78,6 +78,7 @@ export class PolicyStatement {
 if (props.conditions !== undefined) {
 this.addConditions(props.conditions);
 }
+ this.validateProps(props);
 }
 //
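Review bot: `this.validateProps(props)` is added as the last statement of the constructor, after `addConditions` and the earlier `add*()` calls have already populated the instance, so the grammar check is only reached once every per-field check has passed; harmless because the exception discards the instance, but it makes the error a caller sees depend on which check happens to run first. Calling it directly after the action-format loop would fail fast and keep the error order predictable; the rest of the constructor body lies outside this hunk. Reverting the default to `{}` also means `new PolicyStatement()` reaches `validateProps` with an empty object, which its gating accepts, so the no-arg form stays exempt from the requirement and that exemption belongs in the constructor's doc comment, e.g. `// An empty props object is accepted; the action/resource requirement is checked only when other props are given.`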
@@ -408,6 +409,27 @@ export class PolicyStatement {
 }
 this.addConditions(conditions);
 }
+
+ /**
+ * Validate PolicyStatementProps
+ *
+ * As per [IAM policy grammar](https://docs.aws.amazon.com/en_us/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf),
+ * the action and resource blocks are mandatory.
+ *
+ * @param props
+ */
+ private validateProps(props: PolicyStatementProps) {
+ if (props.conditions || props.effect || props.notPrincipals || props.notResources || props.principals || props.resources || props.sid) {
+ if (!props.actions && !props.notActions) {
+ throw new Error('Action block is mandatory. Either `actions` or `notActions` prop must be specified');
+ }
+ }
+ if (props.actions || props.conditions || props.effect || props.notActions || props.notPrincipals || props.principals || props.sid) {
+ if (!props.resources && !props.notResources) {
+ throw new Error('Resource block is mandatory. Either `resources` or `notResources` prop must be specified');
+ }
+ }
+ }
 }
 /**
@@ -462,7 +484,7 @@ export type Conditions = Record;
 /**
 * Interface for creating a policy statement
 */
-export interface PolicyStatementBase {
+export interface PolicyStatementProps {
 /**
 * The Sid (statement ID) is an optional identifier that you provide for the
 * policy statement. You can assign a Sid value to each statement in a
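Review bot: Both guards in `validateProps` rely on truthiness, and an empty array is truthy, so `new PolicyStatement({ actions: [], resources: ['*'] })` or `{ actions: ['a:b'], resources: [] }` passes and still renders a statement without the block the check is meant to require; the gating likewise accepts `new PolicyStatement({})`, so statements filled in through the `add*()` methods are never validated, and the new tests in policy-document.test.ts cover only the undefined case. Comparing lengths fixes the first problem (rewrite below, same gating and same messages); the second needs the check to run again when `toStatementJson()` is called or in a document-level validate, which this commit leaves open. The requirement is also too broad as written: a role trust policy must not carry a Resource element, and the web_distribution.ts change in patch 7 shows this check forcing one in. The `@param props` tag is empty; say what is checked, e.g. `@param props the constructor props; throws when other fields are given without an Action block or without a Resource block`.
```ts
  private validateProps(props: PolicyStatementProps) {
    // `[]` is truthy, so an empty list must not count as a supplied block
    const nonEmpty = (xs?: readonly unknown[]) => xs !== undefined && xs.length > 0;
    const hasActions = nonEmpty(props.actions) || nonEmpty(props.notActions);
    const hasResources = nonEmpty(props.resources) || nonEmpty(props.notResources);
    const hasOtherProps = props.sid !== undefined || props.effect !== undefined || props.conditions !== undefined
      || nonEmpty(props.principals) || nonEmpty(props.notPrincipals);
    if (!hasActions && (hasResources || hasOtherProps)) {
      throw new Error('Action block is mandatory. Either `actions` or `notActions` prop must be specified');
    }
    if (!hasResources && (hasActions || hasOtherProps)) {
      throw new Error('Resource block is mandatory. Either `resources` or `notResources` prop must be specified');
    }
  }
```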
@@ -531,44 +553,6 @@ export interface PolicyStatementBase {
 readonly effect?: Effect;
 }
-interface PolicyStatementActions extends PolicyStatementBase {
- /**
- * List of actions to add to the statement
- *
- * @default - no actions
- */
- readonly actions: string[];
-}
-
-interface PolicyStatementNotActions extends PolicyStatementBase {
- /**
- * List of not actions to add to the statement
- *
- * @default - no not-actions
- */
- readonly notActions: string[];
-}
-
-interface PolicyStatementResources extends PolicyStatementBase {
- /**
- * Resource ARNs to add to the statement
- *
- * @default - no resources
- */
- readonly resources: string[];
-}
-
-interface PolicyStatementNotResources extends PolicyStatementBase {
- /**
- * NotResource ARNs to add to the statement
- *
- * @default - no not-resources
- */
- readonly notResources: string[];
-}
-
-export type PolicyStatementProps = (PolicyStatementActions | PolicyStatementNotActions) & (PolicyStatementResources | PolicyStatementNotResources);
-
 function noUndef(x: any): any {
 const ret: any = {};
 for (const [key, value] of Object.entries(x)) {
diff --git a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
index a2dd89caa9415..e86d3b816effd 100644
--- a/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
+++ b/packages/@aws-cdk/aws-iam/test/policy-document.test.ts
@@ -98,12 +98,29 @@ describe('IAM policy document', () => {
 }).toThrow(/Action 'in:val:id' is invalid/);
 });
+ test('Throws with actions and notActions both undefined', () => {
+ expect(() => {
+ new PolicyStatement({
+ principals: [new CanonicalUserPrincipal('abc')],
+ resources: ['*'],
+ });
+ }).toThrow(/Action block is mandatory. Either `actions` or `notActions` prop must be specified/);
+ });
+
+ test('Throws with resources and notResources both undefined', () => {
+ expect(() => {
+ new PolicyStatement({
+ actions: ['abc:def'],
+ });
+ }).toThrow(/Resource block is mandatory. Either `resources` or `notResources` prop must be specified/);
+ });
+
 test('Cannot combine Resources and NotResources', () => {
 expect(() => {
 new PolicyStatement({
 actions: ['abc:def'],
 resources: ['abc'],
- notResources: ['abc'],
+ notResources: ['def'],
 });
 }).toThrow(/Cannot add 'NotResources' to policy statement if 'Resources' have been added/);
 });
@@ -130,6 +147,19 @@ describe('IAM policy document', () => {
 }).toThrow(/Cannot add 'Principals' to policy statement if 'NotPrincipals' have been added/);
 });
+ test('combine NotActions and NotResources', () => {
+ const stack = new Stack();
+ const statement = new PolicyStatement({
+ notActions: ['abc:def'],
+ notResources: ['def'],
+ });
+ expect(stack.resolve(statement.toStatementJson())).toEqual({
+ Effect: 'Allow',
+ NotAction: 'abc:def',
+ NotResource: 'def',
+ });
+ });
+
 test('Permission allows specifying multiple actions upon construction', () => {
 const stack = new Stack();
 const perm = new PolicyStatement();
From 507f4939c528a572a6b2c80d3e4fdb7985d36fc2 Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Mon, 18 May 2020 19:39:04 -0700
Subject: [PATCH 4/8] Fix policy statement in aws-logs for 'add policy to destination' test
---
 packages/@aws-cdk/aws-logs/test/test.destination.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/@aws-cdk/aws-logs/test/test.destination.ts b/packages/@aws-cdk/aws-logs/test/test.destination.ts
index a577acac5d630..36ef0bfe7872e 100644
--- a/packages/@aws-cdk/aws-logs/test/test.destination.ts
+++ b/packages/@aws-cdk/aws-logs/test/test.destination.ts
@@ -45,6 +45,7 @@ export = {
 // WHEN
 dest.addToPolicy(new iam.PolicyStatement({
 actions: ['logs:TalkToMe'],
+ resources: ['*'],
 }));
 // THEN
From 8befbe97d638b2e353de2edd49ddaf1cd6feb073 Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Mon, 18 May 2020 20:19:26 -0700
Subject: [PATCH 5/8] Fix policy statement in aws-sns for unit test
---
 packages/@aws-cdk/aws-sns/test/test.sns.ts | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/packages/@aws-cdk/aws-sns/test/test.sns.ts b/packages/@aws-cdk/aws-sns/test/test.sns.ts
index ad86fa6aaf2c7..3cf35ea0a2bb8 100644
--- a/packages/@aws-cdk/aws-sns/test/test.sns.ts
+++ b/packages/@aws-cdk/aws-sns/test/test.sns.ts
@@ -165,8 +165,8 @@ export = {
 const topic = new sns.Topic(stack, 'MyTopic');
- topic.addToResourcePolicy(new iam.PolicyStatement({ actions: ['service:statement0'] }));
- topic.addToResourcePolicy(new iam.PolicyStatement({ actions: ['service:statement1'] }));
+ topic.addToResourcePolicy(new iam.PolicyStatement({ actions: ['service:statement0'], resources: ['*'] }));
+ topic.addToResourcePolicy(new iam.PolicyStatement({ actions: ['service:statement1'], resources: ['*'] }));
 expect(stack).toMatch({
 'Resources': {
@@ -181,11 +181,13 @@ export = {
 {
 'Action': 'service:statement0',
 'Effect': 'Allow',
+ 'Resource': '*',
 'Sid': '0',
 },
 {
 'Action': 'service:statement1',
 'Effect': 'Allow',
+ 'Resource': '*',
 'Sid': '1',
 },
 ],
From 8ba9a3ba96ef6a0c9a125ded64f2ceca2d660c87 Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Mon, 18 May 2020 21:07:12 -0700
Subject: [PATCH 6/8] Fix policy statement in aws-lambda unit test
---
 packages/@aws-cdk/aws-lambda/test/test.lambda.ts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
index 6a697833e4700..c02fd5aef771a 100644
--- a/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
+++ b/packages/@aws-cdk/aws-lambda/test/test.lambda.ts
@@ -237,7 +237,7 @@ export = {
 const role = new iam.Role(stack, 'SomeRole', {
 assumedBy: new iam.ServicePrincipal('lambda.amazonaws.com'),
 });
- role.addToPolicy(new iam.PolicyStatement({ actions: ['confirm:itsthesame'] }));
+ role.addToPolicy(new iam.PolicyStatement({ actions: ['confirm:itsthesame'], resources: ['*'] }));
 // WHEN
 const fn = new lambda.Function(stack, 'Function', {
@@ -246,20 +246,20 @@ export = {
 handler: 'index.test',
 role,
 initialPolicy: [
- new iam.PolicyStatement({ actions: ['inline:inline'] }),
+ new iam.PolicyStatement({ actions: ['inline:inline'], resources: ['*'] }),
 ],
 });
- fn.addToRolePolicy(new iam.PolicyStatement({ actions: ['explicit:explicit'] }));
+ fn.addToRolePolicy(new iam.PolicyStatement({ actions: ['explicit:explicit'], resources: ['*'] }));
 // THEN
 expect(stack).to(haveResource('AWS::IAM::Policy', {
 'PolicyDocument': {
 'Version': '2012-10-17',
 'Statement': [
- { 'Action': 'confirm:itsthesame', 'Effect': 'Allow' },
- { 'Action': 'inline:inline', 'Effect': 'Allow' },
- { 'Action': 'explicit:explicit', 'Effect': 'Allow' },
+ { 'Action': 'confirm:itsthesame', 'Effect': 'Allow', 'Resource': '*' },
+ { 'Action': 'inline:inline', 'Effect': 'Allow', 'Resource': '*' },
+ { 'Action': 'explicit:explicit', 'Effect': 'Allow', 'Resource': '*' },
 ],
 },
 }));
From d0081f9cec6f883632b09e0ae37453c0a4dbaf2d Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Mon, 18 May 2020 21:44:48 -0700
Subject: [PATCH 7/8] Fix policy statement in CF web-distributions
---
 packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
index ab5eda0eb0834..40e14eb7dd8d8 100644
--- a/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
+++ b/packages/@aws-cdk/aws-cloudfront/lib/web_distribution.ts
@@ -925,6 +925,7 @@ export class CloudFrontWebDistribution extends cdk.Construct implements IDistrib
 if (a.lambdaFunction.role && a.lambdaFunction.role instanceof iam.Role && a.lambdaFunction.role.assumeRolePolicy) {
 a.lambdaFunction.role.assumeRolePolicy.addStatements(new iam.PolicyStatement({
 actions: [ 'sts:AssumeRole' ],
+ resources: ['*'],
 principals: [ new iam.ServicePrincipal('edgelambda.amazonaws.com') ],
 }));
 }
From 4e743ed8984e9767f6f8528c01dcaf60941e0610 Mon Sep 17 00:00:00 2001
From: Shreyas Damle
Date: Tue, 19 May 2020 13:49:12 -0700
Subject: [PATCH 8/8] Fix policy statement in CF tests
---
 packages/@aws-cdk/aws-cloudfront/test/test.basic.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts b/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts
index 39366da64117d..d2c0c3ec09ad8 100644
--- a/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts
+++ b/packages/@aws-cdk/aws-cloudfront/test/test.basic.ts
@@ -840,6 +840,7 @@ export = {
 'Principal': {
 'Service': 'edgelambda.amazonaws.com',
 },
+ 'Resource': '*',
 },
 ],
 'Version': '2012-10-17',
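Review bot: Adding `resources: ['*']` to the statement pushed into `assumeRolePolicy` puts a Resource element into the role's trust policy, and IAM rejects a trust policy that contains Resource (the role create/update call fails with a MalformedPolicyDocument error naming the prohibited field), so this turns a unit-test failure into a failed deployment; trust policies carry Principal and Action but no Resource. The statement should stay as `actions: [ 'sts:AssumeRole' ], principals: [ new iam.ServicePrincipal('edgelambda.amazonaws.com') ]` and the new `validateProps` in policy-statement.ts should not apply the resource requirement to an assume-role policy document, since only the document, not the statement, knows it is a trust policy. The test.basic.ts hunk in patch 8 bakes the prohibited `'Resource': '*'` into the expected template and should be dropped together with this line. The enclosing method in web_distribution.ts starts and ends outside the hunk.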