Add permission boundaries to the stack

524 Views Asked by Yuriy Galanter At 15 July 2022 at 20:28

When I deploy a CDK stack - it creates several roles, both explicitly e.g. via iam.Role construct, and implicitly e.g. when roles are created internally by Level 2 constructs.

Is there a way to attach an existing permission boundary to all the roles being created by the stack - both explicit and implicit?

Original Q&A

There are 1 best solutions below

miensol On 17 July 2022 at 07:31 BEST ANSWER

Yes, through aspects.

You can add the following in bin/app.ts (the file might be named differently):

class ConfigurePermissionBoundary implements IAspect {
  visit(node: IConstruct): void {
    if (node instanceof CfnRole) {
      const stack1 = Stack.of(node);
      let policy = stack1.node.tryFindChild('GlobalPermissionBoundaryPolicy') as ManagedPolicy | undefined

      if (!policy) {
        policy = new ManagedPolicy(stack1, 'GlobalPermissionBoundaryPolicy', {
          statements: [new PolicyStatement({
            effect: Effect.DENY,
            actions: ['sts:*'],
            resources: ['*']
          })]
        })
      }

      node.permissionsBoundary = policy.managedPolicyArn
    }
  }
}

Aspects.of(app).add(new ConfigurePermissionBoundary())

Please note that we're adding a managed policy GlobalPermissionBoundaryPolicy that defines the permission boundary once. Also, the aspect handles both new iam.Role() as well as any new CfnRole() defined by your or library code.

Add permission boundaries to the stack

There are 1 best solutions below

Related Questions in AWS-CLOUDFORMATION

Related Questions in AMAZON-IAM

Related Questions in AWS-CDK

Related Questions in AWS-ROLES

Related Questions in AWS-PERMISSIONS

Trending Questions

Popular # Hahtags

Popular Questions