Attaching a permission boundary to the IAM user whose credentials are used for cdk deploy will not restrict the deployment in the way you want. In fact, cdk deploy essentially just creates a CloudFormation stack and calls the CloudFormation service, which performs the actual resource creation. CDK passes a role to the CloudFormation service, and this role scopes the deployment permissions. By default, this is an unrestricted AdministratorAccess role, so it is the role you need to apply the permissions boundary to.
The best practice is to customize your CDK bootstrapping.
You can edit the template itself and apply the permissions boundaries to the roles defined in the bootstrap template. After that, you bootstrap your CDK environment with your customized template:
cdk bootstrap --show-template > custom-template.yaml
cdk bootstrap --template custom-template.yaml
Alternatively, just specify the restricted policies for the deployment role while bootstrapping:
cdk bootstrap --cloudformation-execution-policies <list-of-policy-arn>
You can find an example of a customized CDK bootstrap template in the AWS BootstrapKit example repository on GitHub. Also, take a look at this GitHub issue in the CDK repository.
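The "edit the template yourself" route in the answer above is easy to get wrong by hand, because the bootstrap template has a dozen resources and several IAM roles. The script below is an added example, not part of the answer and not AWS or CDK code: it takes the text produced by `cdk bootstrap --show-template`, finds every `AWS::IAM::Role` resource and adds a `PermissionsBoundary` property to it, while leaving roles that already carry a boundary untouched. It works on the YAML as plain text rather than through a YAML parser so that CloudFormation tags such as `!Sub` and `!Ref` pass through unchanged. The embedded template is a constructed excerpt shaped like the real one (2-space indentation, `Type:` and `Properties:` as direct children of each logical ID, which is what the script assumes about the input), and the policy name `cdk-deploy-boundary` is a placeholder for a boundary policy you create in the target account.

```python
"""Add an IAM permissions boundary to every AWS::IAM::Role in a CDK bootstrap
template. Text-based on purpose: CloudFormation tags (!Sub, !Ref, !If) break
generic YAML loaders, and we want the rest of the template byte-identical."""
import re
import sys

# Constructed excerpt in the shape of `cdk bootstrap --show-template` output;
# it is NOT the real bootstrap template.
SAMPLE_TEMPLATE = """\
Description: constructed excerpt shaped like a CDK bootstrap template
Resources:
  CloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: cloudformation.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AdministratorAccess
      RoleName: !Sub cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region}
  FilePublishingRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: !Ref AWS::AccountId
      PermissionsBoundary: arn:aws:iam::123456789012:policy/AlreadyBounded
      RoleName: !Sub cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region}
  StagingBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: !Sub cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region}
Outputs:
  BucketName:
    Value: !Ref StagingBucket
"""

# Value written into the template. !Sub resolves partition and account at deploy
# time; "cdk-deploy-boundary" is a placeholder name for your own boundary policy.
DEFAULT_BOUNDARY = "!Sub arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/cdk-deploy-boundary"

ROLE_TYPE = re.compile(r"^Type:\s*['\"]?AWS::IAM::Role['\"]?\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _skippable(line):
    return not line.strip() or line.lstrip().startswith("#")


def _patch_role(block, boundary):
    """Return (new_block, patched). Only AWS::IAM::Role blocks without an
    existing PermissionsBoundary are changed; the boundary goes right under
    Properties: so the rest of the block keeps its original order."""
    type_idx = next((i for i, l in enumerate(block) if ROLE_TYPE.match(l.strip())), None)
    if type_idx is None:
        return block, False
    key_indent = _indent(block[type_idx])  # indent of Type:/Properties: keys
    new_line = " " * (key_indent + 2) + "PermissionsBoundary: " + boundary
    if any(_indent(l) == key_indent + 2 and l.strip().startswith("PermissionsBoundary:")
           for l in block):
        return block, False  # never silently override an existing boundary
    for i, l in enumerate(block):
        if _indent(l) == key_indent and l.strip() == "Properties:":
            return block[: i + 1] + [new_line] + block[i + 1:], True
    # A role without Properties: is not valid CloudFormation, but stay safe.
    return block + [" " * key_indent + "Properties:", new_line], True


def apply_permissions_boundary(template_text, boundary=DEFAULT_BOUNDARY):
    """Return (patched_template_text, [logical IDs of roles that were patched])."""
    lines = template_text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.rstrip() == "Resources:")
    except StopIteration:
        raise ValueError("template has no top-level Resources: section") from None
    out, patched, i = lines[: start + 1], [], start + 1
    first = next((j for j in range(i, len(lines)) if not _skippable(lines[j])), None)
    if first is None:
        return "\n".join(out) + "\n", patched
    res_indent = _indent(lines[first])  # indentation of resource logical IDs
    while i < len(lines):
        line = lines[i]
        if not _skippable(line) and _indent(line) < res_indent:
            break  # Outputs:, Conditions:, ... ends the Resources section
        if _skippable(line) or _indent(line) != res_indent:
            out.append(line)
            i += 1
            continue
        j = i + 1  # collect the whole resource block (everything indented deeper)
        while j < len(lines) and (_skippable(lines[j]) or _indent(lines[j]) > res_indent):
            j += 1
        block, done = _patch_role(lines[i:j], boundary)
        if done:
            patched.append(line.strip().rstrip(":"))
        out.extend(block)
        i = j
    out.extend(lines[i:])
    return "\n".join(out) + "\n", patched


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TEMPLATE
    text, roles = apply_permissions_boundary(src)
    sys.stdout.write(text)
    sys.stderr.write("bounded roles: %s\n" % ", ".join(roles))
```

Usage follows the answer's own sequence: `cdk bootstrap --show-template > custom-template.yaml`, then `python bound_bootstrap.py custom-template.yaml > bounded-template.yaml`, then `cdk bootstrap --template bounded-template.yaml`. Two things to check before the last step: the boundary policy must already exist in every account and partition you bootstrap, or the stack update fails on role creation; and a `diff custom-template.yaml bounded-template.yaml` should show only the added `PermissionsBoundary:` lines. Keep the patched template in version control and always pass `--template` afterwards, since a plain `cdk bootstrap` would update the CDKToolkit stack with the stock template and drop the boundary again. Note also that a boundary on the execution role caps what that role itself may do; it does not by itself cap roles that your stacks create through it, which needs an `iam:PermissionsBoundary` condition on `iam:CreateRole` in the boundary or in the policies you pass with `--cloudformation-execution-policies`.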
Thank you! I understand much more clearly now. When it comes to security, it is always more complicated than I thought.