IAM Permission Boundary does not prevent CDK escalating privilege access?

1

I created an IAM user and attached a Permission Boundary Policy to it . The permission boundary does not work when I deploy a CDK stack. My terminal setup with access_key_id, and secrete_access_key of the IAM user (attached permission boundary).

cdk deploy iamUserWitthAdminAccess 

Here is the stack

new aws_iam.User(
    this,
    "IamUserWithAdminAccess",
    {
       managedPolicies: [ aws_iam.ManagedPolicy.fromAwsManagePolicyName("AdmininstratorAccess")]
    }
)

Then an IAM user with AdminAccess was able to created. Can any one explain? and what is the best practice to prevent CDK to create Admin Users?

1 Answer
1
Accepted Answer

Attaching a permission boundary to the IAM user whose credentials are used for cdk deploy will not restrict the deployment in the way you want. In fact, cdk deploy essentially just creates a CloudFormation stack and calls the CloudFormation service which performs the actual resources creation. CDK passes a role to the CloudFormation service, this role scopes the deployment permissions. By default, this is an unrestricted AdministratorAccess role, so it is the role you need to apply permissions boundary to.

The best practice is to customize your CDK bootstrapping.

You can edit the template itself and apply the permissions boundaries to the roles defined in the bootstrap template. After that, you bootstrap your CDK environment with your customized template:

cdk bootstrap --show-template > custom-template.yaml
cdk bootstrap --template custom-template.yaml

Alternatively, just specify the restricted policies for the deployment role while bootstrapping:

cdk bootstrap --cloudformation-execution-policies <list-of-policy-arn>

You can find an example of a customized CDK bootstrap template in the AWS BootstrapKit example repository on GitHub. Also, take a look on this GitHub issue in the CDK repository.

profile pictureAWS
answered 2 years ago
  • Thank you! I understand much clearly now. When it comes to security, it is always more complicated than I thought

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions