Security-restricted environments #5

Closed
1 of 10 tasks
eladb opened this issue Dec 8, 2019 · 2 comments
Labels
devex Developer Experience status/done Implementation complete

Comments

@eladb
Contributor

eladb commented Dec 8, 2019

PR Champion
#

Description

  • Permission Boundaries
  • Bootstrapping Privileges
  • Enforcement of policy during synth (aspects?), during deployment (CFN hooks?) and at runtime (AWS Config?)

Progress

  • Tracking Issue Created
  • RFC PR Created
  • Core Team Member Assigned
  • Initial Approval / Final Comment Period
  • Ready For Implementation
    • implementation issue 1
  • Resolved
@eladb eladb added the devex Developer Experience label Dec 8, 2019
@MrArnoldPalmer MrArnoldPalmer added the status/proposed Newly proposed RFC label Jan 4, 2020
@richardhboyd

Slightly related to Permissions Boundaries, but I'd also like to see Resource Boundaries. CDK is in a great position to enforce "no EC2 resources may be created" or "no IAM resources may be imported" to accommodate some highly regulated environments.

mergify bot pushed a commit to aws/aws-cdk that referenced this issue Feb 1, 2021
Allow configuring Permissions Boundaries for an entire subtree using
Aspects, add a sample policy which can be used to reduce future
misconfiguration risk for untrusted CodeBuild projects as an example.

Addresses one part of aws/aws-cdk-rfcs#5.

Fixes #3242.

ALSO IN THIS COMMIT:

Fix a bug in the `assert` library, where `haveResource()` would *never* match
any resource that didn't have a `Properties` block (even if we tested for no property
in particular, or the absence of properties). This fix caused two ECS tests to fail,
which were asserting the wrong thing anyway (both were asserting `notTo(haveResource(...))`
where they actually meant to assert `to(haveResource())`).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
NovakGu pushed a commit to NovakGu/aws-cdk that referenced this issue Feb 18, 2021
@mrgrain mrgrain added status/done Implementation complete and removed status/proposed Newly proposed RFC labels Oct 13, 2023
@mrgrain mrgrain closed this as completed Oct 13, 2023
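
The synth-time enforcement listed in the description, combined with the permissions-boundary and resource-boundary ideas raised in the thread, can be sketched as a check over a synthesized CloudFormation template. This is an added example, not code from the CDK project; the rule names, the `Policy` shape and the sample template are constructed for illustration.

```typescript
// Added example: all names, rules and the sample template are constructed.
interface CfnResource { Type: string; Properties?: Record<string, unknown>; }
interface CfnTemplate { Resources?: Record<string, CfnResource>; }
interface Policy {
  deniedTypePrefixes: string[]; // resource boundary, e.g. "AWS::EC2::"
  requiredBoundary: unknown;    // ARN string or an intrinsic such as { Ref: ... }
}
interface Violation { logicalId: string; rule: string; detail: string; }

const PRINCIPAL_TYPES = ["AWS::IAM::Role", "AWS::IAM::User"];

function checkTemplate(template: CfnTemplate, policy: Policy): Violation[] {
  const violations: Violation[] = [];
  const resources: Record<string, CfnResource> = template.Resources ?? {};
  for (const logicalId of Object.keys(resources)) {
    const res = resources[logicalId];
    // Resource boundary: reject whole service namespaces by type prefix.
    const denied = policy.deniedTypePrefixes.filter((p) => res.Type.indexOf(p) === 0)[0];
    if (denied !== undefined) {
      violations.push({ logicalId, rule: "denied-type", detail: res.Type });
    }
    if (PRINCIPAL_TYPES.indexOf(res.Type) === -1) continue;
    // A resource with no Properties block at all must still be checked.
    const boundary = res.Properties?.["PermissionsBoundary"];
    if (boundary === undefined) {
      violations.push({ logicalId, rule: "missing-boundary", detail: res.Type });
    } else if (JSON.stringify(boundary) !== JSON.stringify(policy.requiredBoundary)) {
      violations.push({ logicalId, rule: "wrong-boundary", detail: JSON.stringify(boundary) });
    }
  }
  return violations;
}

// Constructed sample: one compliant role and four violations.
const sampleTemplate: CfnTemplate = {
  Resources: {
    BuildRole: { Type: "AWS::IAM::Role", Properties: { PermissionsBoundary: { Ref: "BoundaryPolicy" } } },
    AdminRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: {} } },
    OtherRole: { Type: "AWS::IAM::Role", Properties: { PermissionsBoundary: "arn:aws:iam::111122223333:policy/Other" } },
    BareUser: { Type: "AWS::IAM::User" },
    Worker: { Type: "AWS::EC2::Instance", Properties: { InstanceType: "t3.micro" } },
    BoundaryPolicy: { Type: "AWS::IAM::ManagedPolicy", Properties: { PolicyDocument: {} } },
  },
};
const samplePolicy: Policy = { deniedTypePrefixes: ["AWS::EC2::"], requiredBoundary: { Ref: "BoundaryPolicy" } };

console.log(checkTemplate(sampleTemplate, samplePolicy));
```

A check like this would typically run against the synthesized template in CI and fail the build when the returned list is non-empty.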