(aws-cdk): (Disallow CDK Bootstrap to default AdministratorAccess for cfn-exec-role) #27097
Labels
feature-request
A feature should be added or improved.
p2
package/tools
Related to AWS CDK Tools or CLI
Describe the feature
By default, CDK Bootstrap uses AdministratorAccess for cfn-exec-role when we run the `cdk bootstrap` command. This allows CDK to have higher privileges than the user is authorized to perform and poses a security concern. Feature request is to make the '--cloudformation-execution-policies' parameter mandatory.
Use Case
In my account, the account administrator disabled using AdministratorAccess. The account also has Config rules to remove AdministratorAccess if found. We also have a security policy that removes the CDK S3 bucket on the first day of each month. Since we require re-bootstrapping the account each month, it would be ideal to make the cdk bootstrap '--cloudformation-execution-policies' parameter mandatory. That way, it will force us to pass the right cfn-exec-role policy rather than have CDK default to the AdministratorAccess role.
Proposed Solution
Make '--cloudformation-execution-policies' parameter mandatory
Other Information
No response
Acknowledgements
CDK version used
2.94.0 (build 987c329)
Environment details (OS name and version, etc.)
AWS Workspace (Microsoft Windows Server 2016 DataCenter 10.0.14393 Build 14393)
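The guard requested in this issue, implemented locally as a shell wrapper until the CLI enforces it (an added example, not CDK project code): it refuses to bootstrap without an explicit execution policy and includes a check for whether an existing cfn-exec-role still carries AdministratorAccess. The qualifier `hnb659fds` is the CDK default; the account id, region and `CdkExecPolicy` ARN are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example: local enforcement of a mandatory --cloudformation-execution-policies.
# Account 123456789012, region us-east-1 and policy CdkExecPolicy are constructed values.

# require_exec_policies: returns 0 only if --cloudformation-execution-policies is
# present in the given 'cdk bootstrap' arguments with a non-empty value.
require_exec_policies() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --cloudformation-execution-policies=?*) return 0 ;;
      --cloudformation-execution-policies)
        case "${2:-}" in
          ""|--*) return 1 ;;   # flag present but no value follows it
          *) return 0 ;;
        esac ;;
    esac
    shift
  done
  return 1
}

# safe_bootstrap: wrapper around 'cdk bootstrap' that exits with status 2 instead of
# letting the CLI fall back to AdministratorAccess for the cfn-exec-role.
safe_bootstrap() {
  if ! require_exec_policies "$@"; then
    echo "refusing to bootstrap: --cloudformation-execution-policies is required" >&2
    return 2
  fi
  cdk bootstrap "$@"
}

# has_admin_access: reads 'aws iam list-attached-role-policies' JSON from stdin and
# returns 0 if the AWS-managed AdministratorAccess policy is attached to the role.
# Detection check for accounts bootstrapped before the flag was made mandatory.
has_admin_access() {
  grep -q 'arn:aws:iam::aws:policy/AdministratorAccess'
}

# Constructed sample outputs, as 'aws iam list-attached-role-policies --role-name
# cdk-hnb659fds-cfn-exec-role-123456789012-us-east-1' would print for a default
# bootstrap (admin) and for one done with an explicit scoped policy.
SAMPLE_ADMIN='{"AttachedPolicies":[{"PolicyName":"AdministratorAccess","PolicyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}]}'
SAMPLE_SCOPED='{"AttachedPolicies":[{"PolicyName":"CdkExecPolicy","PolicyArn":"arn:aws:iam::123456789012:policy/CdkExecPolicy"}]}'
```

Run as `safe_bootstrap aws://123456789012/us-east-1 --cloudformation-execution-policies arn:aws:iam::123456789012:policy/CdkExecPolicy`; the same flag check also works with the `--flag=value` form.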