(aws-cdk): (Disallow CDK Bootstrap to default AdministratorAccess for cfn-exec-role) #27097

Open
2 tasks
smislam opened this issue Sep 11, 2023 · 2 comments
Labels
feature-request A feature should be added or improved. p2 package/tools Related to AWS CDK Tools or CLI


smislam commented Sep 11, 2023

Describe the feature

By default, CDK Bootstrap uses AdministratorAccess for cfn-exec-role when we run the cdk bootstrap command. This allows CDK to have higher privileges than the user is authorized to perform and poses a security concern. The feature request is to make the '--cloudformation-execution-policies' parameter mandatory.

Use Case

In my account, the account administrator disabled using AdministratorAccess. The account also has Config rules to remove AdministratorAccess access if found. We also have a security policy that removes the CDK S3 bucket on the first day of a month. Since we require re-bootstrapping the account each month, it would be ideal to make the cdk bootstrap '--cloudformation-execution-policies' parameter mandatory. That way, it will force us to pass the right cfn-exec-role rather than have CDK default to the AdministratorAccess role.

Proposed Solution

Make '--cloudformation-execution-policies' parameter mandatory

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.94.0 (build 987c329)

Environment details (OS name and version, etc.)

AWS Workspace (Microsoft Windows Server 2016 DataCenter 10.0.14393 Build 14393)

@smislam smislam added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2023
@github-actions github-actions bot added the package/tools Related to AWS CDK Tools or CLI label Sep 11, 2023
Contributor

indrora commented Sep 11, 2023

@indrora indrora added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed needs-triage This issue or PR still needs to be triaged. labels Sep 11, 2023
Author

smislam commented Sep 11, 2023

Hi @indrora, thank you for sending the permission boundary information. We are actually enforcing a few things to secure the accounts that also include permission boundaries:

  1. Have IAM role with restricted permissions for users
  2. Have AWS Config Rule to flag and remove AdministratorAccess role
  3. Implement Permission Boundary to restrict users to allowed policies --> We haven't implemented this yet

As you already called out, the Permission Boundary will restrict users and cdk to only the permissions they should have. However, we still need to remove the default AdministratorAccess role when bootstrapped without the '--cloudformation-execution-policies' parameter. Our Security and Policy scanning tool finds the AdministratorAccess role and flags the account's status as a violation. The Config Rules then remove that entry, making CDK unusable.

if (trustedAccounts.length === 0 && cloudFormationExecutionPolicies.length === 0) {

@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 11, 2023
@scanlonp scanlonp added the p2 label Apr 22, 2024
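
A pre-flight check in the spirit of this request, as an added example that is not part of the issue thread or of the AWS CDK code base: a wrapper can refuse to invoke `cdk bootstrap` unless `--cloudformation-execution-policies` is present, non-empty, and does not name AdministratorAccess. The function names, the sample account ID and the sample policy ARNs are assumptions made for illustration.

```javascript
// Added example, not AWS CDK source: pre-flight check for `cdk bootstrap` arguments.
const FLAG = '--cloudformation-execution-policies';
// AWS managed AdministratorAccess in any partition (aws, aws-cn, aws-us-gov).
const ADMIN_ARN = /^arn:aws[a-z-]*:iam::aws:policy\/AdministratorAccess$/;
// AWS managed or customer managed IAM policy ARN.
const POLICY_ARN = /^arn:aws[a-z-]*:iam::(aws|\d{12}):policy\/.+$/;

// Collect every policy ARN passed via the flag. Handles "--flag value",
// "--flag=value", a repeated flag, and comma-separated lists.
function executionPolicies(argv) {
  const arns = [];
  for (let i = 0; i < argv.length; i++) {
    let value = null;
    if (argv[i] === FLAG) {
      // A next token starting with "--" is another option, so the flag is empty.
      const next = argv[i + 1];
      value = next !== undefined && !next.startsWith('--') ? argv[++i] : '';
    } else if (argv[i].startsWith(FLAG + '=')) {
      value = argv[i].slice(FLAG.length + 1);
    }
    if (value !== null) {
      arns.push(...value.split(',').map((s) => s.trim()).filter(Boolean));
    }
  }
  return arns;
}

// Return the list of violations; an empty list means the call may proceed.
function checkBootstrapArgs(argv) {
  const arns = executionPolicies(argv);
  if (arns.length === 0) {
    return [`${FLAG} is missing or empty, so the AdministratorAccess default would apply`];
  }
  const problems = [];
  for (const arn of arns) {
    if (!POLICY_ARN.test(arn)) problems.push(`not an IAM policy ARN: ${arn}`);
    else if (ADMIN_ARN.test(arn)) problems.push(`AdministratorAccess passed explicitly: ${arn}`);
  }
  return problems;
}

// Constructed sample invocations (account ID and policy choice are made up).
const samples = [
  ['bootstrap', 'aws://111111111111/us-east-1'],
  ['bootstrap', FLAG, 'arn:aws:iam::aws:policy/AWSLambda_FullAccess'],
  ['bootstrap', `${FLAG}=arn:aws:iam::aws:policy/AdministratorAccess`],
];
for (const argv of samples) {
  console.log(argv.join(' '), '=>', JSON.stringify(checkBootstrapArgs(argv)));
}
```

A wrapper script or CI step would call `checkBootstrapArgs` on the arguments it is about to pass to the CLI and stop when the returned list is non-empty.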