
feat(stepfunctions-tasks): scope down batch:SubmitJob permissions to specific job definition#37312

Open
syukawa-gh wants to merge 3 commits into aws:main from syukawa-gh:feat/sfn-batch-submit-job-permissions-clean

Conversation

@syukawa-gh
Contributor

Previously, BatchSubmitJob granted batch:SubmitJob on all job definitions (job-definition/*). Now the permission is scoped to the specific job definition ARN with a wildcard revision suffix (job-definition/MyJobDef:*), following least privilege principles.

When the job definition ARN is a dynamic expression (JsonPath/Jsonata), it falls back to the wildcard resource.

Closes #37214

…specific job definition

Previously, SubmitBatchJob granted batch:SubmitJob on all job
definitions (job-definition/*). Now the permission is scoped to the
specific job definition ARN with a wildcard revision suffix, following
least privilege principles.

When the job definition ARN is a dynamic expression (JsonPath/Jsonata),
it falls back to the wildcard resource.

Closes aws#37214
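An added example (not the PR's or CDK's own code) that models the scoping described above in plain TypeScript: it derives the `job-definition/<name>:*` resource from a concrete job definition ARN, falls back to `job-definition/*` when the ARN is a dynamic expression, and checks what the resulting statement matches. The `$`/`{%` prefix test and the `statementAllows` matcher are constructed simplifications, not CDK's token detection or IAM's policy evaluator.

```typescript
// Added example: model the batch:SubmitJob resource scoping described in the PR.
// Assumption (constructed heuristic): a dynamic expression is a string starting
// with "$" (JsonPath) or "{%" (JSONata); real CDK detects unresolved tokens.
type PolicyStatement = { Effect: "Allow"; Action: string[]; Resource: string[] };

const DYNAMIC_PREFIXES = ["$", "{%"];

function isDynamicExpression(value: string): boolean {
  return DYNAMIC_PREFIXES.some((p) => value.startsWith(p));
}

// "arn:aws:batch:<region>:<account>:job-definition/<name>[:<revision>]"
// becomes ".../job-definition/<name>:*": any revision of that one definition,
// but no other job definition. A dynamic ARN keeps the broad wildcard.
function scopedJobDefinitionResource(jobDefinitionArn: string, region: string, account: string): string {
  if (isDynamicExpression(jobDefinitionArn)) {
    return `arn:aws:batch:${region}:${account}:job-definition/*`;
  }
  const marker = ":job-definition/";
  const idx = jobDefinitionArn.indexOf(marker);
  if (idx < 0) throw new Error(`not a Batch job definition ARN: ${jobDefinitionArn}`);
  const prefix = jobDefinitionArn.slice(0, idx + marker.length);
  const name = jobDefinitionArn.slice(idx + marker.length).split(":")[0];
  return `${prefix}${name}:*`;
}

function submitJobStatement(jobDefinitionArn: string, region: string, account: string): PolicyStatement {
  return {
    Effect: "Allow",
    Action: ["batch:SubmitJob"],
    Resource: [scopedJobDefinitionResource(jobDefinitionArn, region, account)],
  };
}

// Minimal IAM-style resource match ("*" matches any run of characters), only
// to show what the scoped statement does and does not allow.
function statementAllows(stmt: PolicyStatement, action: string, resourceArn: string): boolean {
  const toRegex = (pattern: string) =>
    new RegExp("^" + pattern.split("*").map((s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join(".*") + "$");
  return stmt.Action.includes(action) && stmt.Resource.some((r) => toRegex(r).test(resourceArn));
}

// Constructed sample values (not from the PR).
const stmt = submitJobStatement("arn:aws:batch:eu-west-1:111111111111:job-definition/Etl:7", "eu-west-1", "111111111111");
console.log(stmt.Resource[0]);
console.log(statementAllows(stmt, "batch:SubmitJob", "arn:aws:batch:eu-west-1:111111111111:job-definition/Etl:9"));
console.log(statementAllows(stmt, "batch:SubmitJob", "arn:aws:batch:eu-west-1:111111111111:job-definition/Other:1"));
```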
@github-actions github-actions bot added beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 labels Mar 23, 2026
@aws-cdk-automation aws-cdk-automation requested a review from a team March 23, 2026 03:31
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment


(This review is outdated)

@aws-cdk-automation aws-cdk-automation added the pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. label Mar 23, 2026
@syukawa-gh
Contributor Author

Exemption Request: Integration test snapshot cannot be generated locally because the permission scoping change modifies internal IAM policy generation. Unit test and README have been added. The snapshot will be generated by CI.

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label Mar 23, 2026
@aws-cdk-automation aws-cdk-automation dismissed their stale review March 24, 2026 02:24

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.


Labels

beginning-contributor [Pilot] contributed between 0-2 PRs to the CDK effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p1 pr/needs-further-review PR requires additional review from our team specialists due to the scope or complexity of changes. pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback.


Development

Successfully merging this pull request may close these issues.

(aws-stepfunctions-tasks): Tighter permissions in SubmitBatchJob

3 participants