
Is FullAccess Role secure? #6671

Closed
fade2black opened this issue Feb 9, 2024 · 3 comments
Labels
area/pipeline blocked/close-if-inactive Blocked for >14 days with no response, will be closed if still inactive after 7 days type/question

Comments

@fade2black

I generate a pipeline using sam CLI which creates the following role:

PipelineStackCloudFormationExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          Action: "sts:AssumeRole"
          Effect: Allow
          Principal:
            Service: cloudformation.amazonaws.com
      Policies:
        - PolicyName: GrantCloudFormationFullAccess
          PolicyDocument:
            Version: 2012-10-17
            Statement:
              - Effect: Allow
                Action: '*'
                Resource: '*'

and it is used (assumed) like this:

  - Name: CreateChangeSet
    ActionTypeId:
      Category: Deploy
      Owner: AWS
      Provider: CloudFormation
      Version: "1"
    Configuration:
      ActionMode: CHANGE_SET_REPLACE
      RoleArn: !GetAtt PipelineStackCloudFormationExecutionRole.Arn
      StackName: !Ref AWS::StackName
      ChangeSetName: !Sub ${AWS::StackName}-ChangeSet
      TemplatePath: SourceCodeAsZip::codepipeline.yml
      Capabilities: CAPABILITY_NAMED_IAM
    InputArtifacts:
      - Name: SourceCodeAsZip
    RunOrder: 1

Is it secure to deploy and use such a pipeline?

@fade2black fade2black added the stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. label Feb 9, 2024
@hawflau hawflau added type/question area/pipeline and removed stage/needs-triage Automatically applied to new issues and PRs, indicating they haven't been looked at. labels Feb 9, 2024
@hawflau
Contributor

hawflau commented Feb 12, 2024

Hey @fade2black thanks for raising the issue.

The role is created for the pipeline to deploy resources of your application through CloudFormation. As the pipeline does not have any knowledge about your application (e.g. what resources will be created/updated), the role gives CloudFormation full access. In other words, it ensures that CloudFormation is able to deploy any change from your application template.

The risk thus lies in the application template - if an attacker adds a malicious resource in your application template (e.g. an IAM Role with admin access), the pipeline will deploy it. Mitigation of this risk is to make sure only authorized persons can commit to your application template, and have a thorough review process before any change can be merged.

Alternatively, you can create your own CloudFormation Execution Role with limited scope for your application and supply that role when you create your pipeline.

Please let me know if you have any further questions.
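The review step described above can be backed by a mechanical check. As an added example that is not part of this issue or of the SAM CLI, the Python script below scans the Resources section of a CloudFormation template (here the execution role from the issue, transcribed from YAML into a dict as constructed sample input) and reports every inline role policy that allows Action '*' on Resource '*'; it also accepts the scalar-or-list forms IAM permits for Statement, Action and Resource.

```python
"""Flag CloudFormation IAM role policies that allow Action '*' on Resource '*'."""

# Constructed sample input: the execution role posted in the issue, transcribed
# from YAML into a dict so the script runs without a YAML parser.
TEMPLATE = {"Resources": {"PipelineStackCloudFormationExecutionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            # One statement written as a mapping, as in the issue (IAM allows this).
            "Statement": {"Action": "sts:AssumeRole", "Effect": "Allow",
                          "Principal": {"Service": "cloudformation.amazonaws.com"}}},
        "Policies": [{
            "PolicyName": "GrantCloudFormationFullAccess",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]}}}}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_full_access(stmt):
    """Allow + Action '*' (or NotAction, which grants all but the listed) + Resource '*'."""
    if stmt.get("Effect") != "Allow":
        return False
    wide_action = "*" in _as_list(stmt.get("Action")) or "NotAction" in stmt
    return wide_action and "*" in _as_list(stmt.get("Resource"))


def find_full_access_policies(template):
    """(logical_id, policy_name) for each inline role policy with a full-access statement."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            statements = _as_list(policy.get("PolicyDocument", {}).get("Statement"))
            if any(is_full_access(s) for s in statements):
                findings.append((logical_id, policy["PolicyName"]))
    return findings


if __name__ == "__main__":
    for logical_id, name in find_full_access_policies(TEMPLATE):
        print(f"{logical_id}: inline policy {name} allows Action '*' on Resource '*'")
```

Run it against the template before merging to flag the finding; a scoped execution role as suggested above produces no output.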

@hawflau hawflau added the blocked/close-if-inactive Blocked for >14 days with no response, will be closed if still inactive after 7 days label Feb 12, 2024
@fade2black
Author

@hawflau Clear now. Thank you for the reply.

@hawflau hawflau closed this as completed Feb 12, 2024
