
@arjunp99
Contributor

Summary

Enhanced the data.all CDK execution policy to prevent privilege escalation attacks by scoping IAM permissions to specific resource patterns instead of using wildcard access.

Problem

The original policy allowed access to any role or policy in the account using wildcard resources (arn:aws:iam::account:policy/* and arn:aws:iam::account:role/*). This meant that anyone with CloudFormation deployment access could potentially create roles like AttackerAdminRole and attach powerful policies such as AdministratorAccess to escalate privileges.

Solution

IAM permissions are now restricted to specific resource prefixes:

  • Environment-specific resources (${EnvironmentResourcePrefix}*)
  • CDK resources (cdk-*)
  • data.all application resources (dataall-*)

Impact

  • Blocks malicious CloudFormation templates from creating unauthorized administrative resources
  • Preserves all existing data.all functionality (environment creation, dataset operations, service deployments)
  • Implements least privilege access principles
  • Provides defense-in-depth protection against infrastructure-based privilege escalation
  • Zero operational impact

Testing

  • Verified existing data.all operations continue to work
  • Confirmed restricted IAM permissions block unauthorized resource creation

Fixes #1614

…escalation

- Restrict IAM permissions to specific resource prefixes (*, cdk-*, dataall-*)
- Remove wildcard access that could allow creation of arbitrary admin roles
- Implement least privilege access principles while maintaining full functionality
- Provide defense-in-depth protection against infrastructure-based attacks

Fixes data-dot-all#1614
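To make the difference between the two policy shapes concrete, here is an added, self-contained Python illustration (not data.all's CDK code and not the author's patch) that models the original wildcard statement next to a prefix-scoped one and evaluates candidate role and policy ARNs against each, using IAM's `*`/`?` resource-pattern matching. The account id, the `myenv` value assumed for `${EnvironmentResourcePrefix}`, and the role and policy names other than `AttackerAdminRole` are constructed placeholders; the evaluator is deliberately simplified (single Allow statement, no Deny, conditions, boundaries or SCPs).

```python
import re

ACCOUNT = "123456789012"   # constructed placeholder account id
ENV_PREFIX = "myenv"       # assumed value of the ${EnvironmentResourcePrefix} CDK parameter

# A representative set of IAM write actions a deployment role is typically granted.
IAM_WRITE_ACTIONS = [
    "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreatePolicy", "iam:PassRole",
]

# Shape of the pre-fix statement: any role or policy in the account.
WILDCARD_STATEMENT = {
    "Effect": "Allow",
    "Action": IAM_WRITE_ACTIONS,
    "Resource": [
        f"arn:aws:iam::{ACCOUNT}:policy/*",
        f"arn:aws:iam::{ACCOUNT}:role/*",
    ],
}

# Shape of the scoped statement: only the three name prefixes the PR describes.
SCOPED_STATEMENT = {
    "Effect": "Allow",
    "Action": IAM_WRITE_ACTIONS,
    "Resource": [
        f"arn:aws:iam::{ACCOUNT}:{kind}/{prefix}*"
        for kind in ("role", "policy")
        for prefix in (ENV_PREFIX, "cdk-", "dataall-")
    ],
}


def iam_glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """IAM Action/Resource patterns use '*' (any run of characters, including '/')
    and '?' (exactly one character); everything else is literal."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "?":
            out.append(".")
        else:
            out.append(re.escape(ch))
    return re.compile("^" + "".join(out) + "$")


def _matches_any(patterns, value: str) -> bool:
    return any(iam_glob_to_regex(p).match(value) for p in patterns)


def statement_allows(statement: dict, action: str, resource_arn: str) -> bool:
    """True if this single Allow statement grants `action` on `resource_arn`.
    Simplified evaluator: no Deny statements, Conditions, permissions boundaries or SCPs."""
    if statement.get("Effect") != "Allow":
        return False
    return _matches_any(statement["Action"], action) and _matches_any(
        statement["Resource"], resource_arn
    )


def reachable_resources(statement: dict, action: str, candidate_arns) -> list:
    """Subset of candidate ARNs on which the statement permits `action`."""
    return [arn for arn in candidate_arns if statement_allows(statement, action, arn)]


# Constructed sample ARNs: the role name from the PR description plus in-scope and out-of-scope names.
ATTACKER_ROLE = f"arn:aws:iam::{ACCOUNT}:role/AttackerAdminRole"
DATAALL_ROLE = f"arn:aws:iam::{ACCOUNT}:role/dataall-lambda-exec-role"
CDK_ROLE = f"arn:aws:iam::{ACCOUNT}:role/cdk-example-cfn-exec-role"
ENV_POLICY = f"arn:aws:iam::{ACCOUNT}:policy/{ENV_PREFIX}-dataset-access"
UNSCOPED_POLICY = f"arn:aws:iam::{ACCOUNT}:policy/CustomAdminPolicy"
PATHED_ROLE = f"arn:aws:iam::{ACCOUNT}:role/service-role/dataall-x"  # path precedes the name

if __name__ == "__main__":
    candidates = [ATTACKER_ROLE, DATAALL_ROLE, CDK_ROLE, ENV_POLICY, UNSCOPED_POLICY, PATHED_ROLE]
    for label, stmt in (("wildcard", WILDCARD_STATEMENT), ("scoped", SCOPED_STATEMENT)):
        print(f"{label}: iam:CreateRole / iam:CreatePolicy reachable on")
        for arn in reachable_resources(stmt, "iam:CreateRole", candidates) + reachable_resources(
            stmt, "iam:CreatePolicy", candidates
        ):
            print("   ", arn)
```

Two properties of IAM pattern matching are worth checking when adopting this pattern in your own deployment role. First, `Resource` scoping limits which role or policy ARN an action touches, not what gets attached to it: `iam:AttachRolePolicy` on an in-scope role can still attach any managed policy unless a `Condition` on `iam:PolicyARN` (or a required boundary via `iam:PermissionsBoundary`) is added alongside. Second, a prefix pattern such as `myenv*` has no trailing delimiter, so it also matches any longer name that happens to start with the same characters; choosing a prefix value that ends in a separator keeps the scope as tight as intended. Note also that IAM's `*` matches across `/`, so `role/*` covers roles created under a path while `role/dataall-*` does not match a path like `role/service-role/dataall-x`.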
@petrkalos petrkalos self-requested a review October 2, 2025 15:12
@petrkalos petrkalos merged commit 07fbd8a into data-dot-all:main Oct 13, 2025
10 checks passed

Development

Successfully merging this pull request may close these issues.

[Security Concern] cdkExec Role and Environment roles contains policies which pose broader attack radius

3 participants