feat(codedeploy): change LambdaDeploymentGroup default managed policy to AWSCodeDeployRoleForLambdaLimited (#10276)

vrr-21 · web-flow · commit 13e7bde5f8f5 · 2020-09-21T22:17:39.000Z
The managed policy `AWSCodeDeployRoleForLambda` used for Lambda deployments has broad permissions, providing publish access to all SNS topics within the customer's accounts.
This change replaces that with a new policy `AWSCodeDeployRoleForLambdaLimited` which removes those permissions.
This should be safe, as the SNS publish permission is only ever used when setting up `triggers`,
and we don't support that feature in `LambdaDeploymentGroup`.

BREAKING CHANGE: the default policy for `LambdaDeploymentGroup` no longer contains `sns:Publish` on `*` permissions

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts b/packages/@aws-cdk/aws-codedeploy/lib/lambda/deployment-group.ts
@@ -158,7 +158,7 @@ export class LambdaDeploymentGroup extends cdk.Resource implements ILambdaDeploy
       assumedBy: new iam.ServicePrincipal('codedeploy.amazonaws.com'),
     });
 
-    this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRoleForLambda'));
+    this.role.addManagedPolicy(iam.ManagedPolicy.fromAwsManagedPolicyName('service-role/AWSCodeDeployRoleForLambdaLimited'));
     this.deploymentConfig = props.deploymentConfig || LambdaDeploymentConfig.CANARY_10PERCENT_5MINUTES;
 
     const resource = new CfnDeploymentGroup(this, 'Resource', {
diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json b/packages/@aws-cdk/aws-codedeploy/test/lambda/integ.deployment-group.expected.json
@@ -468,7 +468,7 @@
                 {
                   "Ref": "AWS::Partition"
                 },
-                ":iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"
+                ":iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited"
               ]
             ]
           }
diff --git a/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts b/packages/@aws-cdk/aws-codedeploy/test/lambda/test.deployment-group.ts
@@ -101,7 +101,7 @@ export = {
               [
                 'arn:',
                 { Ref: 'AWS::Partition' },
-                ':iam::aws:policy/service-role/AWSCodeDeployRoleForLambda',
+                ':iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
               ],
             ],
           },
@@ -160,7 +160,7 @@ export = {
               [
                 'arn:',
                 { Ref: 'AWS::Partition' },
-                ':iam::aws:policy/service-role/AWSCodeDeployRoleForLambda',
+                ':iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited',
               ],
             ],
           },

Original file line number	Diff line number	Diff line change
`@@ -468,7 +468,7 @@`
`468`	`468`	`{`
`469`	`469`	`"Ref": "AWS::Partition"`
`470`	`470`	`},`
`471`		`- ":iam::aws:policy/service-role/AWSCodeDeployRoleForLambda"`
	`471`	`+ ":iam::aws:policy/service-role/AWSCodeDeployRoleForLambdaLimited"`
`472`	`472`	`]`
`473`	`473`	`]`
`474`	`474`	`}`