From e155389db7a7c17387cf39db99c326518cf1631c Mon Sep 17 00:00:00 2001
From: Samson Keung
Date: Mon, 20 Jan 2025 11:13:29 -0800
Subject: [PATCH] chore(scheduler-alpha-targets): raise awareness for default policy risk (#33003)
### Issue # (if applicable)
N/A.
### Reason for this change
Raise awareness on the `*` used for resources in the default policy in the `Universal` target class.
### Description of changes
README updates and added a new warning.
### Describe any new or updated permissions being added
None
### Description of how you validated changes
Unit tests.
### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
(cherry picked from commit fa2327d41da743ad0be1f7742dfa9782ecc62464)
---
 .../@aws-cdk/aws-scheduler-targets-alpha/README.md | 11 +++++++----
 .../aws-scheduler-targets-alpha/lib/universal.ts | 4 +++-
 .../test/universal.test.ts | 7 ++++++-
 3 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
index 81858cd76e76f..1758f6e2fb87b 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
@@ -316,7 +316,7 @@ new Schedule(this, 'Schedule', {
 ## Invoke a wider set of AWS API
-Use the `Universal` target to invoke AWS API.
+Use the `Universal` target to invoke AWS API. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
 The code snippet below creates an event rule with AWS API as the target which is called at midnight every day by EventBridge Scheduler.
@@ -339,9 +339,9 @@ new Schedule(this, 'Schedule', {
 The `service` must be in lowercase and the `action` must be in camelCase.
-By default, an IAM policy for the Scheduler is extracted from the API call.
-
-You can control the IAM policy for the Scheduler by specifying the `policyStatements` property.
+By default, an IAM policy for the Scheduler is extracted from the API call. The action in the policy is constructed using the `service` and `action` prop.
+Re-using the example above, the action will be `rds:stopDBCluster`. Note that not all IAM actions follow the same pattern. In such scenario, please use the
+`policyStatements` prop to override the policy:
 ```ts
 new Schedule(this, 'Schedule', {
@@ -362,3 +362,6 @@ new Schedule(this, 'Schedule', {
 }),
 });
 ```
+
+> Note: The default policy uses `*` in the resources field as CDK does not have a straight forward way to auto-discover the resources permission required.
+> It is recommended that you scope the field down to specific resources to have a better security posture.
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
index 03b8f6734d19f..cd0f3af5c3454 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
@@ -1,5 +1,5 @@
 import { IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
-import { Aws, Token } from 'aws-cdk-lib';
+import { Annotations, Aws, Token } from 'aws-cdk-lib';
 import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { awsSdkToIamAction } from 'aws-cdk-lib/custom-resources/lib/helpers-internal';
 import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
@@ -95,6 +95,8 @@ export class Universal extends ScheduleTargetBase implements IScheduleTarget {
 protected addTargetActionToRole(role: IRole): void {
 if (!this.props.policyStatements?.length) {
+ Annotations.of(role).addWarningV2('@aws-cdk/aws-scheduler-alpha:defaultWildcardResourcePolicy',
+ 'Default policy with * for resources is used. Use custom policy for better security posture.');
 role.addToPrincipalPolicy(new PolicyStatement({
 actions: [awsSdkToIamAction(this.props.service, this.props.action)],
 resources: ['*'],
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts
index 3f6ed17061c66..48dac4c693d5e 100644
--- a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts
+++ b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts
@@ -1,7 +1,7 @@
 import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
 import { Group } from '@aws-cdk/aws-scheduler-alpha';
 import { App, Duration, Stack } from 'aws-cdk-lib';
-import { Template } from 'aws-cdk-lib/assertions';
+import { Annotations, Template } from 'aws-cdk-lib/assertions';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { Universal } from '../lib/universal';
@@ -105,6 +105,11 @@ describe('Universal schedule target', () => {
 ],
 },
 });
+
+ Annotations.fromStack(stack).hasWarning(
+ '*',
+ 'Default policy with * for resources is used. Use custom policy for better security posture. [ack: @aws-cdk/aws-scheduler-alpha:defaultWildcardResourcePolicy]',
+ );
 });
 test('creates IAM policy for provided IAM role', () => {
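Review bot: The acknowledgement id passed to `addWarningV2` is namespaced `@aws-cdk/aws-scheduler-alpha`, but this file belongs to the `aws-scheduler-targets-alpha` package (see the file header), so the id points users who suppress it by package convention at the wrong module; `'@aws-cdk/aws-scheduler-targets-alpha:defaultWildcardResourcePolicy'` would match the emitting package, with the expected string in universal.test.ts updated to match. The message also omits which API call produced the wildcard grant, so several `Universal` targets sharing one role yield indistinguishable warnings; naming the derived action, e.g. `` `Default policy with * for resources is used for ${awsSdkToIamAction(this.props.service, this.props.action)}. Use custom policy for better security posture.` ``, would tell the reader exactly which statement to scope down. Emitting on `role` rather than the target seems to be forced by `Universal` not being a construct, which is worth a one-line comment above the call. The body of `addTargetActionToRole` continues past the end of the hunk.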
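Review bot: The new `hasWarning` assertion covers only the default-policy branch; nothing checks that the warning stays silent when `policyStatements` is supplied, so a regression that warns unconditionally would still pass. Adding `Annotations.fromStack(stack).hasNoWarning('*', Match.stringLikeRegexp('defaultWildcardResourcePolicy'));` to the custom-policy test (importing `Match` from 'aws-cdk-lib/assertions') would close that gap. The expected message also hard-codes the ` [ack: ...]` suffix the annotations framework appends, coupling the test to that formatting; matching the message text with `Match.stringLikeRegexp` would be less brittle. The enclosing `test` and `describe` blocks start outside the hunk.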