(DynamoDB): Table generates policies not compliant with Security Hub

[nekvinder]

Describe the bug

Aws CDK's DynamoDB Table generated resources are not compliant with Security Hub policy IAM.21 - https://docs.aws.amazon.com/securityhub/latest/userguide/securityhub-standards-fsbp-controls.html#fsbp-iam-21

The CDK generates a policy with wildcard actions for dynamodb actions as dynamodb:*
The following are the related policy description: DynamoDB replication managed policy for table <table_name>

aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/table.ts

Lines 1579 to 1583 in 75bfce7

	const onEventHandlerPolicy = new SourceTableAttachedPolicy(this, provider.onEventHandler.role!);
	const isCompleteHandlerPolicy = new SourceTableAttachedPolicy(this, provider.isCompleteHandler.role!);
	// Permissions in the source region
	this.grant(onEventHandlerPolicy, 'dynamodb:*');

Expected Behavior

The attached policies should describe each required action in them.

Current Behavior

The CDK generates a policy with wildcard actions for dynamodb actions as dynamodb:*

Reproduction Steps

• Use AWS CDK to create a dynamodb table

  const globalTable = new dynamodb.Table(this, 'Table', {
    partitionKey: { name: 'id', type: dynamodb.AttributeType.STRING },
    replicationRegions: ['us-east-1', 'eu-central-1'],
    billingMode: dynamodb.BillingMode.PROVISIONED,
  });
  

• Go to AWS Security Hub and watch the above-created resource, it would be non compliant with Security Hub Policy - securityhub-iam-policy-no-statements-with-full-access-****** (arn:aws:config:::config-rule/aws-service-rule/securityhub.amazonaws.com/config-rule-nn****)**

Possible Solution

Put the exact actions required here.

aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/table.ts

Line 1583 in 75bfce7

this.grant(onEventHandlerPolicy, 'dynamodb:*');

Additional Information/Context

No response

CDK CLI Version

2.20.0

Framework Version

No response

Node.js Version

14.19.1

OS

Ubuntu 22.04 LTS

Language

Typescript

Language Version

3.9.7

Other information

No response

[watany-dev]

After checking the corresponding function, I think that it will probably work if the following two actions are added. i will embark on this.

• dynamodb:DescribeTable

  • aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/replica-handler/index.ts

    Line 23 in 75bfce7

    const describeTableResult = await dynamodb.describeTable({

• dynamodb: UpdateTable

  • aws-cdk/packages/@aws-cdk/aws-dynamodb/lib/replica-handler/index.ts

    Line 32 in 75bfce7

    const data = await dynamodb.updateTable({

[rix0rrr]

This issue was for the existing Table construct, which used custom resources to implement table replication. We no longer recommend the use of the Table construct.

Instead, the TableV2 construct has been released in 2.95.1 (#27023) which maps to the AWS::DynamoDB::GlobalTable resource, has better support for replication and does not suffer from the issue described here.

---

Be aware that there are additional deployment steps involved in a migration from Table to TableV2. You need to do a RETAIN deployment, a delete deployment, then change the code to use TableV2 and then use cdk import. A link to a full guide will be posted once it is available.

Here are some other resources to get you started (using CfnGlobalTable instead of TableV2) if you want to get going on the migration:

• Migrating from Table to CfnGlobalTable, by Samaneh Utter, an AWS Senior Solutions Architect
• AWS CDK and Amazon DynamoDB Global Tables, by Wojciech Matuszewski from Stedi
• Migrating from Table to CfnGlobalTable, by Sharon Diskin from CloudBit