(BucketDeployment): Generates IAM policy not approved by CDK Nag #27210

Open
markusl opened this issue Sep 20, 2023 · 4 comments
Labels
@aws-cdk/aws-iam Related to AWS Identity and Access Management effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

markusl commented Sep 20, 2023

Describe the bug

Using the BucketDeployment construct generates an IAM policy which is not approved by CDK Nag tool.

Expected Behavior

Compliant policy should be generated by default or alternatively explain the reasoning in the documentation and document steps to suppress the warning.

Current Behavior

[Error at /stack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource] AwsSolutions-IAM4[Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole]: The IAM user, role, or group uses AWS managed policies. An AWS managed policy is a standalone policy that is created and administered by AWS. Currently, many AWS managed policies do not restrict resource scope. Replace AWS managed policies with system specific (customer) managed policies. This is a granular rule that returns individual findings that can be suppressed with 'appliesTo'. The findings are in the format 'Policy::<policy>' for AWS managed policies. Example: appliesTo: ['Policy::arn:<AWS::Partition>:iam::aws:policy/foo'].

Reproduction Steps

    import * as s3deploy from 'aws-cdk-lib/aws-s3-deployment';

    // `bucket` is an s3.IBucket created elsewhere in the same stack
    new s3deploy.BucketDeployment(this, 'IncomingData', {
      destinationBucket: bucket,
      sources: [s3deploy.Source.asset('./example-data')],
      retainOnDelete: false,
    });

Possible Solution

No response

Additional Information/Context

No response

CDK CLI Version

2.96.2

Framework Version

No response

Node.js Version

18

OS

all

Language

Typescript

Language Version

No response

Other information

No response

@markusl markusl added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 20, 2023
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Sep 20, 2023
peterwoodworth (Contributor) commented

You can read about suppressing rules with nag in the cdk-nag repo. We don't claim to be compliant with nag, so I don't believe any explanation is necessary. If you have a way to scope down the policy to still make it work for all use cases it's designed for, then we could look at that as a feature request.

@peterwoodworth peterwoodworth added feature-request A feature should be added or improved. response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. and removed bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Sep 20, 2023

markusl commented Sep 21, 2023

@peterwoodworth Yes, we don't claim to be compliant, but it's not a great developer experience. I think it would be a good goal if the built-in functionality were compliant with the best practices enforced by cdk-nag. In this case I do believe the BucketDeployment functionality can be implemented with specific IAM policies instead of using AWSLambdaBasicExecutionRole.

@peterwoodworth peterwoodworth added p2 effort/small Small work item – less than a day of effort labels Sep 21, 2023
@github-actions github-actions bot removed the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label Sep 21, 2023
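The finding quoted in the issue is what cdk-nag's AwsSolutions-IAM4 rule emits for the singleton Lambda's service role. As an added illustration, not code from this thread, from aws-cdk or from cdk-nag, the TypeScript below models the three things a practitioner needs to understand about it: how the `Policy::arn:<AWS::Partition>:...` string is derived from the role's `ManagedPolicyArns` in the synthesized template, how an `appliesTo` entry is matched against that string (exact match, plus the `Regex::/.../g` form that cdk-nag's README documents), and what a customer-managed replacement for AWSLambdaBasicExecutionRole looks like once its three CloudWatch Logs actions are scoped to one function's log group. The function names, the sample template fragment and the account, region and function-name values are constructed for the example and are not cdk-nag's internals.

```typescript
// Added example (not aws-cdk or cdk-nag code): a minimal model of the
// AwsSolutions-IAM4 rule's view of an AWS::IAM::Role, the `appliesTo`
// suppression match, and a scoped replacement for AWSLambdaBasicExecutionRole.

type Intrinsic = string | { Ref: string } | { 'Fn::Join': [string, Intrinsic[]] };

interface IamRoleResource {
  Type: 'AWS::IAM::Role';
  Properties: { ManagedPolicyArns?: Intrinsic[]; Policies?: unknown[] };
}

// Render an intrinsic the way the finding shows it: a Ref to a pseudo
// parameter becomes `<Name>` (hence `<AWS::Partition>`), Fn::Join is concatenated.
export function renderIntrinsic(v: Intrinsic): string {
  if (typeof v === 'string') return v;
  if ('Ref' in v) return `<${v.Ref}>`;
  const [sep, parts] = v['Fn::Join'];
  return parts.map(renderIntrinsic).join(sep);
}

// One granular finding per AWS managed policy, in the rule's `Policy::<arn>` format.
// Inline `Policies` are not managed policies and produce no IAM4 finding.
export function iam4Findings(role: IamRoleResource): string[] {
  return (role.Properties.ManagedPolicyArns ?? []).map(a => `Policy::${renderIntrinsic(a)}`);
}

// An `appliesTo` entry is either the exact finding string or `Regex::/pattern/flags`.
export function suppressionCovers(finding: string, appliesTo: string[]): boolean {
  return appliesTo.some(entry => {
    if (entry.startsWith('Regex::')) {
      const m = /^Regex::\/(.*)\/([a-z]*)$/.exec(entry);
      if (!m) return false;
      // Drop the `g` flag: a global RegExp keeps lastIndex between .test() calls.
      return new RegExp(m[1], m[2].replace('g', '')).test(finding);
    }
    return entry === finding;
  });
}

// Customer-managed replacement: AWSLambdaBasicExecutionRole grants these three
// logs actions on Resource "*"; here they are limited to one function's log group
// and its log streams, which is what "restrict resource scope" means in practice.
export function scopedLogsPolicy(partition: string, region: string, account: string, functionName: string) {
  const logGroup = `arn:${partition}:logs:${region}:${account}:log-group:/aws/lambda/${functionName}`;
  return {
    Version: '2012-10-17',
    Statement: [
      { Effect: 'Allow', Action: ['logs:CreateLogGroup'], Resource: logGroup },
      { Effect: 'Allow', Action: ['logs:CreateLogStream', 'logs:PutLogEvents'], Resource: `${logGroup}:*` },
    ],
  };
}

// Constructed template fragment shaped like the BucketDeployment singleton's
// ServiceRole as CDK synthesizes it (partition left as a Ref, as in real output).
export const sampleRole: IamRoleResource = {
  Type: 'AWS::IAM::Role',
  Properties: {
    ManagedPolicyArns: [
      { 'Fn::Join': ['', ['arn:', { Ref: 'AWS::Partition' }, ':iam::aws:policy/service-role/AWSLambdaBasicExecutionRole']] },
    ],
  },
};

export function demo(): { findings: string[]; suppressedExact: boolean; suppressedWrongArn: boolean } {
  const findings = iam4Findings(sampleRole);
  const exact = 'Policy::arn:<AWS::Partition>:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole';
  return {
    findings,
    suppressedExact: findings.every(f => suppressionCovers(f, [exact])),
    suppressedWrongArn: findings.every(f => suppressionCovers(f, ['Policy::arn:<AWS::Partition>:iam::aws:policy/foo'])),
  };
}
```

Two points follow from the model. The `appliesTo` string has to match the finding exactly, including the literal `<AWS::Partition>` placeholder rather than `aws`, which is the usual reason a suppression that "looks right" does not fire. And the suppression belongs on the singleton's role rather than on the whole stack: in a real stack that is `NagSuppressions.addResourceSuppressionsByPath(stack, '/stack/Custom::CDKBucketDeployment8693BB64968944B69AAFB0CC9EB8756C/ServiceRole/Resource', [{ id: 'AwsSolutions-IAM4', reason: '...', appliesTo: [exact] }])`, with the path copied from the finding itself.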

KhushbooKaul2002 commented Jun 12, 2024

Hi @markusl @peterwoodworth: I faced the same issue while now trying to use Python 3_12 as my Lambda Runtime.
CDK Nag would NOT allow me to complete the synth, as the Lambda Runtime is still 3.9 in the CFN template.
My package.json looks like this:

    {
      "name": "cdk",
      "version": "0.1.0",
      "bin": {
        "cdk": "bin/cdk.js"
      },
      "scripts": {
        "build": "tsc",
        "watch": "tsc -w",
        "test": "jest",
        "cdk": "cdk"
      },
      "devDependencies": {
        "@types/jest": "^29.5.1",
        "@types/node": "20.1.7",
        "aws-cdk": "^2.145.0",
        "jest": "^29.5.0",
        "ts-jest": "^29.1.0",
        "ts-node": "^10.9.1",
        "typescript": "~5.1.3"
      },
      "dependencies": {
        "aws-cdk-lib": "^2.145.0",
        "cdk-nag": "^2.28.141",
        "constructs": "^10.0.0",
        "source-map-support": "^0.5.21",
        "update": "^0.7.4"
      }
    }


meniluca commented Jun 18, 2024

I haven't managed to find any way other than applying NagSuppressions to the entire stack. I have tried suppressing by path, which works only for IAM-5 when declaring a role, but not with L1. I have also tried suppressing the stack using a regex with appliesTo, but the regex does not work even when putting a plain string. Any other idea?
