Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

(stepfunctions-tasks): Security action for EcsRunTask #30368

Closed
1 of 2 tasks
kackyt opened this issue May 29, 2024 · 6 comments · Fixed by #30389, codu-code/codu#969 or rwlxxvii/containers#185 · May be fixed by NOUIY/aws-solutions-constructs#112 or gitafolabi/kreuzlaker#2
Closed
1 of 2 tasks

(stepfunctions-tasks): Security action for EcsRunTask #30368

kackyt opened this issue May 29, 2024 · 6 comments · Fixed by #30389, codu-code/codu#969 or rwlxxvii/containers#185 · May be fixed by NOUIY/aws-solutions-constructs#112 or gitafolabi/kreuzlaker#2
Labels
@aws-cdk/aws-stepfunctions-tasks effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2

Comments

@kackyt
Copy link
Contributor

kackyt commented May 29, 2024
edited
Loading

Describe the feature

The following message has been received by AWS users and needs to be addressed to be compliant in granting permissions when using EcsRunTask.

We are contacting you due to an issue with the Amazon Elastic Container Service (Amazon ECS) API that requires action: RunTask , StartTask, CreateService, and CreateTaskSet, When calling the RunTask, StartTask, CreateService, CreateTaskSet, or UpdateService APIs, users can specify the revision number of a task definition to launch a specific version of that task. We have identified an inconsistency in the way Identity and Access Management (IAM) policies are applied during request authentication for the above APIs. Specifically, when the API is invoked without the revision number of the task definition, it could be interpreted differently if the revision number of the task definition family is not specified in the resource condition key. As a result, the latest version of the task was selected. We have implemented a fix and have verified that the service is working as expected.
We have verified that your account sent a request to one or more of the affected ECS APIs. We recommend that you review the policies listed in the “Affected Resources” tab to ensure that the resource condition key specifying the task definition family contains the revision number. To allow time to review and make any necessary changes, we are adding your account to the permit list until October 15, 2024; if you wish to remove your account from the permit list prior to October 15, 2024, please create an AWS Support Case [see below]. If you do not perform the action by that date, any calls to the affected APIs will return an AccessDeniedException error message.
After October 15, 2024, to properly apply IAM policy-based decisions, you must specify the revision number or task definition family wildcard ('*') when using a task definition ARN as the resource type.

Use Case

When executing ECS task from StepFunctions using EcsRunTask in stepfunctions-tasks.

Proposed Solution

Remove the Ecs Task Family from the IAMResource permission policy.

aws-cdk/packages/aws-cdk-lib/aws-stepfunctions-tasks/lib/ecs/run-task.ts

Line 355 in c8f2646

taskDefinitionFamilyArn, 

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ecs:RunTask",
      "Resource": [
          "arn:aws:ecs:*:*:task-definition/sleep360",   // here
          "arn:aws:ecs:*:*:task-definition/sleep360:*",
       ]
    }
  ]
}

Other Information

related issue #12080 #27891

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.143.0

Environment details (OS name and version, etc.)

macOS,Linux,Windows
@kackyt kackyt added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 29, 2024
@pahud
Copy link
Contributor

pahud commented May 29, 2024

Yap according to this doc
https://docs.aws.amazon.com/AmazonECS/latest/developerguide/security_iam_id-based-policy-examples.html#IAM_run_policies

Looks like we should include this only:

            "Resource": ["arn:aws:ecs:<region>:<aws_account_id>:task-definition/<task_family>:*"]

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 29, 2024
@msambol
Copy link
Contributor

msambol commented May 30, 2024

I'll take this since it's related to my previous PR.

@msambol msambol mentioned this issue May 30, 2024
Merged
@blimmer
Copy link
Contributor

blimmer commented May 30, 2024
edited
Loading

This is also relevant for other targets, such as https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_events_targets-readme.html#run-an-ecs-task.

EDIT: I filed #30390 to keep it separate.

@blimmer blimmer mentioned this issue May 30, 2024
Closed
This was referenced Jun 1, 2024
Closed
Closed
@mergify mergify bot closed this as completed in #30389 Jun 24, 2024
@mergify mergify bot closed this as completed in 8ebfade Jun 24, 2024
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

1 similar comment
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-stepfunctions-tasks effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
5 participants
@pahud @blimmer @msambol @kackyt @aws-cdk-automation