aws-ec2: restrictDefaultSecurityGroup custom resource lambda uses basic lambda execution role, no ability to add perm boundary #31628
Labels:
@aws-cdk/aws-ec2: Related to Amazon Elastic Compute Cloud
bug: This issue is a bug.
closed-for-staleness: This issue was automatically closed because it hadn't received any attention in a while.
investigating: This issue is being investigated and/or work is in progress to resolve the issue.
p2
response-requested: Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Describe the bug
If the restrictDefaultSecurityGroup option is enabled for ec2.Vpc, a new lambda and lambda execution role is created with the AWSLambdaBasicExecutionRole attached, which grants inappropriately broad wildcard log access. There doesn't seem to be a way to override this, or to add a permissions boundary to the lambda execution role.
There are two issues with this:
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
ec2.Vpc should:
Current Behavior
See above
Reproduction Steps
Possible Solution
see expected behavior
Additional Information/Context
No response
CDK CLI Version
2.160
Framework Version
No response
Node.js Version
20
OS
any
Language
TypeScript
Language Version
No response
Other information
No response
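As an added example (not code from this issue, nor from the CDK project), here is a TypeScript check that a reviewer could run in CI over the JSON template produced by cdk synth. It flags every AWS::IAM::Role that attaches AWSLambdaBasicExecutionRole or carries no PermissionsBoundary, which is exactly the condition the report describes for the generated custom resource provider role. The sample template, its logical ids (VpcRestrictDefaultSGProviderRoleEXAMPLE, AppRoleEXAMPLE) and the policy shapes inside it are constructed for this example; the logical ids CDK actually emits differ.

```typescript
// Minimal view of a CloudFormation template as emitted by `cdk synth`.
type CfnResource = { Type: string; Properties?: Record<string, unknown> };
type CfnTemplate = { Resources?: Record<string, CfnResource> };

interface RoleFinding {
  logicalId: string;
  hasBasicExecutionRole: boolean; // AWSLambdaBasicExecutionRole attached
  hasPermissionsBoundary: boolean; // PermissionsBoundary property present
}

// The managed policy name is partition-independent; the ARN prefix is not.
const BASIC_EXEC_SUFFIX = "policy/service-role/AWSLambdaBasicExecutionRole";

// CDK renders managed policy ARNs either as plain strings or as
// intrinsics (Fn::Sub, Fn::Join with Ref AWS::Partition). Flatten any of
// those shapes to text so the suffix match works regardless of form.
function flattenToText(value: unknown): string {
  if (typeof value === "string") return value;
  if (Array.isArray(value)) return value.map(flattenToText).join("");
  if (value && typeof value === "object") {
    return Object.values(value as Record<string, unknown>).map(flattenToText).join("");
  }
  return "";
}

// Inspect every IAM role in the template and record the two properties
// the issue is about: the broad managed policy and the missing boundary.
function auditRoles(template: CfnTemplate): RoleFinding[] {
  const findings: RoleFinding[] = [];
  for (const [logicalId, res] of Object.entries(template.Resources ?? {})) {
    if (res.Type !== "AWS::IAM::Role") continue;
    const props = res.Properties ?? {};
    const managed = (props.ManagedPolicyArns as unknown[] | undefined) ?? [];
    findings.push({
      logicalId,
      hasBasicExecutionRole: managed.some((arn) => flattenToText(arn).includes(BASIC_EXEC_SUFFIX)),
      hasPermissionsBoundary: props.PermissionsBoundary !== undefined,
    });
  }
  return findings;
}

// Turn findings into human-readable violations suitable for failing a CI step.
function violations(template: CfnTemplate): string[] {
  const out: string[] = [];
  for (const f of auditRoles(template)) {
    if (f.hasBasicExecutionRole) {
      out.push(`${f.logicalId}: attaches AWSLambdaBasicExecutionRole (wildcard CloudWatch Logs access)`);
    }
    if (!f.hasPermissionsBoundary) {
      out.push(`${f.logicalId}: no PermissionsBoundary set`);
    }
  }
  return out;
}

// Constructed sample template: one role shaped like the generated provider
// role the issue describes, one role shaped the way a reviewer would want it.
const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    VpcRestrictDefaultSGProviderRoleEXAMPLE: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
        },
        ManagedPolicyArns: [
          { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" },
        ],
      },
    },
    AppRoleEXAMPLE: {
      Type: "AWS::IAM::Role",
      Properties: {
        AssumeRolePolicyDocument: {
          Version: "2012-10-17",
          Statement: [{ Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: "sts:AssumeRole" }],
        },
        PermissionsBoundary: { "Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/ExampleBoundary" },
        Policies: [
          {
            PolicyName: "logs",
            PolicyDocument: {
              Version: "2012-10-17",
              Statement: [{ Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"],
                Resource: { "Fn::Sub": "arn:${AWS::Partition}:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/lambda/example:*" } }],
            },
          },
        ],
      },
    },
  },
};

// Usage: a CI step would parse cdk.out/<stack>.template.json and exit non-zero on any violation.
console.log(violations(SAMPLE_TEMPLATE).join("\n"));
```

Running this against the constructed template reports two violations, both on the provider-shaped role, and none on the role that scopes its log permissions to a single log group and sets a boundary; the same check applied to real cdk.out templates makes the reported gap visible before deployment rather than after.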