feat(iam): Permissions Boundaries #12777
Conversation
Allow configuring Permissions Boundaries for an entire subtree using Aspects, add a sample policy which can be used to reduce future misconfiguration risk for untrusted CodeBuild projects as an example. Fixes #3242.
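The security point behind the boundary-plus-Aspect approach is how IAM evaluates a permissions boundary: it never grants anything on its own, the effective permissions of a principal are the intersection of its identity-based policy and the boundary, and an explicit Deny in either wins. The following is an added TypeScript example, not code from this PR or from the `@aws-cdk/aws-iam` package, that models exactly that evaluation for identity-based access (resource-based policies, SCPs and session policies are out of scope). The policy documents in it are constructed for illustration; the two `ec2:Describe*` actions echo the review snippet below, everything else (the log-group and bucket ARNs, the `iam:*` Deny) is assumed.

```typescript
// Added example; not code from the aws-cdk PR or the @aws-cdk/aws-iam library.
// A minimal model of how IAM combines an identity-based policy with a
// permissions boundary: effective permissions are the intersection of the two,
// and an explicit Deny in either wins. Resource-based policies, SCPs and
// session policies are deliberately out of scope.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string[];   // IAM action patterns, e.g. "s3:GetObject", "ec2:Describe*"
  Resource: string[]; // ARN patterns, e.g. "arn:aws:s3:::my-bucket/*" or "*"
}

interface PolicyDocument {
  Statement: Statement[];
}

type Decision = "Allow" | "Deny" | "ImplicitDeny";

// Translate an IAM wildcard pattern ("*" = any run, "?" = one character) into a
// RegExp. Actions are matched case-insensitively, which is how IAM treats them.
function patternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i");
}

function statementMatches(s: Statement, action: string, resource: string): boolean {
  return (
    s.Action.some((a) => patternToRegExp(a).test(action)) &&
    s.Resource.some((r) => patternToRegExp(r).test(resource))
  );
}

// Decision for a single policy document: explicit Deny beats Allow, and a
// request matched by no statement is implicitly denied.
function evaluatePolicy(doc: PolicyDocument, action: string, resource: string): Decision {
  const matched = doc.Statement.filter((s) => statementMatches(s, action, resource));
  if (matched.some((s) => s.Effect === "Deny")) return "Deny";
  if (matched.some((s) => s.Effect === "Allow")) return "Allow";
  return "ImplicitDeny";
}

// Combined decision with a permissions boundary attached to the principal.
// The boundary never grants anything by itself: the request must be allowed by
// the identity policy AND by the boundary, and denied by neither.
function evaluateWithBoundary(
  identity: PolicyDocument,
  boundary: PolicyDocument,
  action: string,
  resource: string,
): boolean {
  const id = evaluatePolicy(identity, action, resource);
  const pb = evaluatePolicy(boundary, action, resource);
  if (id === "Deny" || pb === "Deny") return false;
  return id === "Allow" && pb === "Allow";
}

// Constructed sample (assumed, not the PR's sample policy): an over-broad role
// policy of the kind a build project can end up with, and a boundary that caps
// what the role may ever do regardless of what is later added to it.
const overBroadRolePolicy: PolicyDocument = {
  Statement: [{ Effect: "Allow", Action: ["*"], Resource: ["*"] }],
};

const buildProjectBoundary: PolicyDocument = {
  Statement: [
    { Effect: "Allow", Action: ["logs:CreateLogStream", "logs:PutLogEvents"], Resource: ["arn:aws:logs:*:*:log-group:/aws/codebuild/*"] },
    { Effect: "Allow", Action: ["ec2:DescribeVpcs", "ec2:DescribeDhcpOptions"], Resource: ["*"] },
    { Effect: "Allow", Action: ["s3:GetObject"], Resource: ["arn:aws:s3:::build-artifacts-example/*"] },
  ],
};

// The same boundary with an explicit Deny on iam:*. For identity-based access
// the outcome is the same as simply leaving iam:* out of the Allow list.
const boundaryWithExplicitDeny: PolicyDocument = {
  Statement: [...buildProjectBoundary.Statement, { Effect: "Deny", Action: ["iam:*"], Resource: ["*"] }],
};

// A role policy that grants nothing on S3: the boundary cannot add it back.
const narrowRolePolicy: PolicyDocument = {
  Statement: [{ Effect: "Allow", Action: ["logs:*"], Resource: ["*"] }],
};
```

`evaluateWithBoundary(overBroadRolePolicy, buildProjectBoundary, "iam:CreateUser", "*")` returns `false` even though the role policy says `*`, and swapping in `boundaryWithExplicitDeny` gives the same answer, which is why an omitted action and a "forbid" statement are interchangeable here; `evaluateWithBoundary(narrowRolePolicy, buildProjectBoundary, "s3:GetObject", …)` shows the other direction, that a boundary alone grants nothing.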
Looks awesome! People are going to love this!
Add a note in the PR description that this is related to aws/aws-cdk-rfcs#5
'ec2:DescribeDhcpOptions',
'ec2:DescribeVpcs',

// NOTABLY MISSING:
Would it make sense to add "forbid" statements for these?
Not really. It does the same thing.
packages/@aws-cdk/aws-iam/README.md (Outdated)
tree all at once:

```ts
// This imports an existing policy. You can also create a new one.
```
Don't we also want to show how to define a new permission boundary using the CDK?
The 99.9% use case is that a PB will have been created for you by an administrator. It only makes sense in very select cases to create one yourself. But sure.
Minor notes, added
Thank you for contributing! Your pull request will be updated from master and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).
Allow configuring Permissions Boundaries for an entire subtree using Aspects, add a sample policy which can be used to reduce future misconfiguration risk for untrusted CodeBuild projects as an example. Addresses one part of aws/aws-cdk-rfcs#5. Fixes aws#3242.

ALSO IN THIS COMMIT: Fix a bug in the `assert` library, where `haveResource()` would *never* match any resource that didn't have a `Properties` block (even if we tested for no property in particular, or the absence of properties). This fix caused two ECS tests to fail, which were asserting the wrong thing anyway (both were asserting `notTo(haveResource(...))` where they actually meant to assert `to(haveResource())`).

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*