Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(events-targets): encrypted queues get too wide permissions (under feature flag) #22740

Merged
merged 4 commits into from
Nov 2, 2022
Merged

fix(events-targets): encrypted queues get too wide permissions (under feature flag) #22740

merged 4 commits into from
Nov 2, 2022

Conversation

otaviomacedo
Copy link
Contributor

When the target of an event.Rule is an encrypted sqs.Queue, we give the queue a resource policy that allows the service principal 'events.amazonaws.com' to send messages from any account. This was done to avoid circular dependencies when trying to set permissions only to the rule itself. But this decision ended up making the queue vulnerable to attacks from other accounts.

Change the policy, restricting to requests coming from the same account. To avoid a breaking change for users who may already be relying on the permissive policy, this feature has to be enabled by a feature flag.

All Submissions:

Adding new Unconventional Dependencies:

  • This PR adds new unconventional dependencies following the process described here

New Features

  • Have you added the new feature to an integration test?
    • Did you use yarn integ to deploy the infrastructure and generate the snapshot (i.e. yarn integ without --dry-run)?

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@gitpod-io
Copy link

gitpod-io bot commented Nov 2, 2022

@github-actions github-actions bot added the p2 label Nov 2, 2022
@aws-cdk-automation aws-cdk-automation requested a review from a team November 2, 2022 10:14
@otaviomacedo otaviomacedo requested review from a team and removed request for a team November 2, 2022 10:14
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Nov 2, 2022
aws-cdk-automation
aws-cdk-automation previously requested changes Nov 2, 2022
View reviewed changes
Copy link
Collaborator

@aws-cdk-automation aws-cdk-automation left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The pull request linter has failed. See the aws-cdk-automation comment below for failure reasons. If you believe this pull request should receive an exemption, please comment and provide a justification.

@otaviomacedo otaviomacedo added the pr-linter/exempt-integ-test The PR linter will not require integ test changes label Nov 2, 2022
@otaviomacedo otaviomacedo changed the title fix(events): encrypted queues get too wide permissions fix(events-targets): encrypted queues get too wide permissions Nov 2, 2022
@otaviomacedo
Copy link
Contributor Author

Exempting integration tests, since the current integration test for the SQS Queue target already exercises this scenario.

@aws-cdk-automation aws-cdk-automation dismissed their stale review November 2, 2022 14:29

✅ Updated pull request passes all PRLinter validations. Dissmissing previous PRLinter review.

@TheRealAmazonKendra TheRealAmazonKendra changed the title fix(events-targets): encrypted queues get too wide permissions fix(events-targets): encrypted queues get too wide permissions (under feature flag) Nov 2, 2022
@mergify
Copy link
Contributor

mergify bot commented Nov 2, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: dc763a2
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit a36f2f0 into main Nov 2, 2022
@mergify mergify bot deleted the otaviom/events-sqs-source-same-account branch November 2, 2022 18:35
@mergify
Copy link
Contributor

mergify bot commented Nov 2, 2022

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@laurelmay laurelmay mentioned this pull request Dec 18, 2022
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@TheRealAmazonKendra TheRealAmazonKendra TheRealAmazonKendra approved these changes

@aws-cdk-automation aws-cdk-automation aws-cdk-automation left review comments

Assignees
No one assigned
Labels
contribution/core This is a PR that came from AWS. p2 pr-linter/exempt-integ-test The PR linter will not require integ test changes
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@otaviomacedo @aws-cdk-automation @TheRealAmazonKendra