@tam0ri tam0ri commented May 29, 2025

Issue

Problem 1

The policy generated by grantStreamRead and grantTableListStreams includes dynamodb:ListStreams as an action, but the stream ARN is currently specified as the resource. The ListStreams API does not support resource-level permissions, so the generated policy will not grant access. A similar issue was fixed in Table v1 by #10631.

Problem 2

The policy generated by grantReadData and grantReadWriteData includes dynamodb:GetRecords and dynamodb:GetShardIterator as actions, but the table ARN is currently specified as the resource. Those actions support only the stream as a resource for resource-level permissions, so the generated policy will not grant access for those two actions. Those permissions should be granted by grantStreamRead.

Description of changes

  • Correct resource from specific stream ARN to wildcard ('*') in grantTableListStreams
  • Remove dynamodb:GetRecords and dynamodb:GetShardIterator from grantReadData and grantReadWriteData

Checklist


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
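As an added illustration (not code from this PR or from aws-cdk-lib), the following check flags the two defects described above in a synthesized IAM policy: a resource-scoped dynamodb:ListStreams, and the two stream-only actions attached to a table ARN. The statements, table name, account id and stream label are constructed samples.

```typescript
// Added example: lint plain IAM statement JSON for DynamoDB grants that cannot take effect.
type IamStatement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};

type Finding = { action: string; resource: string; reason: string };

// Actions with no resource-level permissions: scoping them to any ARN grants nothing.
const WILDCARD_ONLY_ACTIONS = new Set(["dynamodb:ListStreams"]);

// Actions whose only valid resource type is a stream ARN
// (arn:...:table/<name>/stream/<label>), never the table ARN itself.
const STREAM_ONLY_ACTIONS = new Set(["dynamodb:GetRecords", "dynamodb:GetShardIterator"]);

const STREAM_ARN = /^arn:[^:]+:dynamodb:[^:]*:[^:]*:table\/[^/]+\/stream\/.+$/;

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Returns one finding per (action, resource) pair that will silently deny.
function findIneffectiveDynamoDbGrants(statements: IamStatement[]): Finding[] {
  const findings: Finding[] = [];
  for (const s of statements) {
    if (s.Effect !== "Allow") continue;
    for (const action of asList(s.Action)) {
      for (const resource of asList(s.Resource)) {
        if (WILDCARD_ONLY_ACTIONS.has(action) && resource !== "*") {
          findings.push({ action, resource, reason: "no resource-level permissions; Resource must be '*'" });
        } else if (STREAM_ONLY_ACTIONS.has(action) && resource !== "*" && !STREAM_ARN.test(resource)) {
          findings.push({ action, resource, reason: "only valid on a stream ARN, not a table ARN" });
        }
      }
    }
  }
  return findings;
}

// Constructed samples modelled on the policies the PR describes (hypothetical table and account).
const TABLE = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders";
const STREAM = TABLE + "/stream/2025-05-29T00:00:00.000";

const beforeFix: IamStatement[] = [
  { Effect: "Allow", Action: "dynamodb:ListStreams", Resource: STREAM },
  { Effect: "Allow", Action: ["dynamodb:GetItem", "dynamodb:GetRecords", "dynamodb:GetShardIterator"], Resource: TABLE },
];
const afterFix: IamStatement[] = [
  { Effect: "Allow", Action: "dynamodb:ListStreams", Resource: "*" },
  { Effect: "Allow", Action: "dynamodb:GetItem", Resource: TABLE },
  { Effect: "Allow", Action: ["dynamodb:GetRecords", "dynamodb:GetShardIterator"], Resource: STREAM },
];

console.log(findIneffectiveDynamoDbGrants(beforeFix)); // 3 findings
console.log(findIneffectiveDynamoDbGrants(afterFix)); // []
```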

@aws-cdk-automation aws-cdk-automation requested a review from a team May 29, 2025 07:23
@github-actions github-actions bot added star-contributor [Pilot] contributed between 25-49 PRs to the CDK p2 labels May 29, 2025
@aws-cdk-automation aws-cdk-automation left a comment

(This review is outdated)

@aws-cdk-automation aws-cdk-automation dismissed their stale review May 31, 2025 00:01

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.

@aws-cdk-automation

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: 9482c63
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)


@aws-cdk-automation aws-cdk-automation added the pr/needs-community-review This PR needs a review from a Trusted Community Member or Core Team Member. label May 31, 2025
tam0ri commented May 31, 2025

Exemption Request:
Security Guardian reported 3 issues in its intrinsic scan. All of them are KMS key policies. However, this does not mean that permissions are granted to all IAM principals under the account.
https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html

"When the principal in a key policy statement is an AWS account principal expressed as "arn:aws:iam::111122223333:root", the policy statement doesn't give permission to any IAM principal. Instead, it gives the AWS account permission to use IAM policies to delegate the permissions specified in the key policy. (A principal in "arn:aws:iam::111122223333:root" format does not represent the AWS account root user, despite the use of "root" in the account identifier.)"

@aws-cdk-automation aws-cdk-automation added the pr-linter/exemption-requested The contributor has requested an exemption to the PR Linter feedback. label May 31, 2025