chore: add support for IAM Identity Center in security diff (#1052)

For issue aws/aws-cdk#29835 This is the first of 2 PRs. The other PR will be to the main aws-cdk repository. Notice that AWS::SSO::PermissionSet has a property called `ManagedPolicies`. That's why I add that property check. And judging by the db.json that we create in this package (the service spec), AWS::SSO::PermissionSet is the only resource with that property name: ``` (18:36:39) bergjak@bcd074b101ed ~/workplace/CDK/awscdk-service-spec AwsSsoFix ✔ ➜ cat ~/db.json4 | jq '.schema.resource.entities.[]' | jq '.properties' | grep ManagedPolicies "scrutinizable": "ManagedPolicies" "scrutinizable": "ManagedPolicies" "scrutinizable": "ManagedPolicies" "scrutinizable": "ManagedPolicies" "scrutinizable": "CustomerManagedPolicies" "ManagedPolicies": { "scrutinizable": "ManagedPolicies" ``` AWS::SSO is the IAM Identity Center, and therefore changes to AWS SSO resources are security sensitive. Hence the issue. ### Testing As you'll see in the next pull request, I have integration tests for this change * Here is the PR with all the testing aws/aws-cdk#30009
cdklabs · Apr 30, 2024 · f1e77e8 · f1e77e8
1 parent 9d2f5cd
commit f1e77e8
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 2 deletions.
diff --git a/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts b/packages/@aws-cdk/aws-service-spec/build/scrutinies.ts
@@ -57,8 +57,8 @@ export class Scrutinies {
   private autoPropertyScrutiny(propertyName: string, property: Property): PropertyScrutinyType | undefined {
     const richDb = new RichSpecDatabase(this.db);
 
-    // Detect fields named like ManagedPolicyArns
-    if (propertyName === 'ManagedPolicyArns') {
+    // Detect fields named like ManagedPolicyArns or ManagedPolicies (AWS::SSO::PermissionSet, for example)
+    if (propertyName === 'ManagedPolicyArns' || propertyName === 'ManagedPolicies') {
       return PropertyScrutinyType.ManagedPolicies;
     }
 
@@ -93,6 +93,12 @@ export class Scrutinies {
     this.setResourceScrutiny('AWS::EC2::SecurityGroupEgress', ResourceScrutinyType.EgressRuleResource);
     this.setPropertyScrutiny('AWS::EC2::SecurityGroup', 'SecurityGroupIngress', PropertyScrutinyType.IngressRules);
     this.setPropertyScrutiny('AWS::EC2::SecurityGroup', 'SecurityGroupEgress', PropertyScrutinyType.EgressRules);
+
+    // AWS IAM Identity Center (formerly AWS SSO)
+    // eslint-disable-next-line prettier/prettier
+    this.setResourceScrutiny('AWS::SSO::InstanceAccessControlAttributeConfiguration', ResourceScrutinyType.SsoInstanceACAConfigResource);
+    this.setResourceScrutiny('AWS::SSO::Assignment', ResourceScrutinyType.SsoAssignmentResource);
+    this.setResourceScrutiny('AWS::SSO::PermissionSet', ResourceScrutinyType.SsoPermissionSet);
   }
 
   private setResourceScrutiny(cfnType: string, scrutiny: ResourceScrutinyType) {

diff --git a/packages/@aws-cdk/service-spec-types/src/types/resource.ts b/packages/@aws-cdk/service-spec-types/src/types/resource.ts
@@ -400,6 +400,27 @@ export enum ResourceScrutinyType {
    * A set of egress rules
    */
   EgressRuleResource = 'EgressRuleResource',
+
+  /**
+   * AWS::SSO::Assignment
+   *
+   * IAM Identity Center (formerly known as SSO)
+   */
+  SsoAssignmentResource = 'SsoAssignmentResource',
+
+  /**
+   * AWS::SSO::InstanceAccessControlAttributeConfiguration
+   *
+   * IAM Identity Center (formerly known as SSO)
+   */
+  SsoInstanceACAConfigResource = 'SsoInstanceACAConfigResource',
+
+  /**
+   * AWS::SSO::PermissionSet
+   *
+   * IAM Identity Center (formerly known as SSO)
+   */
+  SsoPermissionSet = 'SsoPermissionSet',
 }
 
 /**