Commit

Update cdkExecPolicy.yaml to clean up overly excessive permissions (#1085)
### Feature or Bugfix
BugFix

### Detail
This PR is to address overly excessive permissions for the cdk custom execution policy for linking accounts that are reported by checkov.

### Relates
#876

### Security
Please answer the questions below briefly where applicable, or write `N/A`. Based on [OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this includes fetching data from storage outside the application (e.g. a database, an S3 bucket)?
  - Is the input sanitized? N/A
  - What precautions are you taking before deserializing the data you consume? N/A
  - Is injection prevented by parametrizing queries? N/A
  - Have you ensured no `eval` or similar functions are used? N/A
- Does this PR introduce any functionality or component that requires authorization? N/A
  - How have you ensured it respects the existing AuthN/AuthZ mechanisms? N/A
  - Are you logging failed auth attempts? N/A
- Are you using or adding any cryptographic features? N/A
  - Do you use standard proven implementations? N/A
  - Are the used keys controlled by the customer? Where are they stored? N/A
- Are you introducing any new policies/roles/users? N/A
- Have you used the least-privilege principle? How? Yes. Restricted overly permissive permissions to required resources.


By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

---------

Co-authored-by: Noah Paige <noahpaig@amazon.com>
mourya-33 and noah-paige authored Apr 5, 2024
1 parent e4b670e commit 071e4e2
Showing 2 changed files with 167 additions and 80 deletions.
241 changes: 162 additions & 79 deletions deploy/cdk_exec_policy/cdkExecPolicy.yaml
@@ -8,6 +8,60 @@ Parameters:
EnvironmentResourcePrefix:
Description: The resource prefix value of the dataall environment. It MUST match the resource prefix that we use when we create the environment.
Type: String
NotebooksEnabled:
Description: Whether Notebooks are enabled on this Data.all Environment.
Type: String
Default: "true"
AllowedValues:
- "true"
- "false"
MLStudioEnabled:
Description: Whether ML Studio is enabled on this Data.all Environment
Type: String
Default: "true"
AllowedValues:
- "true"
- "false"
PipelinesEnabled:
Description: Whether Pipelines are enabled on this Data.all Environment
Type: String
Default: "true"
AllowedValues:
- "true"
- "false"
DashboardsEnabled:
Description: Whether Dashboards are enabled on this Data.all Environment
Type: String
Default: "true"
AllowedValues:
- "true"
- "false"

Conditions:
NotebooksEnabledCondition:
!Equals
- !Ref NotebooksEnabled
- "true"
MLStudioEnabledCondition:
!Equals
- !Ref MLStudioEnabled
- "true"
SagemakerComponentsEnabledCondition: !Or
- !Equals
- !Ref NotebooksEnabled
- "true"
- !Equals
- !Ref MLStudioEnabled
- "true"
PipelinesEnabledCondition:
!Equals
- !Ref PipelinesEnabled
- "true"
DashboardsEnabledCondition:
!Equals
- !Ref DashboardsEnabled
- "true"

Resources:
CDKCustomExecutionPolicy0:
Type: 'AWS::IAM::ManagedPolicy'
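Review bot: `SagemakerComponentsEnabledCondition` re-evaluates the two `!Equals` tests that `NotebooksEnabledCondition` and `MLStudioEnabledCondition` already define; CloudFormation lets a condition reference other conditions, so `!Or [!Condition NotebooksEnabledCondition, !Condition MLStudioEnabledCondition]` removes the duplication and keeps the three in step if the comparison value ever changes. Also worth stating in the docs: all four new parameters default to `"true"`, so an operator who deploys the template unchanged receives exactly the grants this policy had before the change and has to opt out feature by feature.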
@@ -56,25 +110,38 @@ Resources:
- 'iam:*Role*'
Resource: !Sub 'arn:${AWS::Partition}:iam::*:role/cdk-*'

- Sid: Quicksight
Effect: Allow
Action:
- 'ds:AuthorizeApplication'
- 'ds:UnauthorizeApplication'
- 'ds:CheckAlias'
- 'ds:CreateAlias'
- 'ds:Describe*'
- 'ds:DeleteDirectory'
- 'ds:CreateIdentityPoolDirectory'
- 'quicksight:CreateAdmin'
- 'quicksight:CreateUser'
- 'quicksight:Subscribe'
- 'quicksight:Get*'
- 'quicksight:SearchDirectoryGroups'
- 'quicksight:SetGroupMapping'
- 'quicksight:RegisterUser'
- 'quicksight:Describe*'
Resource: '*'
- !If
- DashboardsEnabledCondition
- Sid: Quicksight
Effect: Allow
Action:
- 'ds:AuthorizeApplication'
- 'ds:UnauthorizeApplication'
- 'ds:CheckAlias'
- 'ds:CreateAlias'
- 'ds:Describe*'
- 'ds:DeleteDirectory'
- 'ds:CreateIdentityPoolDirectory'
- 'quicksight:CreateAdmin'
- 'quicksight:CreateUser'
- 'quicksight:Subscribe'
- 'quicksight:Get*'
- 'quicksight:SearchDirectoryGroups'
- 'quicksight:SetGroupMapping'
- 'quicksight:RegisterUser'
- 'quicksight:Describe*'
Resource:
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:user/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:datasource/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:dataset/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:analysis/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:dashboard/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:group/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:folder/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:template/*'
- !Sub 'arn:${AWS::Partition}:quicksight:${AWS::Region}:${AWS::AccountId}:theme/*'
- !Sub 'arn:${AWS::Partition}:ds:${AWS::Region}:${AWS::AccountId}:user/*'
- !Ref AWS::NoValue

- Sid: QuicksightDeny
Effect: Deny
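Review bot: the new `Resource` list for the Quicksight statement mixes actions with different resource models. Several of the listed actions are account-level rather than resource-level (for example `quicksight:Subscribe`, `quicksight:CreateAdmin`, `ds:CreateIdentityPoolDirectory`, `ds:DeleteDirectory`), and the `ds:...:user/*` ARN is not the `directory/<id>` shape that Directory Service actions are evaluated against, so any call that matches none of the listed ARNs will now be denied where the old `Resource: '*'` allowed it. Before merging, deploy with `DashboardsEnabled=true` and run the document through IAM Access Analyzer policy validation (`aws accessanalyzer validate-policy`) to confirm the scoped ARNs cover the QuickSight subscription path; if some actions genuinely support only `*`, move them into a separate statement with `Resource: '*'` and keep the resource-scoped actions here.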
@@ -152,20 +219,23 @@ Resources:
- 'sqs:GetQueueAttributes'
Resource: !Sub 'arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*'

- Sid: Sagemaker
Effect: Allow
Action:
- 'sagemaker:*Tag*'
- 'sagemaker:*Domain'
- 'sagemaker:CreateApp'
- 'sagemaker:CreateUserProfile'
- 'sagemaker:DescribeUserProfile'
- 'sagemaker:DeleteUserProfile'
- 'sagemaker:*NotebookInstance'
Resource:
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*'
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*'
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${EnvironmentResourcePrefix}*'
- !If
- SagemakerComponentsEnabledCondition
- Sid: Sagemaker
Effect: Allow
Action:
- 'sagemaker:*Tag*'
- 'sagemaker:*Domain'
- 'sagemaker:CreateApp'
- 'sagemaker:CreateUserProfile'
- 'sagemaker:DescribeUserProfile'
- 'sagemaker:DeleteUserProfile'
- 'sagemaker:*NotebookInstance'
Resource:
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:domain/*'
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:user-profile/*'
- !Sub 'arn:${AWS::Partition}:sagemaker:${AWS::Region}:${AWS::AccountId}:notebook-instance/${EnvironmentResourcePrefix}*'
- !Ref AWS::NoValue

- Sid: SSM
Effect: Allow
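Review bot: the `!If` gate is the only change to the Sagemaker statement, so its existing scoping gap stays in place: `domain/*` and `user-profile/*` are unrestricted while `notebook-instance/` is narrowed to `${EnvironmentResourcePrefix}*`, and `sagemaker:CreateApp` is evaluated against the `app/...` resource type, which is absent from the list, so check that CreateApp still succeeds under this statement when ML Studio is enabled. Either add a prefixed `app/*` ARN (and prefix `domain/` and `user-profile/` if the environment names them with the prefix) or say in the PR description that the Studio resources are intentionally left unscoped so the checkov baseline reflects it.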
@@ -196,9 +266,9 @@ Resources:
Effect: Allow
Action:
- 'cloudformation:*'
Resource:
Resource:
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/CDKToolkit/*'
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/${EnvironmentResourcePrefix}*'
- !Sub 'arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:stack/{EnvironmentResourcePrefix}*'

- Sid: ECR
Effect: Allow
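Review bot: the two versions of the second `stack/` ARN differ by one character, `stack/${EnvironmentResourcePrefix}*` against `stack/{EnvironmentResourcePrefix}*`. If the line without the `$` is the one being added, `!Sub` performs no substitution and the statement grants `cloudformation:*` on the literal stack name prefix `{EnvironmentResourcePrefix}`, so deployments of the environment's own stacks would be denied while the only effective grant left is `stack/CDKToolkit/*`. Restore the `$`; apart from that, this hunk only changes whitespace on the `Resource:` line and is unrelated to the permission cleanup.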
@@ -218,55 +288,68 @@ Resources:
- 'glue:*'
Resource: '*'

- Sid: EC2
Effect: Allow
Action:
- 'ec2:Describe*'
- 'ec2:*SecurityGroup*'
- 'ec2:Create*'
- 'ec2:*InternetGateway*'
- 'ec2:Associate*'
- 'ec2:Disassociate*'
- 'ec2:Delete*'
- 'ec2:Modify*'
- 'ec2:Get*'
- 'ec2:*Address'
- 'elasticfilesystem:CreateFileSystem'
- 'elasticfilesystem:TagResource'
- 'elasticfilesystem:UntagResource'
- 'elasticfilesystem:DeleteFileSystem'
Resource: '*'
- !If
- SagemakerComponentsEnabledCondition
- Sid: EC2
Effect: Allow
Action:
- 'ec2:Describe*'
- 'ec2:*SecurityGroup*'
- 'ec2:Create*'
- 'ec2:*InternetGateway*'
- 'ec2:Associate*'
- 'ec2:Disassociate*'
- 'ec2:Delete*'
- 'ec2:Modify*'
- 'ec2:Get*'
- 'ec2:*Address'
- 'elasticfilesystem:CreateFileSystem'
- 'elasticfilesystem:TagResource'
- 'elasticfilesystem:UntagResource'
- 'elasticfilesystem:DeleteFileSystem'
Resource: '*'
- !Ref AWS::NoValue

- Sid: EC2Deny
Effect: Deny
Action:
- 'ec2:*Instance*'
Resource: '*'

- Sid: CodePipeline
Effect: Allow
Action:
- 'codepipeline:*Tag*'
- 'codepipeline:CreatePipeline'
- 'codepipeline:UpdatePipeline'
- 'codepipeline:StartPipelineExecution'
- 'codepipeline:GetPipeline*'
- 'codepipeline:List*'
- 'codepipeline:DeletePipeline'
- 'codestar-notifications:List*'
- 'codestar-notifications:DescribeNotificationRule'
- 'codecommit:Create*'
- 'codecommit:DeleteRepository'
- 'codecommit:*Tag*'
- 'codebuild:*Project*'
Resource: '*'
- !If
- PipelinesEnabledCondition
- Sid: CodePipeline
Effect: Allow
Action:
- 'codepipeline:*Tag*'
- 'codepipeline:CreatePipeline'
- 'codepipeline:UpdatePipeline'
- 'codepipeline:StartPipelineExecution'
- 'codepipeline:GetPipeline*'
- 'codepipeline:List*'
- 'codepipeline:DeletePipeline'
- 'codecommit:Create*'
- 'codecommit:DeleteRepository'
- 'codecommit:*Tag*'
- 'codebuild:*Project*'
Resource:
- !Sub 'arn:${AWS::Partition}:codecommit:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*'
- !Sub 'arn:${AWS::Partition}:codepipeline:${AWS::Region}:${AWS::AccountId}:${EnvironmentResourcePrefix}*'
- !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/${EnvironmentResourcePrefix}*'
- !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/DDKCodePipelineBuildSynthCd*'
- !Sub 'arn:${AWS::Partition}:codebuild:${AWS::Region}:${AWS::AccountId}:project/DDKCodePipelineUpdatePipelineSelfMutation'
- !Ref AWS::NoValue

- Sid: Events
Effect: Allow
Action:
- 'events:PutRule'
- 'events:DescribeRule'
- 'events:PutTargets'
- 'events:RemoveTargets'
- 'events:DeleteRule'
Resource: '*'
- !If
- PipelinesEnabledCondition
- Sid: Events
Effect: Allow
Action:
- 'events:PutRule'
- 'events:DescribeRule'
- 'events:PutTargets'
- 'events:RemoveTargets'
- 'events:DeleteRule'
Resource:
- !Sub 'arn:${AWS::Partition}:events:${AWS::Region}:${AWS::AccountId}:rule/${EnvironmentResourcePrefix}*'
- !Ref AWS::NoValue
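Review bot: three points in this hunk. First, the `EC2` statement is now conditional but otherwise unchanged: `ec2:Create*`, `ec2:Delete*`, `ec2:Modify*` and the `elasticfilesystem:` actions still carry `Resource: '*'`, so with Notebooks or ML Studio enabled (the default) this statement keeps the wildcard-resource finding the PR sets out to fix; if prefix-based ARNs are not practical for EC2, a tag condition (`aws:RequestTag` on create, `ec2:ResourceTag` on delete/modify, keyed on the environment) would narrow it. Second, the `CodePipeline` statement silently drops `codestar-notifications:List*` and `codestar-notifications:DescribeNotificationRule`, and its new resource-scoped ARNs will deny account-level list calls such as `codepipeline:ListPipelines` and `codebuild:ListProjects` (matched by `codepipeline:List*` and `codebuild:*Project*`) that only accept `Resource: '*'`; confirm with a Pipelines-enabled deploy and mention the removed actions in the description. Third, `Events` is now gated on `PipelinesEnabledCondition`; verify that no other environment component creates EventBridge rules, otherwise an environment with Pipelines disabled loses that permission. The unconditional `EC2Deny` on `ec2:*Instance*` is a sound backstop and should stay outside any `!If`.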
@@ -325,7 +325,11 @@ const EnvironmentCreateForm = (props) => {
CloudFormation (i.e. CDK Execution Policy). You optionally
can use the below CloudFormation template to create the
custom IAM policy that is more restrictive than the
default <b>AdministratorAccess</b> policy.
default <b>AdministratorAccess</b> policy. To remove
permissions associated to the environment features -
Notebooks, MLStudio, Pipelines and Dashboards, please set
the respective parameters to <b>false</b> in the
CloudFormation template (default is true).
</Typography>
<Button
color="primary"
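Review bot: two wording points in the added help text. "permissions associated to the environment features" should read "associated with", and the sentence should name the template parameters exactly as they appear in `cdkExecPolicy.yaml` (`NotebooksEnabled`, `MLStudioEnabled`, `PipelinesEnabled`, `DashboardsEnabled`) so a user can locate them without reading the template; the "(default is true)" remark matches the `Default: "true"` on each parameter and should stay.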

0 comments on commit 071e4e2