We're (mostly happily ;)) using the AWS CDK to deploy our application stack to multiple environments (e.g. production, centralized dev, individual dev). Now we want to increase security by applying the least-privilege principle to the deployment role. As the CDK code already has all the information about which services it will touch, is there a best practice as to how to generate the role definition?

Obviously it can't be a part of the stack, as it is needed to deploy the stack. Is there any mechanism built into the CDK (e.g. the construct CloudFrontDistribution is used, thus the deployment role needs to have the permission to create, update and delete CloudFrontDistributions - possibly even after the CloudFrontDistribution is mapped to only do that to that one distribution)?

Any best practices as to how to achieve that?

Chris

2 Answers

No. Sadly there isn't currently (2022-Q3) a way to have the CDK code also provide an IAM policy that would grant you access to run that template and nothing more.

However, everything is there to do it, and thanks to aspects it could probably be done relatively easily if you wanted to put in the leg work. I know many people in the community would love to have this.

Matthew Bonig
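The "everything is there to do it" part can be shown without an Aspect: `cdk synth` already emits a CloudFormation template listing every resource type the stack touches, and a few lines of TypeScript can turn that into a policy scoped to exactly those services plus this one stack. The following is an added example written for this page, not code from the answer's author or from the CDK project. It assumes the synthesized template is available as JSON, that the CloudFormation-namespace-to-IAM-prefix mapping (lower-cased namespace with a short, hand-maintained override table) is a good-enough approximation, that stack-created roles are named `<stackName>-*`, and that a permissions boundary policy ARN exists for roles the stack creates. The sample template at the bottom is constructed.

```typescript
// Added example, not part of the original answers: derive a service-scoped
// deployment policy from a synthesized CloudFormation template (cdk synth output).
// The CloudFormation namespace -> IAM service prefix mapping is an assumed,
// hand-maintained approximation, not an AWS-published table.

export interface CfnTemplate {
  Resources: Record<string, { Type: string }>;
}

export interface PolicyStatement {
  Sid: string;
  Effect: "Allow";
  Action: string[];
  Resource: string;
  Condition?: Record<string, Record<string, string>>;
}

export interface PolicyDocument {
  Version: "2012-10-17";
  Statement: PolicyStatement[];
}

// Namespaces whose IAM prefix is not simply the lower-cased namespace (partial list, assumed).
const PREFIX_OVERRIDES: Record<string, string> = {
  ApiGateway: "apigateway",
  ApiGatewayV2: "apigateway",
  CertificateManager: "acm",
  ElasticLoadBalancingV2: "elasticloadbalancing",
};

// "AWS::CloudFront::Distribution" -> "cloudfront". Returns null for entries that
// map to no IAM service: CDK metadata and Custom:: resources (their Lambda
// backing functions already show up as AWS::Lambda::Function).
export function servicePrefix(cfnType: string): string | null {
  const parts = cfnType.split("::");
  if (parts[0] === "Custom") return null;
  if (parts.length !== 3 || parts[0] !== "AWS") {
    throw new Error(`unsupported resource type: ${cfnType}`);
  }
  if (parts[1] === "CDK") return null;
  return PREFIX_OVERRIDES[parts[1]] ?? parts[1].toLowerCase();
}

// Distinct IAM service prefixes the template touches, sorted for stable diffs.
export function servicesInTemplate(tpl: CfnTemplate): string[] {
  const prefixes = new Set<string>();
  for (const res of Object.values(tpl.Resources)) {
    const prefix = servicePrefix(res.Type);
    if (prefix !== null) prefixes.add(prefix);
  }
  return [...prefixes].sort();
}

// Mutating IAM role actions that honour the iam:PermissionsBoundary condition key.
const IAM_ROLE_MUTATIONS = [
  "iam:CreateRole", "iam:PutRolePolicy", "iam:AttachRolePolicy",
  "iam:DetachRolePolicy", "iam:DeleteRolePolicy",
];

export function deploymentPolicy(
  tpl: CfnTemplate, region: string, account: string, stackName: string,
  boundaryArn: string, // permissions boundary every stack-created role must carry
): PolicyDocument {
  const services = servicesInTemplate(tpl);
  const statements: PolicyStatement[] = [{
    // cdk deploy always drives CloudFormation; scope it to this one stack.
    Sid: "StackOps", Effect: "Allow", Action: ["cloudformation:*"],
    Resource: `arn:aws:cloudformation:${region}:${account}:stack/${stackName}/*`,
  }];
  const others = services.filter((s) => s !== "iam");
  if (others.length > 0) {
    statements.push({ Sid: "TouchedServices", Effect: "Allow",
      Action: others.map((s) => `${s}:*`), Resource: "*" });
  }
  if (services.includes("iam")) {
    // iam:* on "*" would let the deployer mint an admin role; instead require
    // that any role it creates or modifies carries the permissions boundary.
    // Assumption: stack-created roles are named "<stackName>-*".
    const roles = `arn:aws:iam::${account}:role/${stackName}-*`;
    statements.push(
      { Sid: "IamRoleMutationsNeedBoundary", Effect: "Allow", Action: IAM_ROLE_MUTATIONS,
        Resource: roles, Condition: { StringEquals: { "iam:PermissionsBoundary": boundaryArn } } },
      { Sid: "IamRoleReadDeletePass", Effect: "Allow", Resource: roles,
        Action: ["iam:GetRole", "iam:GetRolePolicy", "iam:DeleteRole", "iam:PassRole", "iam:TagRole"] },
    );
  }
  return { Version: "2012-10-17", Statement: statements };
}

// Constructed sample: a trimmed synth output for a small stack with a bucket,
// a CloudFront distribution, a Lambda function, its role and log group.
export const SAMPLE_TEMPLATE: CfnTemplate = {
  Resources: {
    SiteBucket: { Type: "AWS::S3::Bucket" },
    SiteDistribution: { Type: "AWS::CloudFront::Distribution" },
    HandlerRole: { Type: "AWS::IAM::Role" },
    Handler: { Type: "AWS::Lambda::Function" },
    HandlerLogs: { Type: "AWS::Logs::LogGroup" },
    CDKMetadata: { Type: "AWS::CDK::Metadata" },
  },
};
```

The document this produces is the piece an admin applies once, outside the stack: create a customer-managed policy from it and attach it to the role that executes the deployment (with the CDK v2 bootstrap stack that is the CloudFormation execution role, whose managed policies `cdk bootstrap --cloudformation-execution-policies` accepts). Two things the template alone cannot tell you still have to be added by hand: read access to the bootstrap's asset bucket and to the `/cdk-bootstrap/<qualifier>/version` SSM parameter that `cdk deploy` checks. The IAM split is the important design point: granting `iam:*` because the stack contains a Lambda execution role would give a compromised CI job a path to an unbounded role, so role mutations are allowed only when the new role carries the boundary, and read/delete/pass actions get a separate statement because the `iam:PermissionsBoundary` key is absent on those calls and a `StringEquals` condition would otherwise deny them.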
You run into a chicken-and-egg problem here. (We encounter a similar issue with Secrets Manager and initializing secrets.) Pretty much the only solution I've found that works is a first-time setup script that uses an SDK or the CLI to run the necessary commands for that first-time setup. Then you can reference that beyond there.

However, it also depends on what roles you're talking about. cdk deploy pretty much needs access to any given resource you may be setting up - but you can limit it through users. Your kept-in-a-secret-lock-box root admin setup script can set up a single power user, which can then be used for initial cdk deploys. You can set up additional user groups that have the ability to deploy cdk, or have that initial setup create a cdk role that cdk deploy can assume.

lynkfox
  • Thanks for your answer, but I don't agree all the way. I might have gone overboard with restricting on particular resources, but the CDK code already 'knows' if a certain service is used, e.g. CloudFront, and you could collect many of the deployment requirements from the code - so my question is: is there a best practice or pattern for that, because I don't like to give carte blanche to a CI/CD service. So I agree that there need to be two steps: 1. generate and deploy the role (manually with an admin role); 2. use the role to (repeatedly). If you add new services, back to 1. – Chris Oct 24 '21 at 12:57
  • Well, AWS general best practice regarding IAM is as you say: least privilege possible. If you're OK with having to go back to your admin role on occasion to add additional privileges to the role, then it really is the best direction - because of least privilege. – lynkfox Oct 24 '21 at 13:29