Aws-cdk: RFC: missing security-impacting changes from cdk diff "scrutiny report"

Created on 6 Dec 2018 · 11Comments · Source: aws/aws-cdk

How's our driving?

Summary

CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:

This deployment will make potentially sensitive changes.
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────┬────────┬───────────────────────┬──────────────────────────────┬─────────────────────────────────┐
│   │ Resource                │ Effect │ Action                │ Principal                    │ Condition                       │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo}                 │ Allow  │ lambda:InvokeFunction │ Service:sns.amazonaws.com    │ "ArnLike": {                    │
│   │                         │        │                       │                              │   "AWS:SourceArn": "${MyTopic}" │
│   │                         │        │                       │                              │ }                               │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ Allow  │ sts:AssumeRole        │ Service:lambda.amazonaws.com │                                 │
└───┴─────────────────────────┴────────┴───────────────────────┴──────────────────────────────┴─────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                                             │
├───┼─────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘

Do you wish to deploy these changes (y/n)?

Request for comments

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?

SECURITY feature-request packagtools

Source

rix0rrr

👍10

Most helpful comment

@insanitybit cdk deploy --require-approval=never might resolve your issue.

davidbarsky on 20 May 2019

👍6 🚀1 😕1

All 11 comments

Here's a known list of resources that are not currently included in the diff:

[ ] AWS::IAM::User
[ ] Network ACLs

rix0rrr on 6 Dec 2018

I like this in principal, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great.

A flag like --accept-scrutiny-report would be really helpful for me.

insanitybit on 19 May 2019

@insanitybit cdk deploy --require-approval=never might resolve your issue.

davidbarsky on 20 May 2019

👍6 🚀1 😕1

That looks like it'd be exactly what I want, thanks.

insanitybit on 20 May 2019

Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not.

skinny85 on 22 May 2019

👍1

"_CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:_"

My concern is more general than security related ( I am thinking to ask here 1st, maybe I am missing something ):
I've just noticed that cdk diff is not displaying the ChangeSet in the AWS CF Console.
Why ? Any reason for that ?
( seeing the ChangeSet in AWS CF Console history is too late with cdk deploy)

I like seeing the changes in console using cdk diff but they should be identical to what I should be visualising in AWS CF ChangeSet before applying them. Are they identical ?

oups - just noticed this has been closed ...

emanserav on 29 Oct 2019

👍1

Still relevant.

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?

Although the issue is closed, the conversation is not locked.