Using CDK with the Control Tower-provided AWSPowerUserAccess role


Hi all,

I recently switched to Control Tower but now run into an issue when running cdk bootstrap whilst using a profile with the AWSPowerUserAccess role. I'm using the SSO token provider configuration, e.g.

cdk bootstrap --profile dev aws://123456789012/eu-west-3

returns:

 ⏳  Bootstrapping environment aws://123456789012/eu-west-3...
Trusted accounts for deployment: (none)
Trusted accounts for lookup: (none)
Using default execution policy of 'arn:aws:iam::aws:policy/AdministratorAccess'. Pass '--cloudformation-execution-policies' to customize.
CDKToolkit: creating CloudFormation changeset...
11:46:04 | CREATE_FAILED        | AWS::IAM::Role          | FilePublishingRole
API: iam:GetRole User: arn:aws:sts::123456789012:assumed-role/AWSReservedSSO_AWSPowerUserAccess_1243765abc961fa/my.email@address.com is not authorized to perform: iam:GetRole on resource:
role cdk-hnh864has-file-publishing-role-123456789012-eu-west-3 because no identity-based policy allows the iam:GetRole action

I cannot modify permissions for the AWSPowerUserAccess role, so I'm wondering if I should be using this role at all for CDK. Should my bootstrap command include more arguments? Should I create a CDKUserAccess role? Should I create a custom stack synthesizer? Any thoughts on the 'right' way to proceed would be welcome.

Thanks Gary

  • ... I bootstrapped this environment with my admin profile, and then cdk deployed with the dev profile. This approach worked for me, but was it the right thing to do?

    Thanks Gary

1 answer

Accepted answer

Hi Gary,

I bootstrapped this environment with my admin profile, and then cdk deployed with the dev profile. This approach worked for me, but was it the right thing to do?

It seems fine. According to the CDK Security and Safety Dev Guide [1], it recommends using AdministratorAccess privileges to execute cdk bootstrap:

Bootstrapping itself is a one-time operation performed by AWS account administrators, and we recommend executing it using AdministratorAccess privileges. This makes sure you are safe against future changes, and since the bootstrapping process will—by design—create new Roles with arbitrary policies anyway, there is no real benefit to restricting the permissions.

And when deploying, the Guide [1] recommends using deny-listing permissions. You know, the PowerUserAccess policy is a deny-listing permission, so it looks fine:

As you can see, allow listing permissions for infrastructure deployments is a tricky process and we do not recommend using this strategy.

The best practices for CDK security are described in the Guide [1], so please check it.

[1] https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide

Expert
Answered a year ago
  • Thanks _takahash.

    I did try cdk bootstrap --cloudformation-execution-policies [arn:...admin] etc., but that had issues, so I'm happy I found a good path.
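Editor's note on why the two-profile approach in the accepted answer is the expected outcome, followed by an added example script that is not part of the original thread or of the AWS CDK project. The bootstrap failure is what the AWS managed PowerUserAccess policy is designed to produce: its Allow statement is written as a NotAction over iam:*, organizations:* and account:*, with only a handful of IAM actions (such as iam:ListRoles and the service-linked-role actions) allowed explicitly, so iam:GetRole and iam:CreateRole on the cdk-* roles are never granted. At deploy time the CDK CLI only needs sts:AssumeRole on the bootstrap roles it created, which PowerUserAccess does permit, so "bootstrap as admin, deploy as power user" is consistent with the guide's advice. The script below enforces that split by checking the caller identity before running cdk. The profile names "admin" and "dev", and the assumption that administrator permission sets are named AWSReservedSSO_AWSAdministratorAccess_*, are taken from the question and from the default IAM Identity Center naming; adjust the pattern for your own permission sets. The ARN used in the usage comments is the one from the question.

```shell
#!/bin/sh
# Added example, not code from the original post or from the AWS CDK project.
# Guard wrapper for the two-profile pattern: run "cdk bootstrap" only with an
# administrator identity and "cdk deploy" only with a non-admin identity.
# Assumptions: admin permission sets are named AWSReservedSSO_AWSAdministratorAccess_*,
# and the caller identity is an STS assumed-role ARN (true for SSO profiles).

# Extract the role name from an STS assumed-role ARN, e.g.
#   arn:aws:sts::123456789012:assumed-role/ROLE/session.name  ->  ROLE
# Returns 1 for anything that is not an assumed-role ARN.
role_from_arn() {
    arn="$1"
    case "$arn" in
        arn:aws:sts::*:assumed-role/*/*) ;;
        *) return 1 ;;
    esac
    rest="${arn#*:assumed-role/}"      # ROLE/session.name
    printf '%s\n' "${rest%%/*}"        # ROLE
}

# Decide whether ROLE may run ACTION ("bootstrap" or "deploy").
# Exit status: 0 = allowed, 1 = refused, 2 = unknown action.
guard() {
    action="$1"; role="$2"
    case "$role" in
        AWSReservedSSO_AWSAdministratorAccess_*) is_admin=1 ;;   # assumed naming
        *) is_admin=0 ;;
    esac
    case "$action" in
        bootstrap) [ "$is_admin" -eq 1 ] ;;   # bootstrap needs iam:CreateRole etc.
        deploy)    [ "$is_admin" -eq 0 ] ;;   # deploy only needs sts:AssumeRole on cdk-* roles
        *) return 2 ;;
    esac
}

# Resolve the identity behind PROFILE with STS, apply the guard, then run cdk.
# Usage:
#   cdk_guarded bootstrap admin aws://123456789012/eu-west-3
#   cdk_guarded deploy    dev   MyStack
cdk_guarded() {
    action="$1"; profile="$2"; shift 2
    caller_arn="$(aws sts get-caller-identity --profile "$profile" \
                  --query Arn --output text)" || return 1
    role="$(role_from_arn "$caller_arn")" || {
        echo "unexpected caller identity for profile $profile: $caller_arn" >&2
        return 1
    }
    if ! guard "$action" "$role"; then
        echo "refusing 'cdk $action' with role $role (profile $profile)" >&2
        return 1
    fi
    cdk "$action" --profile "$profile" "$@"
}
```

Source the file and call cdk_guarded instead of cdk. With the identity from the question (role AWSReservedSSO_AWSPowerUserAccess_1243765abc961fa), `cdk_guarded bootstrap dev ...` is refused before any CloudFormation changeset is created, while `cdk_guarded deploy dev MyStack` proceeds; the reverse holds for an AWSReservedSSO_AWSAdministratorAccess_* identity, so an administrator session is never used for routine deploys.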
