Hi, Gary.
I bootstrapped this environment with my admin profile, and then cdk deployed with the dev profile. This approach worked for me, but was it the right thing to do?
It seems fine.
According to the CDK Security and Safety Dev Guide [1], AdministratorAccess privileges are recommended for executing cdk bootstrap:
Bootstrapping itself is a one-time operation performed by AWS account administrators, and we recommend executing it using AdministratorAccess privileges. This makes sure you are safe against future changes, and since the bootstrapping process will—by design—create new Roles with arbitrary policies anyway, there is no real benefit to restricting the permissions.
And when deploying, the Guide [1] recommends using deny-listing permissions. As you know, the PowerUserAccess policy is a deny-listing permission, so it looks fine:
As you can see, allow listing permissions for infrastructure deployments is a tricky process and we do not recommend using this strategy.
The best practices for CDK security are described in the Guide [1], so please check it.
[1] https://github.com/aws/aws-cdk/wiki/Security-And-Safety-Dev-Guide
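The answer above turns on the difference between deny-listing (a broad Allow with carve-outs, as in PowerUserAccess) and allow-listing (enumerated Allow actions) for the policies that CDK's bootstrap roles end up with. The following Python check is an added example, not code from this thread or from the CDK Security and Safety Dev Guide: it classifies a policy document by that shape and evaluates whether a single action is permitted. It ignores Resource and Condition and looks only at Effect, Action and NotAction. The sample policies are constructed for illustration; POWER_USER_LIKE copies the shape of AWS's PowerUserAccess (an Allow with NotAction plus a few re-allowed actions) and is not the current managed policy text.

```python
"""Classify an IAM policy document as deny-list or allow-list style and
test single actions against it. Added example; Resource/Condition ignored."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list for Action/NotAction/Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action matching is case-insensitive with '*' and '?' wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


@dataclass
class PolicyShape:
    style: str  # "deny-list" | "allow-list" | "unrestricted" | "no-grant"
    excluded_services: List[str] = field(default_factory=list)
    reallowed_actions: List[str] = field(default_factory=list)


def classify_policy(doc: Dict[str, Any]) -> PolicyShape:
    """deny-list: a broad Allow (Action "*" or NotAction) plus carve-outs;
    allow-list: only enumerated Allow actions; unrestricted: broad, no carve-outs."""
    broad = False
    narrow: List[str] = []
    excluded = set()
    for stmt in _as_list(doc.get("Statement")):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if effect == "Allow" and not_actions:
            broad = True
            excluded.update(a.split(":")[0] for a in not_actions)
        elif effect == "Allow" and "*" in actions:
            broad = True
        elif effect == "Allow":
            narrow.extend(actions)
        elif effect == "Deny":
            excluded.update(a.split(":")[0] for a in actions)
    if broad and excluded:
        # Enumerated allows inside a carved-out service are re-allowed exceptions.
        reallowed = sorted(a for a in narrow if a.split(":")[0] in excluded)
        return PolicyShape("deny-list", sorted(excluded), reallowed)
    if broad:
        return PolicyShape("unrestricted")
    if narrow:
        return PolicyShape("allow-list", sorted(excluded))
    return PolicyShape("no-grant", sorted(excluded))


def action_permitted(doc: Dict[str, Any], action: str) -> bool:
    """Explicit Deny wins; otherwise any matching Allow (Action or NotAction) grants."""
    allowed = False
    for stmt in _as_list(doc.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        not_actions = _as_list(stmt.get("NotAction"))
        if actions:
            hit = any(_matches(p, action) for p in actions)
        elif not_actions:
            hit = not any(_matches(p, action) for p in not_actions)
        else:
            hit = False
        if hit and stmt.get("Effect") == "Deny":
            return False
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


# Constructed samples (not the live AWS managed policies).
POWER_USER_LIKE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*", "account:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole", "iam:DeleteServiceLinkedRole", "iam:ListRoles",
                    "organizations:DescribeOrganization", "account:ListRegions"],
         "Resource": "*"},
    ],
}
ADMIN_LIKE = {"Version": "2012-10-17",
              "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
ALLOW_LIST_SAMPLE = {"Version": "2012-10-17",
                     "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
                                    "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, doc in [("POWER_USER_LIKE", POWER_USER_LIKE), ("ADMIN_LIKE", ADMIN_LIKE),
                      ("ALLOW_LIST_SAMPLE", ALLOW_LIST_SAMPLE)]:
        print(name, classify_policy(doc))
        print("  iam:CreateRole permitted:", action_permitted(doc, "iam:CreateRole"))
```

Run against the JSON you intend to hand to cdk bootstrap --cloudformation-execution-policies: a deny-list result with the iam service carved out tells you in advance that stacks which create IAM roles will fail under that execution role, which is the kind of surprise the allow-listing passage of the Guide warns about.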
Thanks, _takahash.
I did try cdk bootstrap --cloudformation-execution-policies [arn:...admin] etc., but that had issues, so I'm happy I found a good path.