Add Permissions boundary to the Roles #1233
Comments
Hi @sandeephs1, thanks for the issue. This is a good feature that would harden security. The roles you were not able to find in the stack are CDK auto-created roles that are not explicitly declared in the stack. We could go to each of the CDK constructs to check the parameters, but I think an easier way of implementing permission boundaries is to apply them to all roles (including the weird CDK-created ones). We could use something like what is explained in the CDK docs. Let us know if that helps out; we can always look at other alternatives. @SofiaSazonova
When creating an environment, the stack fails with the error below:
After analysis it was found that:
The command below was used to bootstrap the account:
Due to company security policy, the <assume.boundary.policy> boundary must be applied to any IAM role created.
And since we are not applying the mentioned boundary to the above 3 roles, the "no permissions boundary allows the iam:CreateRole action" error message will show up if the action is blocked by a policy (and creating a boundary-less IAM role is).
So now the fix was to add the permissions boundary to the 3 roles created when creating an environment, but we did not find any creation reference for the roles:
How can we add a permissions boundary to the above 3 roles and, generically, to any IAM role created in data.all?
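The question above (and the maintainer's suggestion to apply the boundary to every role, auto-created ones included) can be checked at the synthesized-template level, where CDK's implicit roles finally become visible. The following is an added example, not code from this issue or from data.all: it scans a CloudFormation template (for instance `cdk.out/<Stack>.template.json`) for `AWS::IAM::Role` resources without a `PermissionsBoundary`, and can attach one. It assumes the boundary is a plain managed-policy ARN string; the sample template, the resource names and the ARN in it are constructed for the example.

```python
"""
Pre-deploy check for IAM permissions boundaries in a synthesized CloudFormation
template. Every AWS::IAM::Role is inspected, including roles CDK generates on
its own (custom resource providers, log retention, bucket deployments), which
is why they are hard to find in the stack source. Assumption: the boundary is
a plain policy ARN string; intrinsic values already present are left as-is.
"""
import copy
import json
import sys
from typing import Dict, List

# Constructed sample template (not data.all's): one explicitly declared role
# that already carries a boundary, one CDK-generated provider role that does
# not, and a non-IAM resource that must be ignored.
SAMPLE_TEMPLATE: Dict = {
    "Resources": {
        "PipelineRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"Service": "codepipeline.amazonaws.com"}}],
                },
                "PermissionsBoundary": "arn:aws:iam::111111111111:policy/example-boundary",
            },
        },
        "CustomResourceProviderRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                   "Principal": {"Service": "lambda.amazonaws.com"}}],
                },
            },
        },
        "DataBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def iam_roles(template: Dict) -> Dict[str, Dict]:
    """Return {logical_id: resource} for every AWS::IAM::Role in the template."""
    return {
        logical_id: res
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::IAM::Role"
    }


def roles_missing_boundary(template: Dict) -> List[str]:
    """Logical IDs of roles that would be created without a PermissionsBoundary.
    These are the ones a boundary requirement rejects at iam:CreateRole time."""
    return sorted(
        logical_id
        for logical_id, res in iam_roles(template).items()
        if not res.get("Properties", {}).get("PermissionsBoundary")
    )


def apply_boundary(template: Dict, boundary_arn: str, overwrite: bool = False) -> Dict:
    """Return a copy of the template in which every role carries boundary_arn.
    Roles that already have a boundary are kept unless overwrite=True, so an
    intentionally different boundary is not silently replaced."""
    patched = copy.deepcopy(template)
    for res in iam_roles(patched).values():
        props = res.setdefault("Properties", {})
        if overwrite or not props.get("PermissionsBoundary"):
            props["PermissionsBoundary"] = boundary_arn
    return patched


def check_template_file(path: str, boundary_arn: str, write: bool = False) -> List[str]:
    """Report boundary-less roles in a template file; optionally patch it in place."""
    with open(path, encoding="utf-8") as fh:
        template = json.load(fh)
    missing = roles_missing_boundary(template)
    if missing and write:
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(apply_boundary(template, boundary_arn), fh, indent=2)
    return missing


if __name__ == "__main__":
    # Usage: python check_boundaries.py cdk.out/Stack.template.json <boundary-arn> [--write]
    if len(sys.argv) < 3:
        print(__doc__)
        sys.exit(2)
    write_back = "--write" in sys.argv[3:]
    missing_roles = check_template_file(sys.argv[1], sys.argv[2], write_back)
    for role in missing_roles:
        print(f"role without PermissionsBoundary: {role}")
    sys.exit(1 if missing_roles and not write_back else 0)
```

Run without `--write` as a CI gate after `cdk synth`: a non-zero exit means a role would be created boundary-less and the deploy would hit the `iam:CreateRole` denial described in the issue. The CDK-native counterpart of the same idea, which the comment above refers to, is `iam.PermissionsBoundary.of(scope).apply(policy)` in aws-cdk-lib, which attaches the boundary to every role under that scope at synth time; the template-level scan is still useful as an independent check that nothing under a different scope slipped through.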