Add Permissions boundary to the Roles #1233

Open
sandeephs1 opened this issue Apr 30, 2024 · 1 comment
Labels
type: enhancement Feature enhancement type: question Further information is requested

Comments

@sandeephs1

When creating an environment the stack fails with the below error:

 ❌ Deployment failed: Error: 
 The stack named dcx-environment-fw7u9n8k failed creation, it may need to be manually deleted from the AWS console: ROLLBACK_COMPLETE: Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve.
 Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-CustomCDKBucketDeployment8-vSxeN4TiSEFk because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: 777a2667-9afc-4343-88a8-d704fbda2851)"" (RequestToken: 78573905-88eb-a02a-93ec-9efb80fb03e0, HandlerErrorCode: UnauthorizedTaggingOperation), 
 Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-dcxLakeformationDefaultSet-rGXTGxO5E8Kg because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: 4b0ee857-0ae5-452e-a9a3-0e5ace86554c)"" (RequestToken: 05118eea-511b-7f8f-c02e-71176926b357, HandlerErrorCode: UnauthorizedTaggingOperation), 
 Resource handler returned message: "Encountered a permissions error performing a tagging operation, please add required tag permissions. See https://repost.aws/knowledge-center/cloudformation-tagging-permission-error for how to resolve. Resource handler returned message: "User: arn:aws:sts::123456789:assumed-role/cdk-hnb659fds-cfn-exec-role-123456789-eu-west-1/AWSCloudFormation is not authorized to perform: iam:CreateRole on resource: arn:aws:iam::123456789:role/dcx-environment-fw7u9n8k-dcxGlueDbCustomResourcePro-LS3rSytMadV4 because no permissions boundary allows the iam:CreateRole action (Service: Iam, Status Code: 403, Request ID: b03f8634-0679-471d-b43c-56d37e21fe0e) 

After analysis it was found that the below command was used to bootstrap the account:

aws cloudformation deploy \
  --profile "destination-account" \
  --region "${REGION}"\
  --stack-name "${STACK_NAME}" \
  --template-file ./bootstrap-template.yaml \
  --parameter-overrides InputPermissionsBoundary=<assume.boundary.policy> \
                        TrustedAccounts="${ACCOUNT_ID}" \
                        TrustedAccountsForLookup="${ACCOUNT_ID}" \
                        CloudFormationExecutionPolicies="arn:aws:iam::aws:policy/AdministratorAccess" \
  --capabilities CAPABILITY_NAMED_IAM

Due to company security policy the <assume.boundary.policy> boundary must be applied to any IAM role created.
And since we are not applying the mentioned boundary to the above 3 roles, the "no permissions boundary allows the iam:CreateRole action" error message will show up if the action is blocked by a policy (and creating a boundary-less IAM role is).

So now the fix was to add the permissions boundary to the 3 roles created when creating an environment, but we did not find any creation reference for the roles:

dcx-environment-<environmentUri>-CustomCDKBucketDeployment8-<Uri>
dcx-environment-<environmentUri>-dcxGlueDbCustomResourcePro-<Uri>
dcx-environment-<environmentUri>-dcxLakeformationDefaultSet-<Uri>

How can we add a permissions boundary to the above 3 roles and, generically, to any IAM role created in data.all?

@dlpzx dlpzx added type: enhancement Feature enhancement type: question Further information is requested labels Apr 30, 2024
@dlpzx (Contributor) commented Apr 30, 2024

Hi @sandeephs1, thanks for the issue. This is a good feature that would harden security. The roles you were not able to find in the stack are CDK auto-created roles that are not explicitly declared in the stack. We could go to each of the CDK constructs to check the parameters, but I think an easier way of implementing permissions boundaries is to apply them to all roles (including the weird CDK-created ones). We could use something like what is explained in the CDK docs.

Let us know if that helps out; we can always look at other alternatives. @SofiaSazonova
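The CDK-side approach referred to above is `iam.PermissionsBoundary.of(stack).apply(boundary_policy)`, which runs as an Aspect over every role in the scope, including the custom-resource provider roles CDK generates on its own. Before deploying, a defender still wants to confirm that no `AWS::IAM::Role` in the synthesized template slipped through without a boundary; the following is an added example (not data.all's or CDK's own code) that runs that check over a `cdk synth` template and patches the boundary onto any role that lacks one. The template and the boundary ARN below are constructed placeholders.

```python
"""Audit a synthesized CloudFormation template for IAM roles that lack a
PermissionsBoundary, and optionally patch one in.

Added example, not data.all or CDK code. Load a real input with
json.load(open("cdk.out/<stack>.template.json")).
"""
import copy

# Constructed sample template: one explicitly bounded role, one CDK-generated
# custom-resource role without a boundary (the shape described in the issue),
# and one non-IAM resource that must be ignored.
SAMPLE_TEMPLATE = {
    "Resources": {
        "ExplicitRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {
                "AssumeRolePolicyDocument": {"Statement": []},
                # placeholder account id and policy name
                "PermissionsBoundary": "arn:aws:iam::111111111111:policy/assume.boundary.policy",
            },
        },
        "CustomCDKBucketDeployment8ServiceRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {"Statement": []}},
        },
        "SomeBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def roles_missing_boundary(template: dict) -> list:
    """Return the sorted logical IDs of AWS::IAM::Role resources with no PermissionsBoundary."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        # A boundary may be a literal ARN or an intrinsic such as {"Fn::Sub": ...};
        # both count as present, only an absent/empty value is flagged.
        if not res.get("Properties", {}).get("PermissionsBoundary"):
            missing.append(logical_id)
    return sorted(missing)


def apply_boundary(template: dict, boundary_arn: str) -> dict:
    """Return a deep copy of the template with boundary_arn set on every role that lacks one."""
    patched = copy.deepcopy(template)
    for logical_id in roles_missing_boundary(patched):
        props = patched["Resources"][logical_id].setdefault("Properties", {})
        props["PermissionsBoundary"] = boundary_arn
    return patched


if __name__ == "__main__":
    boundary = "arn:aws:iam::111111111111:policy/assume.boundary.policy"  # placeholder
    print("Roles without a boundary:", roles_missing_boundary(SAMPLE_TEMPLATE))
    print("After patching:", roles_missing_boundary(apply_boundary(SAMPLE_TEMPLATE, boundary)))
```

Running the check in CI against every template under `cdk.out/` turns the deploy-time `iam:CreateRole` denial into a pre-deploy finding that names the offending logical IDs.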
