fix: Fixed trust condition in modules/iam-github-oidc-role to be https #490
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…orrecting this to use HTTPS Adding a pull request to remediate a potential security issue within the "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" module that pertains to the configuration of IAM roles for OIDC (OpenID Connect) with GitHub Actions. Issue Description: The current implementation of the IAM role's trust relationship within the module uses an HTTP URL (http://token.actions.githubusercontent.com) in the token.actions.githubusercontent.com:iss condition. This configuration poses a security risk as the HTTP protocol is not encrypted, making it susceptible to man-in-the-middle attacks where an attacker could intercept or alter the communication. Security Risk: Using HTTP allows potential attackers to intercept the authentication tokens used between GitHub Actions and AWS, leading to unauthorized actions or access within AWS resources under certain conditions. The industry best practice is to use HTTPS to ensure the integrity and confidentiality of the communication between clients and servers. Suggested Fix: To mitigate this issue and enhance the security of the module, I recommend updating the URL in the trust policy from HTTP to HTTPS. Here is the updated snippet for your reference: json Copy code "Condition": { "StringEquals": { "token.actions.githubusercontent.com:aud": "sts.amazonaws.com", "token.actions.githubusercontent.com:iss": https://token.actions.githubusercontent.com } } Benefits of the Fix: Updating to HTTPS ensures that the communication between GitHub Actions and AWS IAM via the token issuer URL is secure and encrypted, thereby safeguarding against eavesdropping and tampering by malicious entities. I believe this change will significantly enhance the security of the module and its users, aligning it with best security practices and AWS recommendations. Thank you for considering this issue. I appreciate the work you have put into developing this useful module and am looking forward to the continued improvement that enhances its security and reliability. Please let me know if I can provide any further information or assistance.
antonbabenko
approved these changes
May 15, 2024
antonbabenko
changed the title
|
Just for the reference, there was a related comment in the past - cc44693#r113925291 |
antonbabenko
merged commit ecaed18
into
terraform-aws-modules:master
34 of 35 checks passed
antonbabenko
pushed a commit
that referenced
this pull request
May 15, 2024
## [5.39.1](v5.39.0...v5.39.1) (2024-05-15) ### Bug Fixes * Fixed trust condition in modules/iam-github-oidc-role to be https ([#490](#490)) ([ecaed18](ecaed18))
|
This PR is included in version 5.39.1 🎉 |
|
Thanks @devopserio for this small fix. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Correcting this to use HTTPS. Adding a pull request to remediate a potential security issue within the "terraform-aws-modules/iam/aws//modules/iam-github-oidc-role" module that pertains to the configuration of IAM roles for OIDC (OpenID Connect) with GitHub Actions.
Issue Description:
The current implementation of the IAM role's trust relationship within the module uses an HTTP URL (http://token.actions.githubusercontent.com) in the token.actions.githubusercontent.com:iss condition. This configuration poses a security risk as the HTTP protocol is not encrypted, making it susceptible to man-in-the-middle attacks where an attacker could intercept or alter the communication.
Security Risk:
Using HTTP allows potential attackers to intercept the authentication tokens used between GitHub Actions and AWS, leading to unauthorized actions or access within AWS resources under certain conditions. The industry best practice is to use HTTPS to ensure the integrity and confidentiality of the communication between clients and servers.
Suggested Fix:
To mitigate this issue and enhance the security of the module, I recommend updating the URL in the trust policy from HTTP to HTTPS. Here is the updated snippet for your reference:
json
Copy code
"Condition": {
"StringEquals": {
"token.actions.githubusercontent.com:aud": "sts.amazonaws.com",
"token.actions.githubusercontent.com:iss": https://token.actions.githubusercontent.com
}
}
Benefits of the Fix:
Updating to HTTPS ensures that the communication between GitHub Actions and AWS IAM via the token issuer URL is secure and encrypted, thereby safeguarding against eavesdropping and tampering by malicious entities.
I believe this change will significantly enhance the security of the module and its users, aligning it with best security practices and AWS recommendations.
Thank you for considering this issue. I appreciate the work you have put into developing this useful module and am looking forward to the continued improvement that enhances its security and reliability. Please let me know if I can provide any further information or assistance.