(pipelines/bootstrap): add Permission Boundary to bootstrap resources

[rix0rrr]

The cdk bootstrap command will be able to be invoked as follows:

$ cdk bootstrap --permissions-boundary=arn:aws:iam::account-id:policy/policy-name-with-path

This sets the CloudFormation Execution Role up to enforce its use.

When users add:

{
  "context": {
    "@aws-cdk/core.permissionsBoundary": "arn:aws:iam::account-id:policy/policy-name-with-path"
  }
}

To their cdk.json, all Roles in all stacks will be provisioned with that permission boundary automatically.

---

This is a 🚀 Feature Request

[redbaron]

Could you provide an example of Control Plane and Data plane calls?

[rix0rrr]

Could you provide an example of Control Plane and Data plane calls?

Sure. Control Plane calls are (typically) calls that configure services, while Data Plane calls are calls that use services.

Some examples:

Service	Control Plane	Data Plane
S3	CreateBucket, PutBucketPolicy	PutObject, GetObject
SQS	CreateQueue, PutQueuePolicy	SendMessage, ReceiveMessages, DeleteMessage
DDB	CreateTable, TagResource, UpdateTable	PutItem, Scan, Query

Some calls might be debatable. For example, ListBuckets could be considered a Control Plane call but it might equally well be considered a Data Plane call.

At the same time, it's reasonable to think that it's fine for applications to create some resources as part of their normal operation, like perhaps creating SQS Queues and SNS Topics on-demand, so it's not entirely cut-and-dry what calls should be allowed and disallowed for execution roles. But these are details that can be worked out; the bigger question is whether the whole scheme would have value to it in the first place.

[hoegertn]

One thing that comes to my mind is: How would I deploy Lambda functions with ops tasks using CDK if all roles are denied control plane access.

I am not sure this approach is really helpful or if it is a form of snake oil.

The main entry point for any attacker is still the repository itself and there is no way to mitigate this completely. So we need to make sure safeguards are in place here.

[Wenzil]

@hoegertn you still want to limit the damage if there is a breach

@rix0rrr I think this is a great option to have. We are anyway going with a similar approach using our custom bootstrap template. +1 for providing more secure defaults