RFC: missing security-impacting changes from cdk diff "scrutiny report"

[rix0rrr]

Summary

CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you're making changes that are potentially security-sensitive. You will see a prompt that looks like this:

This deployment will make potentially sensitive changes.
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────┬────────┬───────────────────────┬──────────────────────────────┬─────────────────────────────────┐
│   │ Resource                │ Effect │ Action                │ Principal                    │ Condition                       │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo}                 │ Allow  │ lambda:InvokeFunction │ Service:sns.amazonaws.com    │ "ArnLike": {                    │
│   │                         │        │                       │                              │   "AWS:SourceArn": "${MyTopic}" │
│   │                         │        │                       │                              │ }                               │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ Allow  │ sts:AssumeRole        │ Service:lambda.amazonaws.com │                                 │
└───┴─────────────────────────┴────────┴───────────────────────┴──────────────────────────────┴─────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                                             │
├───┼─────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘

Do you wish to deploy these changes (y/n)? 

Request for comments

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you'd like to tell us?

[rix0rrr]

Here's a known list of resources that are not currently included in the diff:

• AWS::IAM::User
• Network ACLs

[insanitybit]

I like this in principal, but is there a way to opt out? Sometimes I'm working on a dev setup, and it takes ~15-20 minutes to run all of my cdk deployments. Having to sit there and hit 'y' is actually quite a pain, and really slows me down. If I could run the deployment script I have and walk away from the computer, it would be great.

A flag like --accept-scrutiny-report would be really helpful for me.

[davidbarsky]

@insanitybit cdk deploy --require-approval=never might resolve your issue.

[insanitybit]

That looks like it'd be exactly what I want, thanks.

[skinny85]

Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not.