‼️ NOTICE: CDK Pipelines creates role with overly permissive trust policy

[rix0rrr]

What is this about?

The AWS Cloud Development Kit (CDK) Team recently identified an issue with the CDK Pipelines construct library that may result in unintended permissions being granted to authenticated users in your account. As of April 4, 2023, we have fixed the issue in version 1.200.0 for CDK v1, and version 2.77.0 for CDK v2. We strongly recommend you upgrade to one of these versions as soon as possible. Please refer to the Managing Dependencies in the CDK Developer Guide for instructions on how to perform the upgrade.

What is the issue?

Starting with versions 1.158.0 and 2.26.0, released May 30, 2022, the library creates a role that allows every identity in the same account with sts:AssumeRole permissions on Resource: * to assume it. This may result in granting privileges to authenticated users in your account allowing them to take pipeline actions beyond what was intended.​

You can scan your CloudTrail log for sts:AssumeRole calls to the Role named <STACKNAME>-<PipelineConstructName>CodeBuildActionRole<RandomSuffix1>-<RandomSuffix2> in your CDK Pipeline account to determine if any unexpected access took place.

How do I know if I'm affected?

You are affected if you are using the pipelines.CodePipeline construct, and your version of:

• @aws-cdk/pipelines is between 1.158.0 and 1.199.0 (inclusive); OR
• aws-cdk-lib is between 2.26.0 and 2.76.0 (inclusive).

What should I do?

Please upgrade to the latest versions and redeploy your CDK pipelines.

[github-actions]

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

[hatchetation]

Just in case anyone else is confused - at least one of the dates in this notice should read 2023, not 2022.

[rix0rrr]

Just in case anyone else is confused - at least one of the dates in this notice should read 2023, not 2022.

Doh! Thanks

[olimaryou]

Could you please make what was the issue clearer ?

The previous trust policy created by CDK was like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXX:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:ViaAWSService": "codepipeline.amazonaws.com"
                }
            }
        }
    ]
}

The issue is that the condition "aws:ViaAWSService": "codepipeline.amazonaws.com" is wrong, condition-keys-viaawsservice says that possible values of aws:ViaAWSService are true or false and not the name of the service. And I don't know for which reason IAM considers the condition "aws:ViaAWSService": "codepipeline.amazonaws.com" as true when other prinicpals in the accounts assume the role, thus making it open to anyone in the account who has an IAM pollicy allowing sts:AssumeRole for that role. Is IAM casting "codepipeline.amazonaws.com" as "false" as it was waiting for a boolean and it got non empty string ? I don't know.

Now you did the correction by removing that condition and you added the principal of the codepipeline role instead of *

Please, next time give more details and more transparency to what's happening and what was the problem ...