CDK Diff and Deploy do not include AWS::SSO::Assignment in security related changes #29835
Description
Context
We received a report that diff does not handle AWS::SSO::Assignment resource changes as a security-related change. We currently handle two packages as security-related in cloudformation-diff: iam and network. We should add similar logic for SSO.
I'm not actually positive whether we should call this a bug or a feature request, because on closer inspection our documentation for ConfirmPermissionsBroadening specifies "Pause the pipeline if a deployment would add IAM permissions or Security Group rules." But the difference here is not super important. We should add this.
Task
Update diff to include these resource changes. As part of this task we should also check to see if any other security related libraries have been added since this was last updated (Organizations comes to mind) and check to see if any updates have been added within the known libraries that we may not be checking for already. If those are found, new tasks should be added for each of those.
Acceptance Criteria
- AWS::SSO::Assignment resources are added to the list of security changes when cdk diff is run
- An integ test is added/updated to include checking for these resources
- New tasks are created for each other resource/library type that we find are not currently covered
Original Report
Summary
The documentation states: "To protect you against unintended changes that affect your security posture, the AWS CDK Toolkit prompts you to approve security-related changes before deploying them."
However, I noticed that new AWS::SSO::Assignment resources do not trigger the prompt, thus allowing bypass of ConfirmPermissionsBroadening.
Details
AWS::SSO::Assignment is used with AWS IAM Identity Center, which can be used to assign a very wide range of permissions. It's important that this is also gated as documented.
PoC
```typescript
import { CfnAssignment } from 'aws-cdk-lib/aws-sso';

// For each permission set, account and user/group combination, create a new CfnAssignment
// as defined in the configuration. `props`, `config`, `account`, `permissionSetName`,
// `groupIds`, `userIds` and `getPermissionSetArn` come from the surrounding construct
// and are not shown in the report.
const permissionSetArn = getPermissionSetArn(props, permissionSetName);
const groups = config[permissionSetName].Groups ?? [];
const users = config[permissionSetName].Users ?? [];

groups.forEach((group) => {
  new CfnAssignment(this, `Assignment-${account}-${permissionSetName}-${group}`, {
    instanceArn: props.ssoInstanceArn,
    permissionSetArn,
    // groupIds[group] is an AwsCustomResource lookup; getResponseField reads the resolved ID
    principalId: groupIds[group].getResponseField('GroupId'),
    principalType: 'GROUP',
    targetId: account,
    targetType: 'AWS_ACCOUNT',
  });
});

users.forEach((user) => {
  new CfnAssignment(this, `Assignment-${account}-${permissionSetName}-${user}`, {
    instanceArn: props.ssoInstanceArn,
    permissionSetArn,
    principalId: userIds[user].getResponseField('UserId'),
    principalType: 'USER',
    targetId: account,
    targetType: 'AWS_ACCOUNT',
  });
});
```
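The gap described above, as an added example that is not the CDK's or cloudformation-diff's own code: a minimal template differ that flags additions, updates and removals of resource types a team gates as security-related, with AWS::SSO::Assignment listed next to the IAM and Security Group types the toolkit already prompts on. The resource-type list, the template shapes and the placeholder ARNs/IDs are assumptions constructed for this example.

```typescript
// Added example, not @aws-cdk/cloudformation-diff's own logic: a minimal template differ
// that reports additions, updates and removals of resource types gated as security-related.
// The type list is an assumption for this example.
interface Resource { Type: string; Properties?: Record<string, unknown> }
interface Template { Resources?: Record<string, Resource> }
interface SecurityChange { logicalId: string; type: string; kind: 'add' | 'update' | 'remove' }

const SECURITY_RESOURCE_TYPES: ReadonlySet<string> = new Set([
  // IAM: the "adds IAM permissions" half of ConfirmPermissionsBroadening
  'AWS::IAM::Role', 'AWS::IAM::Policy', 'AWS::IAM::ManagedPolicy', 'AWS::IAM::User', 'AWS::IAM::Group',
  // Network: the "Security Group rules" half
  'AWS::EC2::SecurityGroup', 'AWS::EC2::SecurityGroupIngress', 'AWS::EC2::SecurityGroupEgress',
  // IAM Identity Center: the gap this issue asks to close
  'AWS::SSO::Assignment', 'AWS::SSO::PermissionSet',
]);

function securityChanges(oldT: Template, newT: Template): SecurityChange[] {
  const oldRes = oldT.Resources ?? {};
  const newRes = newT.Resources ?? {};
  const out: SecurityChange[] = [];
  for (const id of Object.keys({ ...oldRes, ...newRes })) {
    const before = oldRes[id];
    const after = newRes[id];
    const type = (after ?? before).Type;
    // Report if the resource is security-related in either the old or the new template.
    if (!SECURITY_RESOURCE_TYPES.has(type) && !(before && SECURITY_RESOURCE_TYPES.has(before.Type))) continue;
    if (!before) out.push({ logicalId: id, type, kind: 'add' });
    else if (!after) out.push({ logicalId: id, type, kind: 'remove' });
    // JSON.stringify is a crude canonical form; property key order must match in both templates.
    else if (JSON.stringify(before) !== JSON.stringify(after)) out.push({ logicalId: id, type, kind: 'update' });
  }
  return out;
}

// The deploy gate: any security-related change means "stop and ask", like the IAM/SG prompt.
function requiresApproval(oldT: Template, newT: Template): boolean {
  return securityChanges(oldT, newT).length > 0;
}

// Constructed sample templates with placeholder ARNs and IDs (not real values).
const assignmentProps: Record<string, unknown> = {
  InstanceArn: 'arn:aws:sso:::instance/ssoins-PLACEHOLDER',
  PermissionSetArn: 'arn:aws:sso:::permissionSet/ssoins-PLACEHOLDER/ps-PLACEHOLDER',
  PrincipalId: 'group-id-PLACEHOLDER', PrincipalType: 'GROUP', TargetId: '111111111111', TargetType: 'AWS_ACCOUNT',
};
const before: Template = { Resources: { Bucket: { Type: 'AWS::S3::Bucket' } } };
const after: Template = { Resources: { ...before.Resources, AdminAssignment: { Type: 'AWS::SSO::Assignment', Properties: assignmentProps } } };
```

Run against `before` and `after`, the S3 bucket is ignored and the new assignment is reported as a single `add`, which is exactly the case the report says the toolkit currently lets through.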
