aws-cdk: RFC: missing security-impacting changes from cdk diff "scrutiny report"

Summary
CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated by the CDK, we will attempt to identify when you’re making changes that are potentially security-sensitive. You will see a prompt that looks like this:
This deployment will make potentially sensitive changes.
Please confirm you intend to make the following modifications:
IAM Statement Changes
┌───┬─────────────────────────┬────────┬───────────────────────┬──────────────────────────────┬─────────────────────────────────┐
│   │ Resource                │ Effect │ Action                │ Principal                    │ Condition                       │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo}                 │ Allow  │ lambda:InvokeFunction │ Service:sns.amazonaws.com    │ "ArnLike": {                    │
│   │                         │        │                       │                              │   "AWS:SourceArn": "${MyTopic}" │
│   │                         │        │                       │                              │ }                               │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ Allow  │ sts:AssumeRole        │ Service:lambda.amazonaws.com │                                 │
└───┴─────────────────────────┴────────┴───────────────────────┴──────────────────────────────┴─────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                                             │
├───┼─────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘
Do you wish to deploy these changes (y/n)?
Request for comments
Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you’d like to tell us?
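A pre-deploy check in the spirit of the scrutiny report, as an added example that is not CDK's own implementation: it diffs two CloudFormation templates, constructed inline here to mirror the prompt above, and lists the new IAM statements and managed policy attachments. A real gate would run it on the templates that cdk synth writes; the managed policy ARN is a plain string where CDK would emit a Fn::Join with ${AWS::Partition}.

```python
# Minimal pre-deploy "scrutiny" check over two CloudFormation templates (added example, not CDK code).
# Reports what the prompt reports: new IAM statements (role trust policies, Lambda resource permissions) and new managed policy ARN attachments, with intrinsics rendered as ${X}.
import json

def _render(v):
    """Render CFN intrinsics the way the prompt does: {"Ref": "X"} -> ${X}, Fn::GetAtt -> ${X.Arn}."""
    if isinstance(v, dict):
        if "Ref" in v:
            return "${%s}" % v["Ref"]
        if "Fn::GetAtt" in v:
            return "${%s.%s}" % tuple(v["Fn::GetAtt"])
        return {k: _render(x) for k, x in v.items()}
    return [_render(x) for x in v] if isinstance(v, list) else v

def _statements(rid, res):
    """Yield the IAM statements one resource introduces, shaped like the prompt's table rows."""
    typ, props = res.get("Type"), res.get("Properties", {})
    if typ == "AWS::IAM::Role":  # trust policy: who may assume the role
        for st in props.get("AssumeRolePolicyDocument", {}).get("Statement", []):
            yield {"resource": "${%s.Arn}" % rid, "effect": st["Effect"], "action": st["Action"],
                   "principal": st.get("Principal"), "condition": st.get("Condition")}
    elif typ == "AWS::Lambda::Permission":  # resource-based policy on the function itself
        cond = {"ArnLike": {"AWS:SourceArn": props["SourceArn"]}} if "SourceArn" in props else None
        yield {"resource": props["FunctionName"], "effect": "Allow", "action": props["Action"],
               "principal": {"Service": props["Principal"]}, "condition": cond}

def _managed_policies(rid, res):
    if res.get("Type") == "AWS::IAM::Role":
        for arn in res.get("Properties", {}).get("ManagedPolicyArns", []):
            yield {"resource": "${%s.Arn}" % rid, "managed_policy_arn": arn}

def scrutinize(before, after):
    """Return the IAM statements and managed-policy attachments present in AFTER but not in BEFORE."""
    def collect(tpl, fn):
        return {json.dumps(_render(item), sort_keys=True)
                for rid, r in tpl.get("Resources", {}).items() for item in fn(rid, r)}
    return {key: [json.loads(s) for s in sorted(collect(after, fn) - collect(before, fn))]
            for key, fn in (("statements", _statements), ("managed_policies", _managed_policies))}

# Constructed sample: the stack before and after wiring an SNS topic to an "Echo" Lambda function.
BEFORE = {"Resources": {"MyTopic": {"Type": "AWS::SNS::Topic"}}}
AFTER = {"Resources": {
    "MyTopic": {"Type": "AWS::SNS::Topic"},
    "EchoServiceRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"Service": "lambda.amazonaws.com"}}]},
        "ManagedPolicyArns": ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]}},
    "Echo": {"Type": "AWS::Lambda::Function", "Properties": {"Role": {"Fn::GetAtt": ["EchoServiceRole", "Arn"]}}},
    "EchoPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
        "Action": "lambda:InvokeFunction", "FunctionName": {"Ref": "Echo"},
        "Principal": "sns.amazonaws.com", "SourceArn": {"Ref": "MyTopic"}}}}}
```

Running scrutinize(BEFORE, AFTER) yields the two statement rows and the one managed policy row shown in the prompt above; an unchanged template yields empty lists, which is the condition under which a gate can skip the confirmation.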
About this issue
- State: closed
- Created 6 years ago
- Reactions: 33
- Comments: 17 (5 by maintainers)
Commits related to this issue
- Creating a Lambda Function To deploy a lambda, we have to set up CDK code to deploy a function and also write Rust code handle events. First in `lib/infra-stack.js`, add `aws_lambda` to the destruct... — committed to rust-adventure/building-a-dynamodb-powered-pokemon-api-with-cdk by ChristopherBiscardi 2 years ago
- Exposing a Lambda on an http URL We have a lambda running but it’s only accessible via the `aws cli lambda invoke` command. To be able to access it on a URL, we need to use another AWS service: API ... — committed to rust-adventure/building-a-dynamodb-powered-pokemon-api-with-cdk by ChristopherBiscardi 2 years ago
- Connecting to DynamoDB from a Lambda Function To connect to DynamoDB we have to set up the code in our Rust function to do so, and also *allow* it to do so from our CDK code. By default our function ... — committed to rust-adventure/building-a-dynamodb-powered-pokemon-api-with-cdk by ChristopherBiscardi 2 years ago
- feat: Define infrastructure with CDK! We are _not_ adopting the YAML template here because: - The YAML template uses the AWS Serverless Transform, which doesn't map to CDK very easily - The stack... — committed to guardian/cloudwatch-logs-management by akash1810 2 years ago
- feat(cdk): Enable local CFN stack diffing It is sometimes useful to see the delta between the current branch and the CODE CloudFormation stack. This change allows us to run: ```bash npm -w cdk run ... — committed to guardian/service-catalogue by akash1810 5 months ago
- Stop printing note about https://github.com/aws/aws-cdk/issues/1299. — committed to mawallace/aws-cdk by mawallace 3 months ago
@insanitybit `cdk deploy --require-approval=never` might resolve your issue.

CDK Deploy gives a warning that implies there are known issues preventing IAM policy diffs from showing up in the confirmation prompt, and directs users to read this issue for more information.
However, this issue reads like you know there is an issue, but you don’t know what it is. There is no information on this page.
Why is it necessary for developers to consult this page on every deployment? It seems unnecessary. Should I assume that all similar warnings from the CDK are equally irrelevant? Please consider what action you are requesting from developers when they deploy, and then reword the known issue warning to make it clear, or remove it if there is no action required from developers.
Is this still relevant? I am seeing this issue linked in the `cdk deploy` prompt and I am using 2.129.0. Could you please remove this warning message if it’s not relevant anymore? It is creating confusion.

Yeah, please remove the warning if it’s not relevant, PLEASE.
“CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated by the CDK, we will attempt to identify when you’re making changes that are potentially security-sensitive. You will see a prompt that looks like this:”
My concern is more general than security related (I am thinking to ask here first, maybe I am missing something): I’ve just noticed that `cdk diff` is not displaying the ChangeSet in the AWS CF Console. Why? Any reason for that? (Seeing the ChangeSet in the AWS CF Console history is too late with `cdk deploy`.) I like seeing the changes in the console using `cdk diff`, but they should be identical to what I should be visualising in the AWS CF ChangeSet before applying them. Are they identical?

Oops, just noticed this has been closed …
Is this still an issue? I’m always seeing the warning, but not sure if it’s kept updated. I’m using:
├── aws-cdk-lib@2.64.0
├── aws-cdk@2.64.0
Resolving, as I think @insanitybit got the info they needed, feel free to re-open if not.
I receive this message… (NOTE: There may be security-related changes not in this list. See https://github.com/aws/aws-cdk/issues/1299)
I’m unsure why the message is showing up. The diff shows me IAM changes and security group changes. Is that the reason it’s showing up? It claims that there may be security related changes not in the list, but I don’t know what that means. Could the message just tell me what other security related changes there are?
Thanks!
Bug reported as https://github.com/aws/aws-cdk/issues/8683
It is not @gmiretti … would you mind opening us a separate issue about this?
Still relevant.