Apply PermissionBoundary to all bootstrap roles (for easier self-service bootstrapping under existing boundary) #284

@dverdonschot

Description

Describe the feature

The PermissionBoundary is only applied to the CloudFormation Execution Role when bootstrapping with the option --custom-permissions-boundary:

    cdk bootstrap --custom-permissions-boundary PermissionBoundary

The following roles currently do not get the PermissionBoundary when the bootstrap is done with the command above:

DeploymentActionRole
FilePublishingRole
ImagePublishingRole
LookupRole

Use Case

The organisation I work for has a PermissionBoundary that requires all roles to be created with the PermissionBoundary as well:

        {
            "Sid": "RestrictRoleCreation",
            "Effect": "Deny",
            "Action": [
                "iam:CreateRole",
                "iam:UpdateRole",
                "iam:PutRolePermissionsBoundary"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "iam:PermissionsBoundary": [
                        "arn:aws:iam::*:policy/PermissionBoundary"
                    ]
                }
            }
        },

Currently we have to bootstrap CDK using a custom bootstrap-template.yaml that applies the PermissionBoundary to all the other roles.
But this sometimes causes issues if someone later runs cdk bootstrap without the template, and the resources are updated without the PermissionBoundary again...

Proposed Solution

Add the code below to all roles created by bootstrap-template.yaml:

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

I can make a PR for this if needed.

Other Information

Currently bootstrap-template.yaml only applies the code below to attach the PermissionBoundary to CloudFormationExecutionRole:

      PermissionsBoundary:
        Fn::If:
          - PermissionsBoundarySet
          - Fn::Sub: 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${InputPermissionsBoundary}'
          - Ref: AWS::NoValue

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

v2.114.0

Environment details (OS name and version, etc.)

Ubuntu
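As an added illustration (not part of this issue or of the CDK project), the following check lints a parsed bootstrap template for IAM roles that lack the conditional PermissionsBoundary and patches them with the same Fn::If block proposed above. The template dict is a constructed stand-in for bootstrap-template.yaml, reduced to the resource types and the one existing boundary.

```python
"""Static check for a CDK bootstrap template: every AWS::IAM::Role must
carry the conditional PermissionsBoundary block proposed in the issue."""
import copy

# The Fn::If block from the issue (the one already present on
# CloudFormationExecutionRole); PermissionsBoundarySet and
# InputPermissionsBoundary are the template's own condition and parameter.
BOUNDARY_PROPERTY = {
    "Fn::If": [
        "PermissionsBoundarySet",
        {"Fn::Sub": "arn:${AWS::Partition}:iam::${AWS::AccountId}"
                    ":policy/${InputPermissionsBoundary}"},
        {"Ref": "AWS::NoValue"},
    ]
}

# Constructed stand-in for bootstrap-template.yaml after YAML parsing:
# only CloudFormationExecutionRole carries the boundary, as the issue says.
TEMPLATE = {
    "Resources": {
        "CloudFormationExecutionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"PermissionsBoundary": BOUNDARY_PROPERTY}},
        "DeploymentActionRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "FilePublishingRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "ImagePublishingRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "LookupRole": {"Type": "AWS::IAM::Role", "Properties": {}},
        "StagingBucket": {"Type": "AWS::S3::Bucket", "Properties": {}},
    }
}


def roles_missing_boundary(template):
    """Return sorted logical IDs of IAM roles without PermissionsBoundary."""
    missing = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue  # buckets, keys, etc. cannot carry a boundary
        if "PermissionsBoundary" not in res.get("Properties", {}):
            missing.append(logical_id)
    return sorted(missing)


def apply_boundary(template):
    """Return a deep copy with the Fn::If block added to every bare role."""
    patched = copy.deepcopy(template)
    for logical_id in roles_missing_boundary(patched):
        props = patched["Resources"][logical_id].setdefault("Properties", {})
        props["PermissionsBoundary"] = copy.deepcopy(BOUNDARY_PROPERTY)
    return patched


if __name__ == "__main__":
    print("missing boundary:", roles_missing_boundary(TEMPLATE))
    print("after patch:", roles_missing_boundary(apply_boundary(TEMPLATE)))
```

Run against the real template (loaded with a YAML parser into the same dict shape) the first call lists exactly the roles a deny-unless-boundary policy like the one above would block.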
