Description
Describe the bug
CDK pipelines appears to provision a role for each action performed by the pipeline. It appears that the role assigned to the pipeline itself is supposed to assume these roles, however several of them contain trust policies like the following:
    {
      "Version": "2008-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::XXXXXX:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Rather than explicitly specifying the role that is supposed to be trusted, it trusts every role in the account. This is a clear vulnerability that allows other principals in the account potentially inappropriate access to actions performed by the pipeline.
A very similar vulnerability was fixed in cdk v2.77.0 (#25316), but it appears not all roles deployed by the pipeline were fixed. Specifically, as of v2.102.0 roles related to the pipeline source action, the CodeBuilds handling file assets, and the deployment stage are all still affected.
Expected Behavior
All roles deployed by pipelines should follow the least privilege principle with respect to their trust policies.
Current Behavior
Currently several of the trust policies grant broad access to other roles in the account.
Reproduction Steps
Examine the rendered CloudFormation template from a stack deploying CDK pipelines, or run it through a static code analysis tool (Snyk flags this vulnerability as high severity).
Possible Solution
Change all roles deployed by CDK pipelines to trust only the principal intended to assume them.
Additional Information/Context
The interface for CDK pipelines does not seem to expose these roles directly, but rather allows for custom permissions policies to be attached. Since this issue affects the trust policies there does not seem to be any OotB workaround using custom roles.
CDK CLI Version
2.102.0
Framework Version
No response
Node.js Version
18.16.1
OS
Ubuntu 22.04
Language
Python
Language Version
No response
Other information
No response
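A check for the reproduction step in the report above, added here as an example and not code from the issue or the CDK project: it walks a rendered CloudFormation template and lists every IAM role whose trust policy allows sts:AssumeRole to an account-root principal (the pattern shown in the trust policy above), resolving the Fn::Join form CDK emits for ARNs. The template, role names and account id are constructed placeholders.

```python
def role(trust_principal, version="2012-10-17"):
    """Build a minimal AWS::IAM::Role resource with one Allow sts:AssumeRole statement."""
    return {"Type": "AWS::IAM::Role", "Properties": {"AssumeRolePolicyDocument": {
        "Version": version, "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                           "Principal": {"AWS": trust_principal}}]}}}

# Constructed sample (not real CDK synth output): one role trusts the account root
# via the Fn::Join form CDK emits; the other trusts a single, named role ARN.
SAMPLE_TEMPLATE = {"Resources": {
    "BroadRole": role({"Fn::Join": ["", ["arn:", {"Ref": "AWS::Partition"}, ":iam::",
                                         {"Ref": "AWS::AccountId"}, ":root"]]}, "2008-10-17"),
    "ScopedRole": role("arn:aws:iam::111111111111:role/PipelineRole"),
}}


def flatten(value):
    """Render a string, Fn::Join or Fn::Sub value to text; a Ref becomes a ${Name} placeholder."""
    if isinstance(value, str):
        return value
    if isinstance(value, dict):
        if "Fn::Join" in value:
            sep, parts = value["Fn::Join"]
            return sep.join(flatten(p) for p in parts)
        if "Fn::Sub" in value:
            sub = value["Fn::Sub"]
            return sub if isinstance(sub, str) else sub[0]
        if "Ref" in value:
            return "${%s}" % value["Ref"]
    return str(value)


def roles_trusting_account_root(template):
    """Logical IDs of roles with an Allow statement granting sts:AssumeRole to an ':root' principal."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        doc = res.get("Properties", {}).get("AssumeRolePolicyDocument", {})
        for stmt in doc.get("Statement", []):
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if stmt.get("Effect") != "Allow" or not ({"sts:AssumeRole", "sts:*"} & set(actions)):
                continue
            principals = stmt.get("Principal", {}).get("AWS", [])
            principals = [principals] if not isinstance(principals, list) else principals
            if any(flatten(p).endswith(":root") for p in principals):
                findings.append(name)
                break
    return findings
```

Run it against `cdk synth` output (loaded with a YAML or JSON parser) to confirm which pipeline roles still carry the broad trust; a role whose only Allow statement names a specific role ARN will not be reported.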