Description
Describe the bug
When using the CodePipeline v2 construct, some underlying roles are created. Two of these roles have overly broad trust policies (which are also reported by Snyk as a High vulnerability).
The following roles are created (in an example project):
- CdkPipelineInvestigationS-PipelineBuildSynthCdkBuil-xxx --> ok
- CdkPipelineInvestigationS-PipelineCodeBuildActionRo-xxx --> ok
- CdkPipelineInvestigationS-PipelineProdPromoteToProd-xxx --> Not Ok: can be assumed by the entire account (but no permissions)
- CdkPipelineInvestigationS-PipelineSourceYYY-xxx --> Not Ok: can be assumed by the entire account
- CdkPipelineInvestigationS-PipelineUpdatePipelineSel-xxx --> ok
- CdkPipelineInvestigationStack-PipelineRoleB27FAA37-xxx --> ok
Regression Issue
- Select this option if this issue appears to be a regression.
Last Known Working CDK Version
2.181.1
Expected Behavior
The two roles should be as restricted as the other 4 roles, e.g. assumable only by a specific role ARN or by a service principal within this account.
Current Behavior
Anyone within the account can assume those roles. For the CdkPipelineInvestigationS-PipelineSourceYYY-xxx role this means that any principal in the account that assumes it can use the KMS key or put objects into the artifacts bucket.
Reproduction Steps
Example stack that creates the roles:

```ts
import {
  Cache,
  ComputeType,
  LinuxArmBuildImage,
  LocalCacheMode,
} from 'aws-cdk-lib/aws-codebuild';
import {
  CodePipeline,
  CodePipelineSource,
  ManualApprovalStep,
  ShellStep,
} from 'aws-cdk-lib/pipelines';
import { Queue } from 'aws-cdk-lib/aws-sqs';
import * as cdk from 'aws-cdk-lib';
import { Construct } from 'constructs';

export class CdkPipelineInvestigationStack extends cdk.Stack {
  constructor(scope: Construct, id: string, props?: cdk.StackProps) {
    super(scope, id, props);

    const pipelineSource = CodePipelineSource.connection(
      'Org/src',
      'master',
      {
        connectionArn: 'arn:aws:codestar-connections:us-east-1:123456789012:connection/12345678-1234-1234-1234-123456789012',
        codeBuildCloneOutput: true,
      },
    );

    const codePipeline = new CodePipeline(this, 'Pipeline', {
      pipelineName: 'pipeline-name',
      useChangeSets: false,
      crossAccountKeys: false,
      synth: new ShellStep('Synth', {
        input: pipelineSource,
        commands: [
          'npm ci && npm run build',
        ],
      }),
      dockerEnabledForSynth: true,
      codeBuildDefaults: {
        buildEnvironment: {
          buildImage: LinuxArmBuildImage.AMAZON_LINUX_2_STANDARD_3_0,
          computeType: ComputeType.SMALL,
        },
        cache: Cache.local(LocalCacheMode.DOCKER_LAYER),
      },
    });

    class ProdStage extends cdk.Stage {
      constructor(scope: Construct, id: string, props?: cdk.StageProps) {
        super(scope, id, props);
        new ProdStack(this, 'ProdStack', {
          env: props?.env,
        });
      }
    }

    class ProdStack extends cdk.Stack {
      constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);
        new Queue(this, 'MyQueue', {
          queueName: 'prod-queue',
          visibilityTimeout: cdk.Duration.seconds(300),
        });
      }
    }

    codePipeline.addStage(new ProdStage(this, 'Prod'), {
      pre: [
        new ManualApprovalStep('PromoteToProd'),
      ],
    });
  }
}
```
Deploy this stack and check the roles.
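One way to do the "check the roles" step, and to verify the expected behaviour above, is to classify the principals in each role's trust policy after deployment: a trust policy whose only `Allow` principal is the account root (`arn:aws:iam::ACCOUNT:root`) with no `Condition` is exactly the account-wide trust the bug describes, while a service principal or a specific role ARN is the restricted form. The following is an added example, not code from the aws-cdk project. The policy shape follows the IAM trust policy document format; the sample documents (account id 123456789012 from the stack above, the role name `PipelineRole` and the condition key value) are constructed for illustration, and `classifyTrustPolicy` / `accountWideUnconditioned` are names chosen here.

```typescript
// Added example (not aws-cdk project code): classify principals in an IAM role
// trust policy so account-wide trust can be spotted after a deployment, e.g. on
// the output of `aws iam get-role` (AssumeRolePolicyDocument).

type PrincipalBlock =
  | string
  | { AWS?: string | string[]; Service?: string | string[]; Federated?: string | string[] };

interface TrustStatement {
  Effect: 'Allow' | 'Deny';
  Principal: PrincipalBlock;
  Action: string | string[];
  Condition?: Record<string, unknown>;
}

interface TrustPolicy {
  Version: string;
  Statement: TrustStatement | TrustStatement[];
}

type Scope = 'public' | 'account-wide' | 'role' | 'service' | 'federated' | 'other';

interface Finding {
  principal: string;
  scope: Scope;
  conditioned: boolean; // a Condition block narrows who can actually assume
}

const ACCOUNT_ROOT = /^arn:aws:iam::\d{12}:root$/;
const BARE_ACCOUNT = /^\d{12}$/; // "AWS": "123456789012" is shorthand for root
const ROLE_ARN = /^arn:aws:iam::\d{12}:role\//;

function asList<T>(v: T | T[] | undefined): T[] {
  if (v === undefined) return [];
  return Array.isArray(v) ? (v as T[]) : [v as T];
}

function scopeOfAwsPrincipal(p: string): Scope {
  if (p === '*') return 'public';
  if (ACCOUNT_ROOT.test(p) || BARE_ACCOUNT.test(p)) return 'account-wide';
  if (ROLE_ARN.test(p)) return 'role';
  return 'other';
}

// One Finding per (Allow statement, principal) pair; Deny statements are skipped.
function classifyTrustPolicy(policy: TrustPolicy): Finding[] {
  const findings: Finding[] = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== 'Allow') continue;
    const conditioned = stmt.Condition !== undefined && Object.keys(stmt.Condition).length > 0;
    const p = stmt.Principal;
    if (typeof p === 'string') {
      findings.push({ principal: p, scope: p === '*' ? 'public' : 'other', conditioned });
      continue;
    }
    for (const aws of asList(p.AWS)) {
      findings.push({ principal: aws, scope: scopeOfAwsPrincipal(aws), conditioned });
    }
    for (const svc of asList(p.Service)) findings.push({ principal: svc, scope: 'service', conditioned });
    for (const fed of asList(p.Federated)) findings.push({ principal: fed, scope: 'federated', conditioned });
  }
  return findings;
}

// Principals that let the whole account (or anyone) assume the role with no Condition.
function accountWideUnconditioned(policy: TrustPolicy): string[] {
  return classifyTrustPolicy(policy)
    .filter((f) => (f.scope === 'account-wide' || f.scope === 'public') && !f.conditioned)
    .map((f) => f.principal);
}

// Constructed sample documents (shapes only; account id taken from the stack above).
const SAMPLE_ACCOUNT_WIDE: TrustPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:root' }, Action: 'sts:AssumeRole' }],
};
const SAMPLE_SERVICE: TrustPolicy = {
  Version: '2012-10-17',
  Statement: { Effect: 'Allow', Principal: { Service: 'codebuild.amazonaws.com' }, Action: 'sts:AssumeRole' },
};
const SAMPLE_ROLE_SCOPED: TrustPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:role/PipelineRole' }, Action: 'sts:AssumeRole' }],
};
const SAMPLE_CONDITIONED: TrustPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::123456789012:root' },
    Action: 'sts:AssumeRole',
    Condition: { ArnLike: { 'aws:PrincipalArn': 'arn:aws:iam::123456789012:role/PipelineRole' } },
  }],
};

console.log(accountWideUnconditioned(SAMPLE_ACCOUNT_WIDE)); // the "Not Ok" shape
console.log(accountWideUnconditioned(SAMPLE_SERVICE)); // restricted, nothing flagged
```

Running this over the `AssumeRolePolicyDocument` of each of the six roles listed above would flag the `PromoteToProd` and `Source` roles and leave the other four empty. The `conditioned` flag matters for the caveat in this issue: an account-root principal combined with an `aws:PrincipalArn` (or similar) condition is how IAM expresses "a specific role in this account" without a hard dependency on that role existing, so it is not reported as account-wide here.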
Possible Solution
Restrict the trust relationship of the two remaining roles.
Additional Information/Context
No response
CDK CLI Version
2.1001.0 (build 130445d)
Framework Version
No response
Node.js Version
v22.14.0
OS
macOS
Language
TypeScript
Language Version
5.8.2