# aws-kms: `Key.grant*` methods misidentify Key region when enclosing Stack is different region; leads to wildcard resource ARNs (#29308)
Comments
Thank you for the detailed report. We'll look into this for further investigation.

Thanks for the report. I can reproduce this issue and will work on a PR to fix it.
…ck is different region (#29315)

### Issue # (if applicable)

Closes #29308

### Reason for this change

This problem is grant() determines the region of a Key using Stack.of(key).region, however the enclosing Stack's region may differ to that of the actual resource. When this happens, the IAM policy generated allows a `*` resource which is against the least privilege rule.

### Description of changes

KMS key already has `env` value on account and region, use this first. If not exist, use stack account and region.

### Description of how you validated changes

New unit test

### Checklist

- [X] My code adheres to the [CONTRIBUTING GUIDE](https:/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https:/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

---------

Co-authored-by: paulhcsun <[email protected]>
### Describe the bug

This is a possible cause of #23991.

This problem is `grant()` determines the region of a `Key` using `Stack.of(key).region`, however the enclosing `Stack`'s region may differ to that of the actual resource.

`aws-cdk/packages/aws-cdk-lib/aws-kms/lib/key.ts`, lines 259 to 266 in 8d07b85

One example of where these differ is when the `Key` was imported as a `replicaKey` within a Global DynamoDB `TableV2` - in these contexts, resources under several regions must be scoped under a single-region `Stack`.

In the below example, we attempt to grant an `eu-north-1` key (via its attached table replica) to an `eu-north-1` IAM role. However, since the former was managed under a `us-west-2` stack, we see the behaviour for when regions mismatch.

### Expected Behavior

For the above example, we expect the `Resource` in the statement to resolve to one ARN:

### Current Behavior

Instead, the `Resource` field is a wild-card `"*"` - this is overly permissive.

### Reproduction Steps

A short, less practical reproduction.

### Possible Solution

Resources provided an `env` property which can be used instead of `Stack.region`: https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_apigateway.IResource.html#env . `Key.fromKeyArn` already sets this appropriately:

`aws-cdk/packages/aws-cdk-lib/aws-kms/lib/key.ts`, line 554 in 8d07b85

### Additional Information/Context

No response

### CDK CLI Version

2.106.0

### Framework Version

No response

### Node.js Version

v18.16.0

### OS

Amazon Linux 2

### Language

TypeScript

### Language Version

No response

### Other information

No response
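The following is an added example, not code from the issue or from aws-cdk. It models the decision the report describes (a grant judged cross-environment falls back to `Resource: "*"`, otherwise it is scoped to the key ARN) with two resolvers side by side: the Stack-based lookup the issue identifies as the cause and the env-first lookup the fix adopts. It then runs a defender-side check that flags KMS statements whose resource is `*`. `StackLike`, `KeyLike`, `GranteeLike`, `buildGrantStatement` and `findWildcardKmsStatements` are hypothetical stand-ins for the CDK types and grant flow, and the account id and key id are constructed placeholders.

```typescript
// Added example (not aws-cdk code): a minimal model of how Key.grant* ends up
// emitting '*' versus the key ARN, with the Stack-based region lookup from the
// issue beside the env-first lookup from the fix, plus a wildcard check.

interface Env { account: string; region: string }

// Hypothetical stand-ins for the CDK constructs involved (not the real API).
interface StackLike { env: Env }                                    // what Stack.of(x) resolves to
interface KeyLike { keyArn: string; stack: StackLike; env?: Env }   // env: populated on imported keys
interface GranteeLike { stack: StackLike }

interface Statement { Effect: 'Allow'; Action: string[]; Resource: string[] }

type EnvResolver = (key: KeyLike) => Env;

// Behaviour reported in the issue: region/account taken from the enclosing Stack.
const envFromEnclosingStack: EnvResolver = (key) => key.stack.env;

// Behaviour described in the fix: use the key's own env when present, else the Stack's.
const envPreferringKey: EnvResolver = (key) => key.env ?? key.stack.env;

// Simplified model of the grant flow: a grant judged cross-environment falls back
// to Resource '*'; a same-environment grant is scoped to the key ARN.
function buildGrantStatement(
  key: KeyLike, grantee: GranteeLike, actions: string[], resolveEnv: EnvResolver,
): Statement {
  const keyEnv = resolveEnv(key);
  const granteeEnv = grantee.stack.env;
  const crossEnvironment =
    keyEnv.account !== granteeEnv.account || keyEnv.region !== granteeEnv.region;
  return { Effect: 'Allow', Action: actions, Resource: crossEnvironment ? ['*'] : [key.keyArn] };
}

// Defender-side check: report statements granting kms:* actions on Resource '*'.
function findWildcardKmsStatements(statements: Statement[]): Statement[] {
  return statements.filter(
    (s) => s.Action.some((a) => a.slice(0, 4) === 'kms:') && s.Resource.indexOf('*') !== -1,
  );
}

// Constructed sample matching the issue's scenario: a key that really lives in
// eu-north-1 but is managed by a us-west-2 stack (a Global Table replica key),
// granted to a role in eu-north-1. Account id and key id are placeholders.
const account = '111111111111';
const keyRegion = 'eu-north-1';
const replicaKey: KeyLike = {
  keyArn: `arn:aws:kms:${keyRegion}:${account}:key/00000000-0000-0000-0000-000000000000`,
  stack: { env: { account, region: 'us-west-2' } },
  env: { account, region: keyRegion },            // as Key.fromKeyArn would set it
};
const roleInEuNorth1: GranteeLike = { stack: { env: { account, region: 'eu-north-1' } } };
const roleInUsEast1: GranteeLike = { stack: { env: { account, region: 'us-east-1' } } };
const actions = ['kms:Decrypt', 'kms:Encrypt'];

// The report's case: same real region, different enclosing Stack region.
function reproduceIssue(): Statement {
  return buildGrantStatement(replicaKey, roleInEuNorth1, actions, envFromEnclosingStack);
}
function applyFix(): Statement {
  return buildGrantStatement(replicaKey, roleInEuNorth1, actions, envPreferringKey);
}
// A grantee that genuinely sits in another region still gets the '*' fallback.
function genuinelyCrossRegion(): Statement {
  return buildGrantStatement(replicaKey, roleInUsEast1, actions, envPreferringKey);
}

console.log('stack-based:', JSON.stringify(reproduceIssue().Resource));   // ["*"]
console.log('env-based:', JSON.stringify(applyFix().Resource));           // the key ARN
console.log('flagged:', findWildcardKmsStatements([reproduceIssue(), applyFix()]).length); // 1
```

The wildcard check is the part worth keeping around: run it over the statements in a synthesized template and any `kms:*` action on `*` stands out, whether it came from this mis-resolution or from a grant that is genuinely cross-region and therefore still falls back to `*` after the fix.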