aws-stepfunctions-tasks: Add IAM policy condition to the auto-generated IAM policy document #29944
Comments
Yes, we should allow users to specify conditions in
I just checked the doc here for the IAM policies but I can't find any sample with the

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Condition": {
        "StringEquals": {
          "events:source": "<YOUR_STATE_MACHINE_ARN>"
        }
      },
      "Action": "events:PutEvents",
      "Resource": [
        "arn:aws:events:us-east-1:XXXXXXXXXXXX:event-bus/default",
        "arn:aws:events:us-east-1:XXXXXXXXXXXX:event-bus/MyEventBus1"
      ],
      "Effect": "Allow"
    }
  ]
}
```
This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.
Describe the feature

We have been setting up a new AWS account that uses EventBridge with Step Functions. While using the `EventBridgePutEvents` state to directly emit events from the state machines, we noticed that it automatically creates an IAM policy with the `events:PutEvents` action and the `eventBus` specified in props. In our setup we wanted to add an additional IAM policy condition on the `events:source` key to ensure each state machine is allowed to act as that source. That's to have better integrity over who can put what events on the shared event bus.

Use Case

Have control over the auto-generated IAM policies of Step Functions state constructs.
This ensures that even if the Step Functions object is tinkered with, intentionally or unintentionally, it won't be able to emit events as any other source, as long as the IAM policy is restricting it.
This will allow us to monitor IAM policies, create verification aspects on them, etc.

Proposed Solution

Add an extra property in `EventBridgePutEventsProps`, or even the parent `TaskStateBaseProps`, called `conditions`. Then, when constructing the state, the user can pass additional conditions if needed.

Other Information

The alternative we have been using is doing this through a Lambda function which has this policy configured manually. So the step function has a `lambda:invoke` policy, and the Lambda has an `events:PutEvents` policy with the source condition.
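To make the security argument of this request concrete, here is an added example (not part of the issue, and not CDK's own code). It models the two policy documents the issue contrasts, the unconditioned `events:PutEvents` statement that the `EventBridgePutEvents` task generates today and the same statement with a `StringEquals` condition on `events:source`, then does two things a practitioner would want: an audit check that flags `PutEvents` allows lacking the source condition (the kind of check the issue calls a "verification aspect", usable in CI over a synthesized template), and a deliberately simplified IAM evaluation showing that only the conditioned policy stops a state machine from emitting events under another source. It also shows the trap that adding a conditioned statement next to the generated one does not help, because Allow statements are ORed. All ARNs, bus names and the `com.example.spoofed` source are constructed; Deny statements, wildcards in condition values and other IAM semantics are intentionally out of scope.

```python
"""Audit IAM policy documents for unconditioned events:PutEvents grants and
evaluate constructed PutEvents requests against them (simplified IAM model)."""
from fnmatch import fnmatchcase

# Constructed identifiers (not taken from the issue or any real account).
ACCOUNT = "111122223333"
STATE_MACHINE_ARN = f"arn:aws:states:us-east-1:{ACCOUNT}:stateMachine:OrderProcessor"
EVENT_BUS_ARN = f"arn:aws:events:us-east-1:{ACCOUNT}:event-bus/MyEventBus1"
DEFAULT_BUS_ARN = f"arn:aws:events:us-east-1:{ACCOUNT}:event-bus/default"

# Shape of the statement the EventBridgePutEvents task generates today: no condition.
GENERATED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "events:PutEvents", "Resource": [EVENT_BUS_ARN]}
    ],
}

# The statement the issue asks for: same grant, pinned to one events:source value.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "events:PutEvents",
            "Resource": [EVENT_BUS_ARN],
            "Condition": {"StringEquals": {"events:source": STATE_MACHINE_ARN}},
        }
    ],
}

# Anti-pattern: appending the conditioned statement without removing the generated one.
COMBINED_POLICY = {
    "Version": "2012-10-17",
    "Statement": GENERATED_POLICY["Statement"] + HARDENED_POLICY["Statement"],
}


def _as_list(value):
    """IAM allows a string or a list for Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def _grants_put_events(stmt):
    """True if an Allow statement's Action matches events:PutEvents (case-insensitive,
    glob wildcards honoured as IAM does)."""
    if stmt.get("Effect") != "Allow":
        return False
    return any(fnmatchcase("events:putevents", a.lower()) for a in _as_list(stmt.get("Action", [])))


def unconditioned_put_events(policy):
    """Audit: indexes of Allow statements granting events:PutEvents without a
    StringEquals condition on events:source. A non-empty list fails the check."""
    offenders = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if not _grants_put_events(stmt):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if "events:source" not in equals:
            offenders.append(i)
    return offenders


def allows_put_events(policy, event_bus_arn, source):
    """Simplified evaluation of one PutEvents call: allowed if any Allow statement
    matches the action, the bus ARN, and every StringEquals key it carries.
    Deny statements and other condition operators are not modelled."""
    request_context = {"events:source": source}
    for stmt in policy.get("Statement", []):
        if not _grants_put_events(stmt):
            continue
        if not any(fnmatchcase(event_bus_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_context.get(key) in _as_list(wanted) for key, wanted in equals.items()):
            return True
    return False


if __name__ == "__main__":
    for name, policy in [("generated", GENERATED_POLICY), ("hardened", HARDENED_POLICY), ("combined", COMBINED_POLICY)]:
        print(f"{name}: unconditioned PutEvents statements = {unconditioned_put_events(policy)}")
        print(f"  own source allowed:     {allows_put_events(policy, EVENT_BUS_ARN, STATE_MACHINE_ARN)}")
        print(f"  spoofed source allowed: {allows_put_events(policy, EVENT_BUS_ARN, 'com.example.spoofed')}")
        print(f"  other bus allowed:      {allows_put_events(policy, DEFAULT_BUS_ARN, STATE_MACHINE_ARN)}")
```

The audit function is the reusable part: run it over the `PolicyDocument` of every `AWS::IAM::Policy` in a synthesized template, or wrap it in a CDK Aspect, and fail the build when it returns a non-empty list. The `COMBINED_POLICY` result is the caveat to remember once a `conditions` property exists or an escape hatch is used: the generated unconditioned statement must be replaced, not supplemented, or the source restriction is never enforced.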
CDK version used
2.133.0