
Add permission boundaries to the stack

When I deploy a CDK stack, it creates several roles, both explicitly (e.g. via the iam.Role construct) and implicitly (e.g. when roles are created internally by Level 2 constructs).

Is there a way to attach an existing permission boundary to all the roles being created by the stack - both explicit and implicit?

Yes, through aspects.

You can add the following in bin/app.ts (the file might be named differently):

// CDK v2 imports (on CDK v1 the same names come from '@aws-cdk/core' and '@aws-cdk/aws-iam')
import { App, Aspects, IAspect, Stack } from 'aws-cdk-lib';
import { CfnRole, Effect, ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IConstruct } from 'constructs';

// Visits every construct in the tree; every role, explicit or implicit, ends up
// as a CfnRole at the L1 level, so matching on CfnRole catches all of them.
class ConfigurePermissionBoundary implements IAspect {
  visit(node: IConstruct): void {
    if (node instanceof CfnRole) {
      const stack1 = Stack.of(node);
      // Reuse the boundary policy if this stack already has one, otherwise create it once per stack
      let policy = stack1.node.tryFindChild('GlobalPermissionBoundaryPolicy') as ManagedPolicy | undefined;

      if (!policy) {
        policy = new ManagedPolicy(stack1, 'GlobalPermissionBoundaryPolicy', {
          statements: [new PolicyStatement({
            effect: Effect.DENY,
            actions: ['sts:*'],
            resources: ['*']
          })]
        });
      }

      // Sets the PermissionsBoundary property on the underlying AWS::IAM::Role
      node.permissionsBoundary = policy.managedPolicyArn;
    }
  }
}

const app = new App(); // the App instance that bin/app.ts already creates
Aspects.of(app).add(new ConfigurePermissionBoundary());

Please note that we're adding a managed policy GlobalPermissionBoundaryPolicy that defines the permission boundary once. Also, the aspect handles both new iam.Role() as well as any new CfnRole() defined by your code or by library code.
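A post-synth check that the aspect really reached every role, added here as an example and not part of the original answer: it walks a synthesized template from cdk.out and flags any AWS::IAM::Role whose PermissionsBoundary is absent or does not reference the stack's GlobalPermissionBoundaryPolicy resource. The sample template and the logical-id prefix match are constructed assumptions.

```python
import json
from typing import Dict, List, Tuple

# CDK names the policy's logical ID after the construct id plus a hash suffix
# (assumption: the aspect above used the id 'GlobalPermissionBoundaryPolicy').
BOUNDARY_POLICY_ID = "GlobalPermissionBoundaryPolicy"


def audit_role_boundaries(template: Dict) -> List[Tuple[str, str]]:
    """Return (role logical id, problem) for every AWS::IAM::Role whose
    PermissionsBoundary is missing or does not Ref the stack's boundary policy."""
    resources = template.get("Resources", {})
    policy_ids = {lid for lid, r in resources.items()
                  if r.get("Type") == "AWS::IAM::ManagedPolicy"
                  and lid.startswith(BOUNDARY_POLICY_ID)}
    findings: List[Tuple[str, str]] = []
    for lid, res in resources.items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        boundary = res.get("Properties", {}).get("PermissionsBoundary")
        if boundary is None:
            findings.append((lid, "no PermissionsBoundary"))
        elif not (isinstance(boundary, dict) and boundary.get("Ref") in policy_ids):
            findings.append((lid, f"boundary is not the stack policy: {json.dumps(boundary)}"))
    return findings


# Constructed sample resembling cdk.out/<stack>.template.json: one explicit role
# the aspect covered, one implicit Lambda service role it missed, and one role
# pinned to an unrelated hard-coded ARN.
SAMPLE_TEMPLATE = {
    "Resources": {
        "GlobalPermissionBoundaryPolicyABCD1234": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {"PolicyDocument": {"Statement": [
                {"Effect": "Deny", "Action": "sts:*", "Resource": "*"}]}}},
        "AppRole1A2B3C": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {},
                           "PermissionsBoundary": {"Ref": "GlobalPermissionBoundaryPolicyABCD1234"}}},
        "FnServiceRole4D5E6F": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {}}},
        "OtherRole7G8H9I": {
            "Type": "AWS::IAM::Role",
            "Properties": {"AssumeRolePolicyDocument": {},
                           "PermissionsBoundary": "arn:aws:iam::123456789012:policy/SomeOtherBoundary"}},
    }
}

if __name__ == "__main__":
    for role, problem in audit_role_boundaries(SAMPLE_TEMPLATE):
        print(f"{role}: {problem}")
```

Run it against each `*.template.json` in cdk.out as a CI gate; a non-empty result means a role escaped the aspect (for instance one created in a nested stack the aspect was not added to).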
