When I deploy a CDK stack, it creates several roles, both explicitly (e.g. via the iam.Role construct) and implicitly (e.g. when roles are created internally by Level 2 constructs).
Is there a way to attach an existing permission boundary to all the roles being created by the stack, both explicit and implicit?
Yes, through aspects.
You can add the following in bin/app.ts (the file might be named differently):
// Imports added for completeness (CDK v2 module layout; CDK v1 used @aws-cdk/core and @aws-cdk/aws-iam instead)
import { App, Aspects, IAspect, Stack } from 'aws-cdk-lib';
import { CfnRole, Effect, ManagedPolicy, PolicyStatement } from 'aws-cdk-lib/aws-iam';
import { IConstruct } from 'constructs';

class ConfigurePermissionBoundary implements IAspect {
  // Aspects visit every construct in the tree at synthesis time; only L1 roles are of interest here
  visit(node: IConstruct): void {
    if (node instanceof CfnRole) {
      const stack1 = Stack.of(node);
      // Create the boundary policy once per stack; reuse it if an earlier visit already created it
      let policy = stack1.node.tryFindChild('GlobalPermissionBoundaryPolicy') as ManagedPolicy | undefined;
      if (!policy) {
        policy = new ManagedPolicy(stack1, 'GlobalPermissionBoundaryPolicy', {
          statements: [new PolicyStatement({
            effect: Effect.DENY,
            actions: ['sts:*'],
            resources: ['*'],
          })],
        });
      }
      // Every role, explicit or created internally by an L2 construct, gets the boundary
      node.permissionsBoundary = policy.managedPolicyArn;
    }
  }
}

const app = new App();
Aspects.of(app).add(new ConfigurePermissionBoundary());
Please note that we're adding a managed policy GlobalPermissionBoundaryPolicy that defines the permission boundary once. Also, the aspect handles both new iam.Role() as well as any new CfnRole() defined by your code or by library code.