Using the C# CDK library, I'm building various IAM roles that are used to limit permissions for my CI/CD pipelines to deploy Elastic Beanstalk applications. Right now, I set the Resources property of my PolicyStatementProps object to ["*"], but this is far too permissive.
Using the AWSServiceRoleForElasticBeanstalk managed policy as an example to go by, I see they add ARNs like the following:
"arn:aws:cloudformation:*:*:stack/awseb-*"
I imagine I’ll want something like this for my custom IAM role, but I’m not sure how to build these resource ARNs using the CDK. I feel like this shouldn’t be just a hard-coded string due to the dynamic and variable nature of the infrastructure itself, but I don’t have the experience to know for sure.
I do know that I want to limit the ARN to only specific accounts (which is * in the example above, instead of a real account ID). Wildcards are probably appropriate to keep it simple, especially if there's no way to use the EB-specific objects in my CDK code to obtain the resource ARNs to attach to my role's inline policy automatically.
What is the best and most idiomatic method of setting up the resource ARNs in my custom IAM role?
2 Answers
Applying least-privilege permissions is a fundamental AWS security best practice. What counts as "least privilege" depends on the context. Sometimes "*" is the least-privilege option; often it is not.

The CDK helps with permissions in several ways:
- The tableArn property of a Table construct can be passed around in your code. The CDK converts the property to a reference that CloudFormation resolves at deploy-time.
- Add the AwsSolutionsChecks construct (from cdk-nag) to your app. It checks your template against a set of standard rules. Some of the default rules are relevant to IAM permissions. For instance, cdk-nag will complain if you use an AWS managed policy or if your policies include wildcards.

According to Amazon resource name format for Elastic Beanstalk, if you need to build the application ARN, you can use Stack.formatArn, e.g.

You get the output:
arn:aws:elasticbeanstalk:us-east-1:<deducted>:application:AppName
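The formatArn approach from the second answer, written out for the question's C# case as an added example (not code from either answer): it assumes CDK v2 for .NET, a hypothetical application name "AppName", and illustrative actions and CI principal, and scopes both ARNs to the stack's own account and region rather than to `*`.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.IAM;
using Constructs;

// Added example: builds Elastic Beanstalk resource ARNs with Stack.FormatArn
// instead of hard-coding them, scoped to this stack's account and region.
public class EbDeployRoleStack : Stack
{
    public EbDeployRoleStack(Construct scope, string id, IStackProps props = null)
        : base(scope, id, props)
    {
        // FormatArn fills partition, region and account from the stack's environment
        // (as tokens CloudFormation resolves on deploy), so none of them is a literal.
        var applicationArn = FormatArn(new ArnComponents
        {
            Service = "elasticbeanstalk",
            Resource = "application",
            ResourceName = "AppName",                  // hypothetical application name
            ArnFormat = ArnFormat.COLON_RESOURCE_NAME  // ...:application:AppName
        });
        // Elastic Beanstalk names the CloudFormation stacks it creates awseb-*; the
        // wildcard stays on the stack name only, never on the account or region.
        var ebStackArn = FormatArn(new ArnComponents
        {
            Service = "cloudformation",
            Resource = "stack",
            ResourceName = "awseb-*",
            ArnFormat = ArnFormat.SLASH_RESOURCE_NAME  // ...:stack/awseb-*
        });
        var deployRole = new Role(this, "EbDeployRole", new RoleProps
        {
            // Hypothetical CI principal; replace with whatever your pipeline assumes.
            AssumedBy = new ServicePrincipal("codebuild.amazonaws.com")
        });
        // Illustrative actions; the point is the Resources list, no longer ["*"].
        deployRole.AddToPolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Actions = new[] { "elasticbeanstalk:DescribeApplications", "elasticbeanstalk:UpdateApplication" },
            Resources = new[] { applicationArn }
        }));
        deployRole.AddToPolicy(new PolicyStatement(new PolicyStatementProps
        {
            Effect = Effect.ALLOW,
            Actions = new[] { "cloudformation:DescribeStacks" },
            Resources = new[] { ebStackArn }
        }));
    }
}
```

Run `cdk synth` on the stack and the generated policy shows the account and region as CloudFormation pseudo-parameter references rather than `*`, which is what cdk-nag's wildcard rule from the first answer checks for.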