feat(aws-stepfunctions-tasks): scope batch SubmitJob IAM to specific resources #37601

Open

Sagargupta16 wants to merge 1 commit into aws:main from

Conversation
…job definition

Scope the batch:SubmitJob IAM policy to the specific job definition and job queue ARNs instead of granting access to all job definitions (job-definition/*). This follows least-privilege principles. When jobDefinitionArn or jobQueueArn is a JsonPath/JSONata expression, fall back to wildcard resource since the ARN is unknown at synth time.

Fixes aws#37214
Issue # (if applicable)

Closes #37214.

Reason for this change

The `BatchSubmitJob` task currently grants `batch:SubmitJob` with `Resource: *`, allowing the state machine execution role to submit jobs to any job definition and queue in the account. This violates the principle of least privilege.

Description of changes

Modified `configurePolicyStatements()` in `submit-job.ts` to scope the IAM policy `Resource` to the specific job definition ARN and job queue ARN when they are concrete values (not JsonPath/JSONata expressions).

When either `jobDefinitionArn` or `jobQueueArn` is a dynamic expression (JsonPath/JSONata), we fall back to `Resource: *` since the actual ARN is only known at runtime.

The existing `isJsonPathOrJsonataExpression()` utility (already used elsewhere in the codebase) is used to detect dynamic values.

Describe any new or updated permissions being added

The `batch:SubmitJob` permission is now scoped to specific resources instead of `*`:

- `Resource: [jobDefinitionArn, jobQueueArn]` when both are concrete ARNs
- `Resource: *` when either is a JsonPath/JSONata expression (unchanged behavior)

Description of how you validated changes

Added two unit tests:

- `scopes IAM policy to specific job definition and job queue` - verifies the Resource array contains the specific job definition ref and job queue ARN when concrete values are provided
- `uses wildcard resource when jobDefinitionArn is a JsonPath expression` - verifies Resource remains `*` when dynamic expressions are used

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
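The Resource selection the description above lays out, written as an added TypeScript example (not the CDK code from this PR): the `isJsonPathOrJsonataExpression` heuristic here is an assumption modelled on CDK's conventions, the ARNs are constructed placeholders, and `hasUnnecessaryWildcard` is a hypothetical review check for the pre-PR behaviour.

```typescript
// Added example, not the CDK implementation: models the Resource selection described in the PR.

interface SubmitJobProps {
  jobDefinitionArn: string;
  jobQueueArn: string;
}

interface PolicyStatementLike {
  actions: string[];
  resources: string[];
}

// Assumption (mirrors CDK conventions, not its code): a JsonPath value starts
// with "$" and a JSONata value is wrapped in "{% ... %}".
function isJsonPathOrJsonataExpression(value: string): boolean {
  const v = value.trim();
  return v.startsWith('$') || (v.startsWith('{%') && v.endsWith('%}'));
}

// Hardened form: concrete ARNs are listed; any dynamic ARN forces the wildcard,
// because the target is only known when the state machine runs.
function submitJobPolicyStatement(props: SubmitJobProps): PolicyStatementLike {
  const dynamic = [props.jobDefinitionArn, props.jobQueueArn]
    .some(isJsonPathOrJsonataExpression);
  return {
    actions: ['batch:SubmitJob'],
    resources: dynamic ? ['*'] : [props.jobDefinitionArn, props.jobQueueArn],
  };
}

// Hypothetical review check: flags a batch:SubmitJob statement that still uses "*"
// even though every ARN was concrete at synth time (the pre-PR behaviour).
function hasUnnecessaryWildcard(props: SubmitJobProps, stmt: PolicyStatementLike): boolean {
  const concrete = ![props.jobDefinitionArn, props.jobQueueArn]
    .some(isJsonPathOrJsonataExpression);
  return concrete && stmt.actions.includes('batch:SubmitJob') && stmt.resources.includes('*');
}

// Constructed sample inputs (account id and names are placeholders).
const concreteProps: SubmitJobProps = {
  jobDefinitionArn: 'arn:aws:batch:us-east-1:123456789012:job-definition/demo-def:1',
  jobQueueArn: 'arn:aws:batch:us-east-1:123456789012:job-queue/demo-queue',
};
const dynamicProps: SubmitJobProps = { ...concreteProps, jobDefinitionArn: '$.jobDefinitionArn' };
const legacyStatement: PolicyStatementLike = { actions: ['batch:SubmitJob'], resources: ['*'] };

console.log(submitJobPolicyStatement(concreteProps).resources);    // the two specific ARNs
console.log(submitJobPolicyStatement(dynamicProps).resources);     // ['*']
console.log(hasUnnecessaryWildcard(concreteProps, legacyStatement)); // true
```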