
Bootstrapping: Security Hub Findings incorrectly refer to Sid: PipelineCrossAccountArtifactsBucket #28924

Closed
FarrOut opened this issue Jan 30, 2024 · 4 comments
Labels: @aws-cdk/aws-iam (Related to AWS Identity and Access Management), @aws-cdk/core (Related to core CDK functionality), bug (This issue is a bug.), documentation (This is a problem with documentation.), effort/medium (Medium work item – several days of effort), investigating (This issue is being investigated and/or work is in progress to resolve the issue.), p1

Comments

@FarrOut

FarrOut commented Jan 30, 2024

Describe the issue

Overview

The Concepts > Bootstrapping page of the Dev guide has a section on Security Hub Findings. This section makes an incorrect reference to a policy statement in the deployment role (cdk-hnb659fds-deploy-role-ACCOUNT-REGION).

Example

Under the paragraph starting with What if I want to fix this finding?

If you are not using AWS CDK Pipelines for cross-account deployments: remove the statement with Sid: PipelineCrossAccountArtifactsBucket from the deploy role; or

If you are using AWS CDK Pipelines for cross-account deployments: after deploying your AWS CDK Pipeline, look up the AWS KMS Key ARN of the Artifact Bucket and replace the Resource: * of the Sid: PipelineCrossAccountArtifactsBucket statement with the actual Key ARN.

Problem

Sid: PipelineCrossAccountArtifactsBucket

Confirmed by inspecting the deployment role generated by CDK version 2.124.0 (build 4b6724c):

```json
{
    "Condition": {
        "StringEquals": {
            "kms:ViaService": "s3.us-west-1.amazonaws.com"
        }
    },
    "Action": [
        "kms:Decrypt",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:ReEncrypt*",
        "kms:GenerateDataKey*"
    ],
    "Resource": "*",
    "Effect": "Allow",
    "Sid": "PipelineCrossAccountArtifactsKey"
},
```

Proposed Correction

Security Hub Findings should refer to ... Sid: PipelineCrossAccountArtifactsKey

Links

Security Hub Findings

@FarrOut FarrOut added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Jan 30, 2024
@github-actions github-actions bot added the @aws-cdk/aws-iam Related to AWS Identity and Access Management label Jan 30, 2024
@pahud
Contributor

pahud commented Jan 30, 2024

Thanks for the report. Let me double check with the team.

@pahud pahud added p2 effort/medium Medium work item – several days of effort p1 investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed p2 needs-triage This issue or PR still needs to be triaged. labels Jan 30, 2024
@pahud pahud self-assigned this Jan 30, 2024
@pahud pahud added @aws-cdk/core Related to core CDK functionality bug This issue is a bug. labels Mar 14, 2024
@pahud pahud removed their assignment Mar 14, 2024
@vinayak-kukreja
Contributor

vinayak-kukreja commented Mar 15, 2024

Thank you for the report.

I believe if CDK Pipelines are not being used for cross account deployments, then we should delete both PipelineCrossAccountArtifactsKey and PipelineCrossAccountArtifactsBucket from the template.

And, we should also update it to PipelineCrossAccountArtifactsKey instead of PipelineCrossAccountArtifactsBucket in the scenario we are utilizing CDK Pipelines for cross account deployments.

We can update documentation related to this.

@vinayak-kukreja vinayak-kukreja self-assigned this Apr 17, 2024
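The two remediation paths discussed above (drop both pipeline statements when CDK Pipelines is not used cross-account, otherwise pin the PipelineCrossAccountArtifactsKey statement to the Artifact Bucket's KMS key ARN) can be applied and checked offline against a copy of the deploy role's policy document. The following is an added example and not code from the CDK project or from anyone in this thread. The KMS statement is the one quoted in the issue; the S3 statement for the Bucket Sid, the unrelated "CliPermissions" statement, the account id and the key id are constructed placeholders and are not what CDK emits verbatim.

```python
import copy
import json
import re

# Sids named in the issue thread.
KEY_SID = "PipelineCrossAccountArtifactsKey"
BUCKET_SID = "PipelineCrossAccountArtifactsBucket"
PIPELINE_SIDS = {KEY_SID, BUCKET_SID}

# Constructed sample policy document. Only the KMS statement mirrors the
# one quoted in the issue; the other two statements are illustrative.
SAMPLE_DEPLOY_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CliPermissions",  # placeholder, unrelated statement
            "Effect": "Allow",
            "Action": ["cloudformation:DescribeStacks"],
            "Resource": "*",
        },
        {
            "Sid": BUCKET_SID,  # assumed shape of the S3 companion statement
            "Effect": "Allow",
            "Action": ["s3:GetObject*", "s3:GetBucket*", "s3:List*",
                       "s3:Abort*", "s3:DeleteObject*", "s3:PutObject*"],
            "Resource": "*",
        },
        {
            "Condition": {"StringEquals": {"kms:ViaService": "s3.us-west-1.amazonaws.com"}},
            "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:Encrypt",
                       "kms:ReEncrypt*", "kms:GenerateDataKey*"],
            "Resource": "*",
            "Effect": "Allow",
            "Sid": KEY_SID,
        },
    ],
}

# IAM allows Action/Resource to be a string or a list; normalise to a list.
def _as_list(value):
    return value if isinstance(value, list) else [value]


def wildcard_kms_statements(policy):
    """Return the Sids of Allow statements that grant any kms: action (or "*")
    on Resource "*". This is the shape the Security Hub finding complains about."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any(a == "*" or a.lower().startswith("kms:") for a in actions):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def harden_deploy_role_policy(policy, using_cross_account_pipelines, artifact_key_arn=None):
    """Return a new policy document with the thread's remediation applied.

    Not using CDK Pipelines cross-account: remove both pipeline statements.
    Using them: keep the statements but replace Resource "*" on the KMS
    statement with the Artifact Bucket's key ARN. The input is not mutated.
    """
    new_policy = copy.deepcopy(policy)
    if not using_cross_account_pipelines:
        new_policy["Statement"] = [s for s in new_policy["Statement"]
                                   if s.get("Sid") not in PIPELINE_SIDS]
        return new_policy
    # Accept any partition (aws, aws-cn, aws-us-gov) but insist on a KMS key ARN.
    if not artifact_key_arn or not re.match(r"^arn:[^:]+:kms:[^:]+:\d{12}:key/", artifact_key_arn):
        raise ValueError("artifact_key_arn must be the Artifact Bucket's KMS key ARN")
    for stmt in new_policy["Statement"]:
        if stmt.get("Sid") == KEY_SID:
            stmt["Resource"] = artifact_key_arn
    return new_policy


if __name__ == "__main__":
    print("flagged before:", wildcard_kms_statements(SAMPLE_DEPLOY_ROLE_POLICY))
    pinned = harden_deploy_role_policy(
        SAMPLE_DEPLOY_ROLE_POLICY, True,
        "arn:aws:kms:us-west-1:111111111111:key/EXAMPLE-KEY-ID")  # placeholder ARN
    print("flagged after:", wildcard_kms_statements(pinned))
    print(json.dumps(pinned, indent=2))
```

Run it against the JSON you get from `aws iam get-role-policy` for the deploy role to see which statement the finding is really pointing at; the narrowed policy can then be applied as a bootstrap template customisation rather than by hand-editing the role in the console.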
@vinayak-kukreja
Contributor

Hey thank you for letting us know about this issue.

The documentation has now been updated: https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-securityhub


github-actions bot commented May 3, 2024

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.
