IAM permission boundaries

This was originally about EKS, but we think there’s a general use case here to be able to specify an IAM permission boundary at the stack level and perhaps generally have Stack-level control over IAM roles/policies created within a stack.

See thread below.

When creating the cluster using “@aws-cdk/aws-eks” module, the CloudFormation template is generated with implicit lambda function. This lambda function is executing a python script for cluster creation. A lambda service role is also created. However, when permission boundary is enforced in AWS account, creation of lambda service role fails, as permission boundary will not be attached implicitly.

Provide an option to specify these roles explicitly.

Use Case

In some AWS tenancies, permission boundary can be enforced when creation any IAM roles. With this, implicit IAM roles cannot be created as they will not be attached with permission boundary.

In such AWS account, creation of EKS cluster using CDK fails as the lambda service role which is generated by CDK is not associated with permission boundary.

Proposed Solution

Specify permission boundary to be attached to implicit IAM roles that CDK creates

new eks.Cluster(this, "hello-eks", {
      clusterName: "test-eks-cdk",
      permissionBoundary: <ARN-OF-PERMISSION-BOUNDARY>
}

The permission boundary defined, will get assigned to the lambda IAM role.