Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

RFC: missing security-impacting changes from cdk diff "scrutiny report"

See original GitHub issue

How's our driving?

Summary

CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you’re making changes that are potentially security-sensitive. You will see a prompt that looks like this:

This deployment will make potentially sensitive changes.
Please confirm you intend to make the following modifications:

IAM Statement Changes
┌───┬─────────────────────────┬────────┬───────────────────────┬──────────────────────────────┬─────────────────────────────────┐
│   │ Resource                │ Effect │ Action                │ Principal                    │ Condition                       │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo}                 │ Allow  │ lambda:InvokeFunction │ Service:sns.amazonaws.com    │ "ArnLike": {                    │
│   │                         │        │                       │                              │   "AWS:SourceArn": "${MyTopic}" │
│   │                         │        │                       │                              │ }                               │
├───┼─────────────────────────┼────────┼───────────────────────┼──────────────────────────────┼─────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ Allow  │ sts:AssumeRole        │ Service:lambda.amazonaws.com │                                 │
└───┴─────────────────────────┴────────┴───────────────────────┴──────────────────────────────┴─────────────────────────────────┘
IAM Policy Changes
┌───┬─────────────────────────┬────────────────────────────────────────────────────────────────────────────────┐
│   │ Resource                │ Managed Policy ARN                                                             │
├───┼─────────────────────────┼────────────────────────────────────────────────────────────────────────────────┤
│ + │ ${Echo/ServiceRole.Arn} │ arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole │
└───┴─────────────────────────┴────────────────────────────────────────────────────────────────────────────────┘

Do you wish to deploy these changes (y/n)?

Request for comments

Please use this GitHub issue to let us know how this feature is working out for you. Is the diff correct? Is CDK identifying the right changes? Anything else you’d like to tell us?

Issue Analytics

State:
Created 5 years ago
Reactions:29
Comments:13 (5 by maintainers)

Top GitHub Comments

28reactions

davidbarskycommented, May 20, 2019

@insanitybit cdk deploy --require-approval=never might resolve your issue.

3reactions

emanseravcommented, Oct 29, 2019

“CDK libraries you depend on may affect your security posture. In order to increase confidence in stacks generated the CDK, we will attempt to identify when you’re making changes that are potentially security-sensitive. You will see a prompt that looks like this:”

My concern is more general than security related ( I am thinking to ask here 1st, maybe I am missing something ): I’ve just noticed that cdk diff is not displaying the ChangeSet in the AWS CF Console. Why ? Any reason for that ? ( seeing the ChangeSet in AWS CF Console history is too late with cdk deploy)

I like seeing the changes in console using cdk diff but they should be identical to what I should be visualising in AWS CF ChangeSet before applying them. Are they identical ?

oups - just noticed this has been closed …