Fix CRLY.01176: Constrain IAM Write Access #43

Open
wants to merge 1 commit into base: master

Conversation

curly-review[bot]

@curly-review curly-review bot commented May 1, 2025

Issue Details

ID: CRLY.01176
Severity: HIGH
File: pipeline/cfn-deploypipeline-s3.yaml

Remediation Summary

Description

The IAM policy associated with the PipelineExecutionRole allows write access without constraints, which is a security risk. This policy should be updated to ensure that write access is constrained appropriately.

Steps

  1. Identify the IAM Policy: Locate the IAM policy attached to the PipelineExecutionRole in the cfn-deploypipeline-s3.yaml file.

  2. Modify the IAM Policy: Update the IAM policy to constrain write access. Specifically, remove or modify the Effect: Allow statement with Resource: '*' to ensure it only allows write access to specific resources.

  3. Update the CloudFormation Template: Modify the cfn-deploypipeline-s3.yaml file to include the updated IAM policy.

Here is an example of how you can update the IAM policy:

```yaml
PipelineExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
      - !Ref CFNPipelinePolicy
    Policies:
      - PolicyName: CodePipelineAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - 'iam:PassRole'
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                - 'lambda:InvokeAsync'
              Effect: Allow
              Resource:
                - arn:aws:s3:::my-bucket
                - arn:aws:lambda:*:*:function:my-function
```

In this example, replace arn:aws:s3:::my-bucket and arn:aws:lambda:*:*:function:my-function with the actual resource ARNs that should have access.

  4. Deploy the Updated Template: Use the AWS CLI or SDK to deploy the updated CloudFormation template.

```sh
aws cloudformation deploy --template-file pipeline/cfn-deploypipeline-s3.yaml --stack-name my-pipeline-stack --capabilities CAPABILITY_NAMED_IAM
```

By following these steps, you will ensure that the IAM policy does not allow write access without constraints, thereby improving the security of your AWS environment.
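A template check for the condition CRLY.01176 describes, added here as an example; it is not the curly-review bot's code nor part of this repository. It walks every `AWS::IAM::Role` in a CloudFormation template and reports inline Allow statements whose `Resource` is the bare wildcard `*` and whose actions are state-changing, and it also reports AWS managed `*FullAccess` policies attached through `ManagedPolicyArns`, since those grant writes on `*` regardless of how the inline policy is scoped. The two templates are constructed JSON equivalents of the YAML in the comment (the wildcard "before" and the remediated "after"); the bucket name, function name and `WRITE_VERBS` list are placeholders and assumptions of the example, and the verb list is deliberately not a complete inventory of IAM write actions.

```python
"""Flag IAM roles in a CloudFormation template that allow write actions on
Resource '*' or attach broad AWS managed policies.  Added example, not the
curly-review bot's code or the project's own; templates below are constructed."""
import json

# Verb prefixes treated as state-changing.  Constructed for the example and
# not an exhaustive list of IAM write actions.
WRITE_VERBS = ("Create", "Put", "Delete", "Update", "Invoke", "Pass",
               "Attach", "Detach", "Write", "Modify", "Run", "Start", "Stop")


def as_list(value):
    """IAM accepts either a string or a list for Action, Resource and Statement."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_write_action(action):
    """'s3:PutObject' -> True, 'lambda:ListFunctions' -> False; any '*' counts as a write."""
    if action == "*":
        return True
    _service, _, verb = action.partition(":")
    if verb in ("", "*"):
        return True
    return verb.startswith(WRITE_VERBS)


def find_unconstrained_writes(template):
    """Return (role, policy, detail) tuples for every unconstrained write grant."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        props = res.get("Properties", {})
        # AWS managed *FullAccess policies grant writes on '*' by definition,
        # so scoping the inline policy alone does not close the finding.
        for arn in as_list(props.get("ManagedPolicyArns")):
            if (isinstance(arn, str) and arn.startswith("arn:aws:iam::aws:policy/")
                    and arn.endswith("FullAccess")):
                findings.append((name, "ManagedPolicyArns", arn))
        for policy in as_list(props.get("Policies")):
            doc = policy.get("PolicyDocument", {})
            for stmt in as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                if "*" not in as_list(stmt.get("Resource")):
                    continue
                writes = [a for a in as_list(stmt.get("Action")) if is_write_action(a)]
                if writes:
                    findings.append((name, policy.get("PolicyName"), ",".join(writes)))
    return findings


def scan(template_json):
    """Parse a JSON-form CloudFormation template and run the check."""
    return find_unconstrained_writes(json.loads(template_json))


# Constructed "before" template: JSON form of the role in the comment, with
# the inline statement still granting Resource "*".
BEFORE_TEMPLATE = """{
  "Resources": {
    "PipelineExecutionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "ManagedPolicyArns": [
          "arn:aws:iam::aws:policy/AmazonS3FullAccess",
          {"Ref": "CFNPipelinePolicy"}
        ],
        "Policies": [{
          "PolicyName": "CodePipelineAccess",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
              "Action": ["iam:PassRole", "lambda:InvokeFunction",
                         "lambda:ListFunctions", "lambda:InvokeAsync"],
              "Effect": "Allow",
              "Resource": "*"
            }]
          }
        }]
      }
    }
  }
}"""

# Constructed "after" template: the same role with the resources scoped as in
# the comment's example (placeholder ARNs).
AFTER_TEMPLATE = BEFORE_TEMPLATE.replace(
    '"Resource": "*"',
    '"Resource": ["arn:aws:s3:::my-bucket", "arn:aws:lambda:*:*:function:my-function"]')

if __name__ == "__main__":
    for label, tpl in (("before", BEFORE_TEMPLATE), ("after", AFTER_TEMPLATE)):
        for role, where, detail in scan(tpl):
            print(f"{label}: {role} / {where}: {detail}")
```

Run against the "before" template the check reports both the wildcard inline statement and the managed policy; against the "after" template only the `AmazonS3FullAccess` attachment remains, which is the part of the role the comment's example leaves in place. A YAML template can be fed to the same functions once it is loaded with a parser that understands the short-form intrinsic tags such as `!Ref`.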
