Skip to content

Fix CRLY.01173: Constrain IAM Permissions Management #44

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Fix CRLY.01173: Constrain IAM Permissions Management #44

wants to merge 1 commit into from

Conversation

curly-review[bot]
Copy link

@curly-review curly-review bot commented May 1, 2025

Issue Details

ID: CRLY.01173
Severity: MEDIUM
File: pipeline/cfn-deploypipeline-s3.yaml

Remediation Summary

Description

The IAM policy associated with the PipelineExecutionRole allows permissions management without constraints, which can lead to security risks. Specifically, the policy allows actions such as iam:PassRole, lambda:InvokeFunction, lambda:ListFunctions, and lambda:InvokeAsyc with a resource of *, which means any resource.

Steps

  1. Update the IAM Policy: Modify the IAM policy to restrict permissions management by specifying more precise resource constraints.

  2. Use IAM Policy Conditions: Add conditions to the IAM policy to ensure that permissions are only granted under specific circumstances.

Here is an example of how to update the IAM policy in the YAML file:

PipelineExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
      - !Ref CFNPipelinePolicy
    Policies:
      - PolicyName: CodePipelineAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - 'iam:PassRole'
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                - 'lambda:InvokeAsync'
              Effect: Allow
              Resource: 
                - arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME
              Condition:
                StringEquals:
                  aws:ResourceAccount: ACCOUNT_ID

Replace REGION, ACCOUNT_ID, and FUNCTION_NAME with the appropriate values for your use case.

  1. Deploy the Updated Template: After updating the IAM policy, redeploy the CloudFormation template using your preferred CI/CD tool or script.
aws cloudformation deploy --template-file pipeline/cfn-deploypipeline-s3.yaml --stack-name YOUR_STACK_NAME --capabilities CAPABILITY_NAMED_IAM

Replace YOUR_STACK_NAME and CAPABILITY_NAMED_IAM with the appropriate values for your stack and capabilities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants