‼️ NOTICE: eks overly permissive trust policies #25674
Labels
@aws-cdk/aws-eks
Related to Amazon Elastic Kubernetes Service
management/tracking
Issues that track a subject or multiple issues
p0
Comments
iliapolo
added
management/tracking
|
mergify bot
pushed a commit
to cdklabs/aws-cdk-notices
that referenced
this issue
May 23, 2023
Since there are two separate problems, introduced in two separate commits, issue two notices based on the affeceted versions. Note that we have no way of knowing if customers are actually impacted by the default masters role because we don't know if they pass the `mastersRole` property or not.
|
Documentation is not updated after this. It still says mastersRole is created by default. |
@storyalex thanks! will update promptly 👍 |
1 task
xiehan
added a commit
to hashicorp/cdktf-aws-cdk
that referenced
this issue
Aug 25, 2023
Because of a security vulnerability in `aws-cdk-lib` prior to version 2.80.0, we are increasing the minimum required version to v2.80. See GHSA-rx28-r23p-2qc3 for the full CVE and impacts. > ### Who is affected? > #### MastersRole > Users with CDK version higher or equal to [1.57.0](https://github.com/aws/aws-cdk/releases/tag/v1.57.0) (including v2 users) that are not specifying the `mastersRole` property. The role in question can be located in the IAM console. It will have the following name pattern: > ``` > *-MastersRole-* > ``` > #### CreationRole > Users with CDK version higher or equal to [1.62.0](https://github.com/aws/aws-cdk/releases/tag/v1.62.0) (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern: > ``` > *-ClusterCreationRole-* > ``` > ### Patches > The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to aws/aws-cdk#25674 for a detailed discussion of options. > > ### Workarounds > #### CreationRole > There is no workaround available for CreationRole. > > #### MastersRole > To avoid creating the default MastersRole, use the `mastersRole` property to explicitly provide a role. For example: > > ```ts > new eks.Cluster(this, 'Cluster', { > ... > mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') > }); > ``` ### References [aws/aws-cdk#25674](aws/aws-cdk#25674) If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via their [vulnerability reporting page](https://aws.amazon.com/security/vulnerability-reporting) or directly via email to aws-security@amazon.com. Closes #225
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Status
Resolved
What is the issue?
eks.Clusterandeks.FargateClusterconstructs create two roles that have an overly permissive trust policy.The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g
KubernetesManifest,HelmChart, ...) onto it.The second, referred to as the default MastersRole, is provisioned only if the
mastersRoleproperty isn't provided and has permissions to executekubectlcommands on the cluster.Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate
sts:AssumeRolepermissions to assume it. For example, this can happen if another role in your account hassts:AssumeRolepermissions onResource: "*"Error message
No error message will be presented to the customer.
What is the impact?
An identity with access to a role that has the appropriate
sts:AssumeRolepermission can gain greater than intended access to the cluster.Workaround
Until a fix is available, you can follow the below workarounds.
MastersRole
To avoid creating the default MastersRole, use the
mastersRoleproperty to explicitly provide a role. For example:CreationRole
There is no workaround available for CreationRole.
Who is affected?
MastersRole
Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the
mastersRoleproperty. The role in question can be located in the IAM console. It will have the following name pattern:*-MastersRole-*CreationRole
Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:
*-ClusterCreationRole-*How do I resolve this?
The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.
The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes.
MastersRole
If you relied on the default MastersRole, it will no longer be available and will require you to
explicitly provide it via the
mastersRoleproperty. To retain the previous behavior, you could do:However, this would still result in an overly permissive trust policy. We recommend specifying a stricter policy. See trust policies on how to use IAM trust policies.
CreationRole
The change in the CreationRole trust policy should be mostly transparent to you. One scenario in which it could cause disruption is when it is being used on imported clusters, like so, for example:
Previously, the lambda handlers created for the
KubectlProviderof the imported cluster were granted the appropriatests:AssumeRolepermissions, and since the CreationRole was using the account root principal, the handlers were able to assume it and executekubectlcommands. After the upgrade, the CreationRole no longer uses the account root principal, and will therefore not allow the new lambda handlers to assume it. The workaround differs based on whether you are creating a new stack, or updating an existing one.For Existing Stacks
For imported cluster in existing stacks to continue to work, you will need to add the role of the kubectl provider function to the trust policy of the cluster's admin role:
To locate the relevant ARN, find the Lambda function in the import stack that has the "onEvent handler for EKS kubectl resource provider" description and use its role ARN. Redeploy the cluster stack and everything should work, no changes to the import stack needed.
Alternatively, you can do the reverse and specify the
kubectlLambdaRoleproperty when importing the cluster to point to the role of the original kubectl provider:This will make it so the role of the new provider will be the same as the original provider, and as such, is already trusted by the creation role of the cluster.
For New Stacks
If you are importing the cluster in a new stack, you should reuse the entire
KubectlProviderof the cluster:This way, no additional lambda handlers are created, and therefore no additional permissions are required.
Note that this approach will not work for your existing resources because it causes a modification to the service token
of the custom resources, which isn't allowed.
Related issues
The text was updated successfully, but these errors were encountered: