chore(deps): update dependency aws-cdk-lib to v2.80.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
aws-cdk-lib (source)	2.76.0 -> 2.80.0

GitHub Vulnerability Alerts

CVE-2023-35165

If you are using the eks.Cluster or eks.FargateCluster construct we need you to take action. Other users are not affected and can stop reading.

Impact

The AWS Cloud Development Kit (CDK) allows for the definition of Amazon Elastic Container Service for Kubernetes (EKS) clusters. eks.Cluster and eks.FargateCluster constructs create two roles that have an overly permissive trust policy.

The first, referred to as the CreationRole, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g KubernetesManifest, HelmChart, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) will be affected.

The second, referred to as the default MastersRole, is provisioned only if the mastersRole property isn't provided and has permissions to execute kubectl commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) will be affected.

Both these roles use the account root principal in their trust policy, which allows any identity in the account with the appropriate sts:AssumeRole permissions to assume it. For example, this can happen if another role in your account has sts:AssumeRole permissions on Resource: "*".

CreationRole

Users with CDK version higher or equal to 1.62.0 (including v2 users). The role in question can be located in the IAM console. It will have the following name pattern:

*-ClusterCreationRole-* 

MastersRole

Users with CDK version higher or equal to 1.57.0 (including v2 users) that are not specifying the mastersRole property. The role in question can be located in the IAM console. It will have the following name pattern:

*-MastersRole-*

Patches

The issue has been fixed in versions v1.202.0, v2.80.0. We recommend you upgrade to a fixed version as soon as possible. See Managing Dependencies in the CDK Developer Guide for instructions on how to do this.

The new versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. This introduces some breaking changes that might require you to perform code changes. Refer to https://github.com/aws/aws-cdk/issues/25674 for a detailed discussion of options.

Workarounds

CreationRole

There is no workaround available for CreationRole.

MastersRole

To avoid creating the default MastersRole, use the mastersRole property to explicitly provide a role. For example:

new eks.Cluster(this, 'Cluster', { 
  ... 
  mastersRole: iam.Role.fromRoleArn(this, 'Admin', 'arn:aws:iam::xxx:role/Admin') 
}); 

References

https://github.com/aws/aws-cdk/issues/25674

If you have any questions or comments about this advisory we ask that you contact AWS/Amazon Security via our vulnerability reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.

---

Release Notes

aws/aws-cdk (aws-cdk-lib)

v2.80.0

Compare Source

⚠ BREAKING CHANGES

• eks: A masters role is no longer provisioned by default. Use the mastersRole property to explicitly pass a role that needs cluster access. In addition, the creation role no longer allows any identity (with the appropriate sts:AssumeRole permissions) to assume it.

Features

• apigateway: add grantExecute to API Methods (#​25630) (ecb59fd)
• appmesh: access log format support for app mesh (#​25229) (c4b00be)
• appsync: Add Private API support when creating a GraphqlApi (#​25569) (d7e263d)
• cfnspec: cloudformation spec v122.0.0 (#​25555) (5ccc569)
• cli: assets can now depend on stacks (#​25536) (25d5d60)
• cli: logging can be corked (#​25644) (0643020), closes #​25536
• codepipeline-actions: add KMSEncryptionKeyARN for S3DeployAction (#​24536) (b60876f), closes #​24535
• eks: alb controller include versions 2.4.2 - 2.5.1 (#​25330) (83c4c36), closes #​25307
• msk: Kafka version 3.4.0 (#​25557) (6317518), closes #​25522
• scheduler: schedule expression construct (#​25422) (97a698e)

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25540) (8854739), closes /github.com/aws/aws-cdk/issues/19380#issuecomment-1512009270 #​25272 #​25273 #​25507
• eks: overly permissive trust policies (#​25473) (51f0193). We would like to thank @​twelvemo and @​stefreak for reporting this issue.

---

Alpha modules (2.80.0-alpha.0)

v2.79.1

Compare Source

Bug Fixes

• bootstrap: bootstrap doesn't work in non-aws partitions anymore (revert security hub finding fix) (#​25272) (4c4014e)

---

Alpha modules (2.79.1-alpha.0)

v2.79.0

Compare Source

Features

• cfnspec: cloudformation spec v121.0 (#​25499) (c2ef657)
• ecr: grantRead on repositories (#​25445) (ce7bdea)
• logs: support DataProtectionPolicy in LogGroup construct (#​23402) (ed3962a), closes #​23399

Bug Fixes

• batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25466) (b3d0d57), closes #​25250
• cfn2ts: doesn't handle property types with the same type as a primitive type (#​25460) (b76c182), closes aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1437-L1442 aws-cdk/cfnspec/spec-source/specification/000_cfn/000_official/000_AWS_IoT.json#L1727-L1742 #​22732
• core: crossRegionReferences don't work across multiple regions (#​25384) (65265e1), closes #​25190 #​25377
• dynamodb: fix hardcoded partition in replica-provider IAM policy (#​25428) (b5b4f66), closes #​25407
• elasticloadbalancingv2: ALB auth return internal server error (#​24510) (75212eb), closes #​21939 #​19035 #​18944
• servicecatalogappregistry: Revert deprecated method removing PR to keep deprecated method in alpha version (#​25454) (b20b1f2)

---

Alpha modules (2.79.0-alpha.0)

Bug Fixes

• servicecatalogappregistry: Revert deprecated method to keep deprecated method in alpha version (b20b123)
• batch: JobDefinition's ContainerDefinition's Image is synthesized with [Object object] (#​25250) (b3d0d57)

v2.78.0

Compare Source

Features

• appsync: L2 construct for EventBridge DataSource. (#​25369) (a0ad49d), closes #​24809
• cfnspec: cloudformation spec v120.0.0 (#​25354) (9096602)
• codebuild: add support for aws/codebuild/amazonlinux2-aarch64-standard:3.0 (#​25351) (0d187c1), closes #​25334
• ec2: Prefixlist Constructs (#​25252) (b2dfac0), closes #​24714
• ec2: restrict access to default security group (under feature flag) (#​25297) (d8272ef), closes /docs.aws.amazon.com/securityhub/latest/userguide/ec2-controls.html#ec2-2 #​19394
• events: Validate events rule name (#​25366) (5bdb012), closes #​25352
• rds: add missing PerformanceInsightRetention options (#​25347) (1dbae20)

Bug Fixes

• api-gateway: add validation to variables property on Stage resource (#​25267) (04427e3), closes #​3635
• apigateway: cannot use requestValidatorOptions multiple times (under feature flag) (#​25324) (2a49fd1), closes #​7613
• batch: ManagedEc2EcsComputeEnvironment instance role missing managed policy (#​25279) (c81d115), closes #​25256
• batch: JobQueue uses wrong id for underlying CfnJobQueue (#​25269) (4cbb790), closes #​25248
• core: output folder checksum is computed unnecessarily (#​25392) (f2294ba)
• ecs: Allow scheduling DAEMON services even if no EC2 capacity attached to cluster (#​25306) (#​25328) (96bb8ce)
• elasticloadbalancingv2: the bucket policy for ELB access logging is too permissive (#​25345) (748e685), closes /docs.aws.amazon.com/securityhub/latest/userguide/s3-controls.html#s3-6
• iam: Role.fromRoleName fails on AWS created roles (#​25389) (4c9ce9b)
• integ-tests: allow multiple AwsApiCalls with the same action and different parameters (#​25241) (75967e1), closes #​25014
• s3-deployment: doesn't work in ADC regions (#​25363) (432af34)
• dns-validated-cert cr doesn't use node16 (#​25348) (ad71026), closes #​25335

---

Alpha modules (2.78.0-alpha.0)

v2.77.0

Compare Source

Features

• custom-resource: upgrade builtin custom resource runtime version to Node 16 (#​24916) (6f7c4b5)
• custom-resource: expose removalPolicy (#​25235) (79881c5), closes #​25220
• ecs-patterns: Tagging support for scheduled tasks (#​25222) (6da4eba), closes #​23838 #​25106
• eks: support for Kubernetes version 1.26 (#​25088) (792e3f2), closes #​25087
• lambda: Java 17 runtime (#​25240) (5573025)
• lambda-event-sources: Add eventsourceMappingArn to IEventSourceMapping (#​24991) (ecd7374), closes #​24801
• pipelines: added logging as option for codeBuildDefaults prop on CodePipeline construct (#​25266) (d479b4d), closes #​22045 #​22045
• s3-deployment: implement new signContent option (#​24713) (5a836cb), closes #​24711
• stepfunctions-tasks: add elasticmapreduce:AddTags permission for EmrCreateCluster state with tags (#​24856) (81beab3), closes #​24842

Bug Fixes

• cli: diff doesn't display paths for removed resources (#​25294) (9bf63ed)
• pipelines: CodeBuild Action role can be assumed by too many identities (#​25316) (90cb79f)
• log buckets don't have acls enabled (#​25303) (0e9440b), closes #​25288
• apigatewayv2: does not work in non-aws partition (#​25284) (706dc89)
• appmesh: add missing port property (#​25112) (925c9ba), closes #​22452
• backup: BackupVault.fromBackupVaultArn parses wrong arn format (#​25259) (c2082a7), closes #​25212
• batch: jobDefinitionName returns ARN instead of name (#​25207) (3ea6062), closes #​25197
• bootstrap: add previous-parameters option to bootstrap command (#​25219) (02e8758), closes #​23780
• cloudfront: can't create the default log bucket (#​25298) (0eb25f2), closes /docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html#access-logs-choosing-s3 #​25288 #​25291
• core: crossRegionReferences doesn't work when exporting to multiple regions (#​25190) (89b26b8), closes #​24464
• custom-resources: State functionActiveV2 not found (#​25228) (13a230e), closes #​24358
• eks: Allow helm pull from non-ECR OCI repositories (#​25237) (27da99e), closes #​24710
• eks: policy does not exist or is not attachable in China and GovCloud regions (#​25215) (ea65415), closes #​24358 #​24696
• elasticloadbalancingv2: ALB listeners with multiple forwardi… (#​25005) (512f64e), closes #​24805
• elasticloadbalancingv2: can not set sessionTimeout (#​24457) (cefbb33), closes #​12843 #​21768
• rds: Correct ARN in IAM policy for IAM database access (#​25141) (227ea09), closes #​12416 #​11851

---

Alpha modules (2.77.0-alpha.0)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Oslo, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks