Least Privilege Permissions to run cdk bootstrap

[sriharshakns]

Describe the feature

Provide either a List of necessary permissions in the docs or an AWS Managed Role to perform cdk bootstrap using the command "cdk bootstrap".

It is very difficult to comply with the principle of minimum least privilege when bootstrapping with CDK as all the operations and permissions needed are not clearly listed. The --show-template flag only shows the changes that are going to happen, but not the list of actions needed to produce those changes.

Use Case

To provide the User with the minimum required permissions to only run the "cdk bootstrap" command successfully.

Proposed Solution

I think it would be useful to have a clear list of minimum permissions needed to run the bootstrap or to have an AWS managed role with these permissions.

Other Information

I found that the User with the following policy attached is able to bootstrap the environment successfully. User credentials were given using "aws configure".

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplate"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
            "Effect": "Allow",
            "Sid": "CloudFormationPermissions"
        },
        {
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:policy/*",
                "arn:aws:iam::*:role/cdk-*"
            ]
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::cdk-*"
            ]
        },
        {
            "Action": [
                "ssm:DeleteParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:PutParameter"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
            ]
        },
        {
            "Action": [
                "ecr:CreateRepository",
                "ecr:DeleteRepository",
                "ecr:DescribeRepositories",
                "ecr:SetRepositoryPolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ecr:*:*:repository/cdk-*"
            ]
        }
    ]
}

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

CDK version used

2.39.1

Environment details (OS name and version, etc.)

Amazon Linux 2 (Cloud9 Environment)

[peterwoodworth]

This would be great for the getting started page and/or the bootstrapping page in our devguide @jerry-aws

I'm not sure how necessary all the permissions you've listed here are @sriharshakns, but thanks for the work you've put in for this so far! I don't think you'll need DeleteStack to bootstrap for instance

I'd like to add this information to the Developer Guide but I'll seek a more canonical answer from our core developers. I also need to make sure there's a process to ensure it doesn't go stale.

[mrgum]

Could we have a Aws managed Cdk bootstrap Core policy
and maybe a Trusted and TrustedForLookups role too? This would stop the common bad practice of using administrator

[adriantomas]

Recent versions of CDK now need cloudformation:DeleteChangeSet to bootstrap. Please can we prioritise this topic?

[rix0rrr]

Is everybody aware that this block:

        {
            "Action": [
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:policy/*",
                "arn:aws:iam::*:role/cdk-*"
            ]
        },

Effectively is a privilege escalation vector?

• It is not safe to give bootstrapping permissions to anyone other than an account administrator.
• Since it is only safe to give bootstrapping permissions to an account administrator, what is the value of locking it down?

[angelospanag]

At the time of writing this comment and with the most recent version of aws-cdk (2.85), I had to also add ecr:PutLifecyclePolicy and s3:PutLifecycleConfiguration to the policy described above from @sriharshakns.

So now the full policy becomes:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeChangeSet",
                "cloudformation:DescribeStackEvents",
                "cloudformation:DescribeStacks",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:GetTemplate"
            ],
            "Resource": "arn:aws:cloudformation:*:*:stack/CDKToolkit/*",
            "Effect": "Allow",
            "Sid": "CloudFormationPermissions"
        },
        {
            "Action": [
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:GetRole",
                "iam:AttachRolePolicy",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::*:policy/*",
                "arn:aws:iam::*:role/cdk-*"
            ]
        },
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketPolicy",
                "s3:DeleteBucketPolicy",
                "s3:PutBucketPublicAccessBlock",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutLifecycleConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::cdk-*"
            ]
        },
        {
            "Action": [
                "ssm:DeleteParameter",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:PutParameter"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ssm:*:*:parameter/cdk-bootstrap/*"
            ]
        },
        {
            "Action": [
                "ecr:CreateRepository",
                "ecr:DeleteRepository",
                "ecr:DescribeRepositories",
                "ecr:SetRepositoryPolicy",
                "ecr:PutLifecyclePolicy"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:ecr:*:*:repository/cdk-*"
            ]
        }
    ]
}