Fix CRLY.01173: Constrain IAM Permissions Management #41

Open
curly-review[bot] wants to merge 1 commit into master from curly/fix-crly.01173-cfn-deploypipeline-github-1248c7
Conversation


curly-review[bot] commented May 1, 2025

Issue Details

ID: CRLY.01173
Severity: MEDIUM
File: pipeline/cfn-deploypipeline-github.yaml


Remediation Summary

Description

The security finding indicates that the IAM policy attached to the PipelineExecutionRole allows permissions management without any constraints. This can lead to potential security risks as it permits unrestricted access to IAM permissions.

Steps

  1. Identify the Policy: Locate the policy in the IAM role that allows unrestricted permissions management.
  2. Modify the Policy: Update the policy to include constraints to limit permissions management capabilities.

Here is an example of how you can modify the policy to restrict permissions management:

PipelineExecutionRole:
  Type: AWS::IAM::Role
  Properties:
    # Trust policy: only CodePipeline may assume this role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Action:
            - 'sts:AssumeRole'
          Effect: Allow
          Principal:
            Service:
              - codepipeline.amazonaws.com
    Path: /
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
      - !Ref CFNPipelinePolicy
    Policies:
      - PolicyName: CodePipelineAccess
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - 'lambda:InvokeFunction'
                - 'lambda:ListFunctions'
                - 'lambda:InvokeAsync'
              Effect: Allow
              Resource: '*'
            - Action:
                - 'iam:PassRole'
              Effect: Allow
              # Constrained: only this role's ARN may be passed, not '*'
              Resource:
                - !GetAtt SomeSpecificRole.Arn

In this example, the iam:PassRole action is constrained to a specific role (SomeSpecificRole). You should replace SomeSpecificRole with the actual ARN of the role you want to allow passing to.

Note: This is just an example, and you should tailor the constraints to your specific use case and security requirements.
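As an added illustration of the two remediation steps above (identify the unconstrained statement, then constrain it), and not code from the bot, the curly-review tool, or this repository: a small Python checker that walks the parsed, JSON-style form of a CloudFormation template, reports Allow statements that grant permissions-management IAM actions with a wildcard resource and no Condition, and rewrites the flagged statement's Resource. The action list, both templates, the policy name and the logical ID SomeSpecificRole are constructed for the example; it ignores trust policies (AssumeRolePolicyDocument) and NotAction statements.

```python
"""Added example: find and constrain unconstrained IAM permissions-management
statements in a parsed CloudFormation template. Not the repository's code."""
import copy
import fnmatch

# Assumption: an illustrative set of IAM actions that grant, change, or let a
# principal pass permissions. iam:PassRole is included because the finding
# above targets it; extend the tuple to match your scanner's definition.
PERMISSIONS_MANAGEMENT_ACTIONS = (
    "iam:PassRole", "iam:AttachRolePolicy", "iam:AttachUserPolicy",
    "iam:AttachGroupPolicy", "iam:PutRolePolicy", "iam:PutUserPolicy",
    "iam:PutGroupPolicy", "iam:CreatePolicy", "iam:CreatePolicyVersion",
    "iam:SetDefaultPolicyVersion", "iam:UpdateAssumeRolePolicy",
)


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def matched_actions(actions):
    """Permissions-management actions granted by an Action element, expanding
    wildcards such as 'iam:*' or '*'. Non-string entries (intrinsics) are skipped."""
    granted = set()
    for pattern in _as_list(actions):
        if isinstance(pattern, str):
            granted.update(a for a in PERMISSIONS_MANAGEMENT_ACTIONS
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return sorted(granted)


def is_unconstrained(statement):
    """True when the statement applies to every resource and has no Condition.
    A missing Resource is treated as '*'; any Condition counts as a constraint."""
    resources = _as_list(statement.get("Resource"))
    wildcard = not resources or any(r == "*" for r in resources if isinstance(r, str))
    return wildcard and not statement.get("Condition")


def _inline_policies(resource):
    """Yield (policy name, policy document) for the IAM resource types that carry
    a PolicyDocument. Trust policies (AssumeRolePolicyDocument) are out of scope."""
    props = resource.get("Properties", {})
    rtype = resource.get("Type")
    if rtype in ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group"):
        for pol in _as_list(props.get("Policies")):
            yield pol.get("PolicyName", "<unnamed>"), pol.get("PolicyDocument", {})
    elif rtype in ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy"):
        name = props.get("PolicyName") or props.get("ManagedPolicyName") or "<unnamed>"
        yield name, props.get("PolicyDocument", {})


def find_unconstrained_permissions_management(template):
    """One finding per Allow statement that grants a permissions-management action
    without a resource or condition constraint. NotAction statements are skipped."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for policy_name, doc in _inline_policies(resource):
            for idx, stmt in enumerate(_as_list(doc.get("Statement"))):
                if stmt.get("Effect") != "Allow" or "NotAction" in stmt:
                    continue
                actions = matched_actions(stmt.get("Action"))
                if actions and is_unconstrained(stmt):
                    findings.append({"resource": logical_id, "policy": policy_name,
                                     "statement": idx, "actions": actions})
    return findings


def constrain_statement(template, finding, resources):
    """Copy of the template with the flagged statement's Resource replaced by the
    given ARNs or intrinsic expressions, e.g. {"Fn::GetAtt": [...]}."""
    fixed = copy.deepcopy(template)
    for name, doc in _inline_policies(fixed["Resources"][finding["resource"]]):
        if name == finding["policy"]:
            _as_list(doc["Statement"])[finding["statement"]]["Resource"] = list(resources)
    return fixed


# Constructed "before" template: iam:PassRole on Resource '*' (the finding) next
# to a Lambda statement that is wildcard but not permissions management.
BEFORE_TEMPLATE = {"Resources": {"PipelineExecutionRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "CodePipelineAccess",
        "PolicyDocument": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Resource": "*",
             "Action": ["lambda:InvokeFunction", "lambda:ListFunctions"]},
            {"Effect": "Allow", "Resource": "*", "Action": ["iam:PassRole"]},
        ]},
    }]},
}}}

# The fix applied: only the hypothetical SomeSpecificRole may be passed. This is
# the JSON form of the YAML `!GetAtt SomeSpecificRole.Arn`.
FIXED_TEMPLATE = constrain_statement(
    BEFORE_TEMPLATE,
    find_unconstrained_permissions_management(BEFORE_TEMPLATE)[0],
    [{"Fn::GetAtt": ["SomeSpecificRole", "Arn"]}],
)

if __name__ == "__main__":
    for f in find_unconstrained_permissions_management(BEFORE_TEMPLATE):
        print("before:", f)
    print("after:", find_unconstrained_permissions_management(FIXED_TEMPLATE))
```

Run as a script it prints the single PassRole finding for the "before" template and an empty list after the constraint is applied. To use it against a real template, parse the YAML with a loader that understands the CloudFormation intrinsic tags (!Ref, !GetAtt, !Sub) into their Fn:: dictionary form; the checker deliberately treats any non-string Resource entry as a constraint, so an unresolved intrinsic is never mistaken for '*'.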
