Conversation

@curly-review curly-review bot commented May 1, 2025

Issue Details

ID: CRLY.01176
Severity: HIGH
File: pipeline/cfn-deploypipeline-github.yaml


Remediation Summary

Description

The IAM policy associated with the PipelineExecutionRole allows unrestricted write access, which is a security risk. This policy should be updated to constrain write access to only necessary resources.

Steps

  1. Identify the IAM Policy: Locate the PolicyDocument within the Policies section of the PipelineExecutionRole.

  2. Update the Policy: Modify the PolicyDocument to restrict write actions to specific resources. Below is an example of how you can update the policy to restrict iam:PassRole and lambda:InvokeFunction actions to specific resources.

    PipelineExecutionRole:
      Type: AWS::IAM::Role
      Properties:
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Action:
                - 'sts:AssumeRole'
              Effect: Allow
              Principal:
                Service:
                  - codepipeline.amazonaws.com
        Path: /
        ManagedPolicyArns:
          - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
          - !Ref CFNPipelinePolicy
        Policies:
          - PolicyName: CodePipelineAccess
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Action:
                    - 'iam:PassRole'
                    - 'lambda:InvokeFunction'
                    - 'lambda:ListFunctions'
                    - 'lambda:InvokeAsync'
                  Effect: Allow
                  Resource:
                    - arn:aws:iam::123456789012:role/specific-role
                    - arn:aws:lambda:us-east-1:123456789012:function:specific-function
  3. Deploy the Updated Template: After updating the policy, redeploy the CloudFormation template to apply the changes.

    aws cloudformation deploy --template-file pipeline/cfn-deploypipeline-github.yaml --stack-name your-stack-name

By following these steps, you will ensure that the IAM policy does not allow write access without constraints, thereby improving the security of your AWS environment.
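The finding above boils down to one check: an Allow statement that grants write actions (such as iam:PassRole or lambda:InvokeFunction) while its Resource is the bare wildcard "*". The script below is an added example, not the curly-review bot's own detection logic and not code from this repository; it runs that check over a CloudFormation template that has already been parsed into a Python dict (with PyYAML and a `!Ref`-aware loader you would get the same structure from the real file). The two templates it scans are constructed, trimmed-down versions of the PipelineExecutionRole: one with `Resource: "*"` and one scoped to the two ARNs shown in the comment. Intrinsic functions (`!Ref`, `!Sub`) parse as dicts and are assumed to be scoped, so they are not flagged.

```python
"""Flag IAM policy statements in a CloudFormation template that grant
write actions on Resource "*" (added example; not the bot's or the project's code)."""
from typing import Any

# Action verbs that only read; any other verb (or a wildcard) counts as a write.
READ_PREFIXES = ("Get", "List", "Describe", "Head", "Lookup")


def _as_list(value: Any) -> list:
    """Normalise IAM fields that may be a scalar or a list (Action, Resource, Statement)."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_write_action(action: str) -> bool:
    """'iam:PassRole' and 's3:*' are writes; 'lambda:ListFunctions' is read-only."""
    if action == "*":
        return True
    _, _, verb = action.partition(":")
    return verb.startswith("*") or not verb.startswith(READ_PREFIXES)


def is_unrestricted(resource: Any) -> bool:
    """True only for the bare wildcard string; dicts (!Ref/!Sub) are assumed scoped."""
    return isinstance(resource, str) and resource == "*"


def find_unrestricted_writes(template: dict) -> list:
    """Return one finding per inline policy statement that allows writes on '*'."""
    findings = []
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in _as_list(res.get("Properties", {}).get("Policies")):
            doc = policy.get("PolicyDocument", {})
            for stmt in _as_list(doc.get("Statement")):
                if stmt.get("Effect") != "Allow":
                    continue
                if not any(is_unrestricted(r) for r in _as_list(stmt.get("Resource"))):
                    continue
                writes = [a for a in _as_list(stmt.get("Action")) if is_write_action(a)]
                if writes:
                    findings.append(
                        {"role": logical_id, "policy": policy.get("PolicyName"), "actions": writes}
                    )
    return findings


def make_template(resource: Any) -> dict:
    """Constructed sample: a trimmed PipelineExecutionRole whose Resource element varies."""
    return {
        "Resources": {
            "PipelineExecutionRole": {
                "Type": "AWS::IAM::Role",
                "Properties": {
                    "Policies": [
                        {
                            "PolicyName": "CodePipelineAccess",
                            "PolicyDocument": {
                                "Version": "2012-10-17",
                                "Statement": [
                                    {
                                        "Action": [
                                            "iam:PassRole",
                                            "lambda:InvokeFunction",
                                            "lambda:ListFunctions",
                                            "lambda:InvokeAsync",
                                        ],
                                        "Effect": "Allow",
                                        "Resource": resource,
                                    }
                                ],
                            },
                        }
                    ]
                },
            }
        }
    }


# Before the fix: write actions on every resource in the account.
WEAK_TEMPLATE = make_template("*")
# After the fix: the same actions scoped to the ARNs from the remediation example.
FIXED_TEMPLATE = make_template(
    [
        "arn:aws:iam::123456789012:role/specific-role",
        "arn:aws:lambda:us-east-1:123456789012:function:specific-function",
    ]
)

if __name__ == "__main__":
    for name, tpl in (("weak", WEAK_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        print(name, find_unrestricted_writes(tpl))
```

The read-only prefix list is deliberately short; a stricter scanner would flag every statement whose Resource is `*`, regardless of verb, and treat `NotResource` and `NotAction` as findings in their own right.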
