You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
**NOTE:** This PR bumps the version of the bootstrap stack to `16`, but there is no need to update your bootstrap stacks, unless it is to get rid of the Security Hub finding; this change has no effect on the functionality of any CDK app deployed to the environment.
[Security Hub finding KMS.2](https://docs.aws.amazon.com/securityhub/latest/userguide/kms-controls.html#kms-2) says:
> The control fails if the policy is open enough to allow kms:Decrypt or kms:ReEncryptFrom actions on any arbitrary KMS key.
>
> [...]
>
> The control only checks KMS keys in the Resource element and doesn't take into account any conditionals in the Condition element of a policy.
This control is a "defense in depth" control. It does not mitigate any attack by itself, and there is no actual security impact from the current configuration of our policies. However, customers are anxious about the Security Hub findings reported on resources we create for them.
Therefore, we turn the `Resources: *` into a list of wildcard ARNs, one for each trusted account. This should satisify Security Hub without breaking the functionality of the bootstrap resources (as this statement is only used for cross-account CodePipeline deployments using CDK Pipelines).
The CloudFormation expression we use to turn a list of account IDs into a list of ARNs is quite crazy. To turn `['1111', '2222', '3333']` into `['arn:aws:kms:*:1111:*', 'arn:aws:kms:*:2222:*', 'arn:aws:kms:*:3333:*']` we do the following:
* Skip the entire statement if the list is empty
* Use the following equivalence if the list has at least one element (E1 cannot be expressed in CloudFormation but E2 can):
```
(E1) xs.map(x => PREFIX + x + SUFFIX).join(SEP)
<==> { assuming xs.length >= 1 }
(E2) PREFIX + xs.join(SUFFIX + SEP + PREFIX) + SUFFIX
```
* Finally split the string on the separator to come up with an array of elements.
I would have used `${AWS::Region}` instead of allowing all regions, but `{ Fn::Join }` doesn't allow using intrinsics in its separator.
I tested the new template using a CDK Pipeline that deploys in-region, cross-region, cross-account and cross-account-cross-region.
----
*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
0 commit comments