chore(scheduler-alpha-targets): raise awareness for default policy risk (#33003)

samson-keung · web-flow · commit fa2327d41da7 · 2025-01-20T19:13:29.000Z
### Issue # (if applicable) N/A. ### Reason for this change Raise awareness on the `*` used for resources in the default policy in the `Universal` target class. ### Description of changes README updates and added a new warning. ### Describe any new or updated permissions being added None ### Description of how you validated changes Unit tests. ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md b/packages/@aws-cdk/aws-scheduler-targets-alpha/README.md
@@ -316,7 +316,7 @@ new Schedule(this, 'Schedule', {
 
 ## Invoke a wider set of AWS API
 
-Use the `Universal` target to invoke AWS API.
+Use the `Universal` target to invoke AWS API. See https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html
 
 The code snippet below creates an event rule with AWS API as the target which is
 called at midnight every day by EventBridge Scheduler.
@@ -339,9 +339,9 @@ new Schedule(this, 'Schedule', {
 
 The `service` must be in lowercase and the `action` must be in camelCase.
 
-By default, an IAM policy for the Scheduler is extracted from the API call.
-
-You can control the IAM policy for the Scheduler by specifying the `policyStatements` property.
+By default, an IAM policy for the Scheduler is extracted from the API call. The action in the policy is constructed using the `service` and `action` prop.
+Re-using the example above, the action will be `rds:stopDBCluster`. Note that not all IAM actions follow the same pattern. In such scenario, please use the
+`policyStatements` prop to override the policy:
 
 ```ts
 new Schedule(this, 'Schedule', {
@@ -362,3 +362,6 @@ new Schedule(this, 'Schedule', {
   }),
 });
 ```
+
+> Note: The default policy uses `*` in the resources field as CDK does not have a straight forward way to auto-discover the resources permission required.
+> It is recommended that you scope the field down to specific resources to have a better security posture.
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/universal.ts
@@ -1,5 +1,5 @@
 import { IScheduleTarget } from '@aws-cdk/aws-scheduler-alpha';
-import { Aws, Token } from 'aws-cdk-lib';
+import { Annotations, Aws, Token } from 'aws-cdk-lib';
 import { IRole, PolicyStatement } from 'aws-cdk-lib/aws-iam';
 import { awsSdkToIamAction } from 'aws-cdk-lib/custom-resources/lib/helpers-internal';
 import { ScheduleTargetBase, ScheduleTargetBaseProps } from './target';
@@ -95,6 +95,8 @@ export class Universal extends ScheduleTargetBase implements IScheduleTarget {
 
   protected addTargetActionToRole(role: IRole): void {
     if (!this.props.policyStatements?.length) {
+      Annotations.of(role).addWarningV2('@aws-cdk/aws-scheduler-alpha:defaultWildcardResourcePolicy',
+        'Default policy with * for resources is used. Use custom policy for better security posture.');
       role.addToPrincipalPolicy(new PolicyStatement({
         actions: [awsSdkToIamAction(this.props.service, this.props.action)],
         resources: ['*'],
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/universal.test.ts
@@ -1,7 +1,7 @@
 import * as scheduler from '@aws-cdk/aws-scheduler-alpha';
 import { Group } from '@aws-cdk/aws-scheduler-alpha';
 import { App, Duration, Stack } from 'aws-cdk-lib';
-import { Template } from 'aws-cdk-lib/assertions';
+import { Annotations, Template } from 'aws-cdk-lib/assertions';
 import * as iam from 'aws-cdk-lib/aws-iam';
 import * as sqs from 'aws-cdk-lib/aws-sqs';
 import { Universal } from '../lib/universal';
@@ -105,6 +105,11 @@ describe('Universal schedule target', () => {
         ],
       },
     });
+
+    Annotations.fromStack(stack).hasWarning(
+      '*',
+      'Default policy with * for resources is used. Use custom policy for better security posture. [ack: @aws-cdk/aws-scheduler-alpha:defaultWildcardResourcePolicy]',
+    );
   });
 
   test('creates IAM policy for provided IAM role', () => {
