
CDK Example: How to grant least privilege permission to a Secret from a sample Lambda #784

Open
1 of 2 tasks
agairola opened this issue Dec 19, 2022 · 0 comments
Labels
feature-request A feature should be added or improved. language/typescript Related to Typescript examples p2

Comments

@agairola

Describe the feature

Writing KMS key policies can be complex because they can contain multiple statements that specify different permissions for different users and services. This can make it challenging for developers to understand the overall permissions granted by the policy, especially if the policy is long or contains many statements. Overall, creating a key policy for KMS requires a thorough understanding of the policy syntax, the different permissions and actions that can be specified, and how to effectively combine these elements to create a policy that meets the needs of your organization.

To solve this, a common pattern that I have used is an effective way to grant least privilege permission to a sample Lambda execution role using the grantRead CDK method and a kms:ViaService condition.

Use Case

Developers are not always happy when they have to write least privilege IAM or KMS policies because it can be a time-consuming and tedious process. These policies are designed to limit access to resources and privileges within an organization's AWS account, which is important for security and compliance purposes. However, implementing these policies often requires a thorough understanding of the specific permissions and resources that are needed for an application or service to function properly, as well as a clear understanding of the organization's security and compliance requirements. This can be challenging for developers, particularly if they are not familiar with the organization's security and compliance policies or if they are working on a project with complex permissions requirements. Additionally, writing least privilege policies may require developers to make trade-offs between security and convenience, which can be frustrating and may require additional time and effort to get right.

Proposed Solution

I am proposing to build a CDK sample in Typescript that illustrates how to build an efficient way of implementing a least privilege KMS policy for AWS services. I have the code for this solution written and tested and will fork the repository to PR my solution.

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

Language

Typescript
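The pattern the issue describes has two pieces: an identity policy on the Lambda execution role that allows reading exactly one secret, and a statement on the customer-managed KMS key that lets that role call kms:Decrypt only when the request arrives through Secrets Manager (the kms:ViaService condition). In CDK, as far as I understand it, the first piece is what `secret.grantRead(fn)` adds, and the second is what a grant through `kms.ViaServicePrincipal` on the secret's `encryptionKey` produces. The block below is an added example, not the issue author's code and not from the repository; it does not use aws-cdk-lib at all. It is a small IAM-style evaluator that encodes the two statements and shows which requests they allow and which they implicitly deny. All ARNs, the region, the account ID and the role and secret names are constructed placeholders.

```typescript
// Added example (not the issue author's code, and it does not use aws-cdk-lib):
// a minimal IAM-style evaluator showing the two policy pieces that the
// "grantRead + kms:ViaService" pattern relies on, and why each matters.
// Every ARN, region, account and name below is a constructed placeholder.

interface Statement {
  Sid?: string;
  Effect: "Allow" | "Deny";
  Principal?: { AWS: string };       // only resource-based policies (the key policy) name a principal
  Action: string[];
  Resource: string[];                // "*" in a key policy means "this key"
  Condition?: { StringEquals?: Record<string, string> };
}

interface Request {
  principal: string;                 // ARN of the calling role
  action: string;                    // e.g. "kms:Decrypt"
  resource: string;                  // ARN being accessed
  context: Record<string, string>;   // condition keys present on the request
}

const REGION = "us-east-1";
const ACCOUNT = "111122223333";
const ROLE_ARN = `arn:aws:iam::${ACCOUNT}:role/sample-lambda-role`;
const SECRET_ARN = `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:app/db-AbCdEf`;
const OTHER_SECRET_ARN = `arn:aws:secretsmanager:${REGION}:${ACCOUNT}:secret:other/db-XyZ123`;
const KEY_ARN = `arn:aws:kms:${REGION}:${ACCOUNT}:key/11111111-2222-3333-4444-555555555555`;
const SECRETS_MANAGER_SERVICE = `secretsmanager.${REGION}.amazonaws.com`;

// Identity policy attached to the Lambda execution role: read exactly one secret.
const roleIdentityPolicy: Statement[] = [
  {
    Sid: "ReadOneSecret",
    Effect: "Allow",
    Action: ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
    Resource: [SECRET_ARN],
  },
];

// Key policy on the customer-managed KMS key that encrypts the secret: the role
// may decrypt, but only when the call is made on its behalf by Secrets Manager
// in this region. A direct kms:Decrypt from the Lambda code does not match.
const keyPolicy: Statement[] = [
  {
    Sid: "DecryptOnlyViaSecretsManager",
    Effect: "Allow",
    Principal: { AWS: ROLE_ARN },
    Action: ["kms:Decrypt"],
    Resource: ["*"],
    Condition: { StringEquals: { "kms:ViaService": SECRETS_MANAGER_SERVICE } },
  },
];

// Simplification: a statement without Principal is treated as an identity
// policy attached to the calling role; real IAM also checks that attachment.
function statementApplies(s: Statement, req: Request): boolean {
  if (s.Principal && s.Principal.AWS !== req.principal) return false;
  if (s.Action.indexOf(req.action) === -1) return false;
  if (!s.Resource.some((r) => r === "*" || r === req.resource)) return false;
  const equals = (s.Condition && s.Condition.StringEquals) || {};
  for (const key in equals) {
    // StringEquals fails when the context key is absent from the request.
    if (req.context[key] !== equals[key]) return false;
  }
  return true;
}

function evaluate(policies: Statement[][], req: Request): "Allow" | "Deny" {
  let allowed = false;
  for (const policy of policies) {
    for (const s of policy) {
      if (!statementApplies(s, req)) continue;
      if (s.Effect === "Deny") return "Deny"; // explicit deny always wins
      allowed = true;
    }
  }
  return allowed ? "Allow" : "Deny"; // no matching Allow means implicit deny
}

// Exercise the pattern from the Lambda role's point of view.
function scenario() {
  const policies = [roleIdentityPolicy, keyPolicy];
  const check = (action: string, resource: string, context: Record<string, string> = {}) =>
    evaluate(policies, { principal: ROLE_ARN, action, resource, context });
  return {
    readSecret: check("secretsmanager:GetSecretValue", SECRET_ARN),
    readOtherSecret: check("secretsmanager:GetSecretValue", OTHER_SECRET_ARN),
    decryptViaSecretsManager: check("kms:Decrypt", KEY_ARN, { "kms:ViaService": SECRETS_MANAGER_SERVICE }),
    decryptDirect: check("kms:Decrypt", KEY_ARN),
    decryptViaOtherRegion: check("kms:Decrypt", KEY_ARN, { "kms:ViaService": "secretsmanager.eu-west-1.amazonaws.com" }),
  };
}

console.log(scenario());
```

The point of the kms:ViaService condition is the `decryptDirect` case: the Lambda code can obtain the plaintext secret through Secrets Manager, but it cannot use the same role to call kms:Decrypt on arbitrary ciphertext encrypted under that key, and a request routed through Secrets Manager in a different region is also denied because the condition value is region-specific. Note that a real key policy must also allow the account's root or an administrator to manage the key; the statement here is only the least-privilege grant for the role.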

@agairola agairola added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Dec 19, 2022
@kaiz-io kaiz-io added language/typescript Related to Typescript examples p2 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 24, 2023

2 participants