
Implement least privilege permissions for the IAM role SecretsManagerRDSPostgreSQLRotationSingleUserRole

Open mourya-33 opened this issue 1 year ago • 5 comments

Describe the bug

The IAM role SecretsManagerRDSPostgreSQLRotationSingleUserRole has overly permissive permissions that are flagged by a checkov scan (scan result below):

CheckID : CKV_AWS_111
CheckName : Ensure IAM policies does not allow write access without constraints
File : /dataall-staging-backend-stage-backend-stack-AuroraDatabasestagingRotationSingleUser36E-1P9OZ9G9U4NU7.yaml:133-253
Resource : AWS::IAM::Role.SecretsManagerRDSPostgreSQLRotationSingleUserRole
Guideline : CKV_AWS_111

This needs to be restricted to the required resources only.

How to Reproduce

Post deployment, run a checkov scan on the template for Aurora stacks. The scan report would include the entry for the role with a FAILED error message as described in the description above.

Expected behavior

The IAM role permissions should be restricted to only the required resources.

Your project

No response

Screenshots

No response

OS

Mac

Python version

3.10

AWS data.all version

2.5

Additional context

No response

mourya-33, Jun 08 '24 05:06
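A defender-side illustration of what the CKV_AWS_111 finding above looks for, added here and not part of the issue, of data.all or of Checkov's own code: a simplified checker that flags Allow statements combining write-level actions with an unconstrained `Resource: "*"`, run over a constructed policy shaped like a rotation-lambda role's. The verb list and the sample policy are assumptions, not the generated template.

```python
# Added illustration of the CKV_AWS_111 idea: flag Allow statements that grant
# write-level actions on Resource "*". Simplified; not Checkov's own check code.
import json

# Constructed list of write-level verb prefixes (Checkov keeps its own action list).
WRITE_VERBS = ("Create", "Put", "Update", "Delete", "Modify", "Write",
               "Attach", "Detach", "Rotate")

def _as_list(value):
    # IAM allows a single string or object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value or [])

def is_write_action(action: str) -> bool:
    # "*" and "service:*" include every write action of the service.
    if action == "*" or action.endswith(":*"):
        return True
    name = action.split(":", 1)[-1]
    return name.startswith(WRITE_VERBS)

def find_unconstrained_writes(policy: dict) -> list:
    """Return the Sid (or index) of each Allow statement that combines a
    write-level action with Resource "*"; Conditions are ignored here."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource")):
            continue
        if any(is_write_action(a) for a in _as_list(stmt.get("Action"))):
            findings.append(stmt.get("Sid", f"Statement[{i}]"))
    return findings

# Constructed sample shaped like a rotation-lambda role policy; not the generated template.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "RotateAny", "Effect": "Allow",
     "Action": ["secretsmanager:PutSecretValue", "secretsmanager:UpdateSecretVersionStage"],
     "Resource": "*"},
    {"Sid": "ReadAny", "Effect": "Allow",
     "Action": ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"],
     "Resource": "*"},
    {"Sid": "RotateScoped", "Effect": "Allow",
     "Action": "secretsmanager:PutSecretValue",
     "Resource": "arn:aws:secretsmanager:us-east-1:111122223333:secret:example-*"}
  ]
}""")
```

Only `RotateAny` is reported: `ReadAny` is unconstrained but read-only, and `RotateScoped` writes but to a scoped ARN, which is the shape the issue asks the rotation role to take.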

Hi @mourya-33 thanks for opening an issue; will you be implementing it?

dlpzx, Jul 12 '24 08:07

Hi @dlpzx, yes, I will be picking this up. Please assign it to me.

mourya-33, Aug 17 '24 02:08

@mourya-33 can you confirm what we will do here? I believe you told me this can't be fixed easily in data.all and the fix should be outside of data.all?

voidwisp, Sep 05 '24 11:09

@zsaltys @dlpzx This role is being auto created now with no controls to change the IAM policy it attaches for the rotation lambda. I raised an Amazon internal Feature Request to the CDK team to allow passing custom IAM policy to the add_rotation method.

@noah-paige @zsaltys , we will have to add this to checkov baseline in the meantime.

mourya-33, Sep 05 '24 14:09

@dlpzx @noah-paige for reference here is the PFR ID for this enhancement request to CDK - 2990.

mourya-33, Sep 27 '24 13:09

@mourya-33, if there is an update on the internal Amazon feature request, can you please let us know its status?

TejasRGitHub, Jun 23 '25 16:06

With the new RDS v2, this issue doesn't seem to be present. Validated this by generating the deployment stack with cdk synth.

TejasRGitHub, Sep 10 '25 18:09