The AWS Cloud Development Kit (AWS CDK) allows developers to define their cloud infrastructure in code and provision it through AWS CloudFormation. AWS CDK is an open-source software development framework and is widely used for managing cloud resources.
A recent vulnerability was discovered in the aws-cdk-lib and @aws-cdk/aws-eks packages, where two roles - CreationRole and default MastersRole were found to have overly permissive trust policies. This vulnerability has been assigned with the identifier CVE-2023-35165.
aws-cdk-lib 2.. to 2.80.
- @aws-cdk/aws-eks 1.57. to 1.202.
Details
The eks.Cluster and eks.FargateCluster constructs in the affected versions create these two roles, each with a specific purpose:
1. CreationRole: This role is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g., KubernetesManifest, HelmChart, ...). Users with CDK version 1.62. or higher (including v2 users) may be affected.
2. default MastersRole: This role is provisioned only if the mastersRole property isn't provided. It has permissions to execute kubectl commands on the cluster. Users with CDK version 1.57. or higher (including v2 users) may be affected.
Due to the overly permissive trust policies applied to these roles, an attacker with access to either role could potentially perform unauthorized actions. This is a significant security risk for users with the affected versions of the AWS CDK packages.
The issue has been fixed in the following package versions
- @aws-cdk/aws-eks v1.202.
aws-cdk-lib v2.80.
These fixed versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it.
It is strongly recommended that users upgrade their AWS CDK packages to these fixed versions to mitigate the risk of unauthorized actions in their cloud environments.
Workaround
There is no workaround available for the CreationRole. To avoid creating the default MastersRole, users should use the mastersRole property in the eks.Cluster or eks.FargateCluster constructs to explicitly provide a role with appropriate trust policies.
Example
import * as eks from '@aws-cdk/aws-eks';
import * as iam from '@aws-cdk/aws-iam';
import * as cdk from '@aws-cdk/core';
class MyEksCluster extends cdk.Stack {
constructor(scope: cdk.App, id: string, props?: cdk.StackProps) {
super(scope, id, props);
// Create a custom role for masters
const mastersRole = new iam.Role(this, 'CustomMastersRole', {
assumedBy: new iam.AccountRootPrincipal(),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName('AmazonEKSClusterPolicy')
]
});
// Use the custom role in the EKS cluster construct
const eksCluster = new eks.Cluster(this, 'EksCluster', {
mastersRole: mastersRole
});
}
}
const app = new cdk.App();
const env = {
region: 'us-west-2',
};
new MyEksCluster(app, 'MyEksClusterStack', { env });
app.synth();
Links to Original References
- AWS Announcement on the Vulnerability
- CVE-2023-35165 Details
- AWS CDK Release Notes
Timeline
Published on: 06/23/2023 21:15:00 UTC
Last modified on: 07/06/2023 15:37:00 UTC