CVE-2023-35165— AWS CDK EKS overly permissive trust policies

AWS CDK EKS overly permissive trust policies

AWS Cloud Development Kit (AWS CDK) is an open-source software development framework to define cloud infrastructure in code and provision it through AWS CloudFormation. In the packages `aws-cdk-lib` 2.0.0 until 2.80.0 and `@aws-cdk/aws-eks` 1.57.0 until 1.202.0, `eks.Cluster` and `eks.FargateCluster` constructs create two roles, `CreationRole` and `default MastersRole`, that have an overly permissive trust policy. The first, referred to as the `CreationRole`, is used by lambda handlers to create the cluster and deploy Kubernetes resources (e.g `KubernetesManifest`, `HelmChart`, ...) onto it. Users with CDK version higher or equal to 1.62.0 (including v2 users) may be affected. The second, referred to as the `default MastersRole`, is provisioned only if the `mastersRole` property isn't provided and has permissions to execute `kubectl` commands on the cluster. Users with CDK version higher or equal to 1.57.0 (including v2 users) may be affected. The issue has been fixed in `@aws-cdk/aws-eks` v1.202.0 and `aws-cdk-lib` v2.80.0. These versions no longer use the account root principal. Instead, they restrict the trust policy to the specific roles of lambda handlers that need it. There is no workaround available for CreationRole. To avoid creating the `default MastersRole`, use the `mastersRole` property to explicitly provide a role.

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

授权机制不正确

AWS Cloud Development Kit 安全漏洞

AWS Cloud Development Kit是一个开源软件开发框架，用于在代码中定义云基础设施并通过 AWS CloudFormation 进行配置。 AWS Cloud Development Kit存在安全漏洞，该漏洞源于eks.Cluster` 和eks.FargateCluster创建的两个角色具有过于宽松的信任策略。受影响的产品和版本：AWS Cloud Development Kit aws-cdk/aws-eks 1.57.0及之后版本， 1.202.0之前版本；aws-cdk-lib

N/A

N/A