
aws-ec2: restrictDefaultSecurityGroup custom resource lambda uses basic lambda execution role, no ability to add perm boundary #31628

justinwiley opened this issue Oct 2, 2024 · 2 comments
@aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud bug This issue is a bug. closing-soon This issue will automatically close in 4 days unless further comments are made. investigating This issue is being investigated and/or work is in progress to resolve the issue. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments


justinwiley commented Oct 2, 2024

Describe the bug

If the restrictDefaultSecurityGroup option is enabled for ec2.Vpc, a new lambda and lambda execution role is created with the AWSLambdaBasicExecutionRole attached, which grants inappropriately broad wildcard log access.

There doesn't seem to be a way to override this, or to add a permissions boundary to the lambda execution role.

There are two issues with this:

  • by default, cdk-nag complains about wildcard access
  • if you are providing a custom permissions boundary for the cdk bootstrap role, you likely want to have the role require lambdas be deployed with a permissions boundary attached

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Version

No response

Expected Behavior

ec2.Vpc should:

  • expose the lambda execution role or allow it to be overwritten
  • or, stop using the basic execution role and provide a perm boundary option

Current Behavior

See above

Reproduction Steps

    const vpc = new ec2.Vpc(this, 'VPC', {
      ipAddresses: ec2.IpAddresses.cidr(`10.0.0.0/16`),
      restrictDefaultSecurityGroup: true,
    });

Possible Solution

see expected behavior

Additional Information/Context

No response

CDK CLI Version

2.160

Framework Version

No response

Node.js Version

20

OS

any

Language

TypeScript

Language Version

No response

Other information

No response

@justinwiley justinwiley added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Oct 2, 2024
@github-actions github-actions bot added the @aws-cdk/aws-ec2 Related to Amazon Elastic Compute Cloud label Oct 2, 2024
@khushail khushail added needs-reproduction This issue needs reproduction. p2 and removed needs-triage This issue or PR still needs to be triaged. labels Oct 3, 2024
@khushail khushail self-assigned this Oct 7, 2024
@khushail khushail added investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed needs-reproduction This issue needs reproduction. labels Oct 7, 2024
@khushail
Contributor

khushail commented Oct 8, 2024

Hi @justinwiley , thanks for reaching out.

I tried to repro this with the given scenario and here is my observation:

The lambdaBasicExecutionRole has access to Logs after setting `restrictDefaultSecurityGroup` to true:

[Two screenshots from 2024-10-07 of the role's permissions, not reproduced]

However, when I try to restrict the role permissions with a custom boundary:

    //creating custom boundary
    const boundary = new iam.ManagedPolicy(this, 'Boundary2', {
      statements: [
        new iam.PolicyStatement({
          effect: iam.Effect.DENY,
          actions: ['logs:PutLogEvents'],
          resources: ['*'],
        }),
      ],
    });

    iam.PermissionsBoundary.of(this).apply(boundary);

I see the Boundary role getting attached to customRole, as shown in this template:

  "CustomVpcRestrictDefaultSGCustomResourceProviderRole26592FE0": {
  "Type": "AWS::IAM::Role",
  "Properties": {
   "AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
     {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
       "Service": "lambda.amazonaws.com"
      }
     }
    ]
   },
   "ManagedPolicyArns": [
    {
     "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
    }
   ],
   "Policies": [
    {
     "PolicyName": "Inline",
     "PolicyDocument": {
      "Version": "2012-10-17",
      "Statement": [
       {
        "Effect": "Allow",
        "Action": [
         "ec2:AuthorizeSecurityGroupIngress",
         "ec2:AuthorizeSecurityGroupEgress",
         "ec2:RevokeSecurityGroupIngress",
         "ec2:RevokeSecurityGroupEgress"
        ],
        "Resource": [
         {
          "Fn::Join": [
           "",
           [
            "arn:aws:ec2:us-west-1:123456789012:security-group/",
            {
             "Fn::GetAtt": [
              "VPCB9E5F0B4",
              "DefaultSecurityGroup"
             ]
            }
           ]
          ]
         }
        ]
       }
      ]
     }
    }
   ],
   "PermissionsBoundary": {
    "Ref": "Boundary261F0699E"
   }
  }
  }

Is this what you are expecting to do?
I agree that by changing the boolean value to true, wide permissions are granted, but AFAIU this boundary role is limiting the access permissions. However, I am still working on the bootstrap permissions boundary scenario and will share findings soon.
Please feel free to clarify if something is misinterpreted.
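
Added example, not code from the issue or from the CDK project: a small TypeScript post-synth check in the spirit of the cdk-nag complaint in the report, run over a template shaped like the one posted above. It flags Lambda execution roles that attach AWSLambdaBasicExecutionRole (wildcard CloudWatch Logs access) and roles with no PermissionsBoundary, so the "with boundary" and "without boundary" cases from the thread can be told apart automatically. The sample template, its resource ids and the rule names are constructed; only the managed policy ARN and the `Boundary261F0699E` Ref come from the thread.

```typescript
// Added example (not from the issue or aws-cdk): walk a CloudFormation template
// and flag Lambda execution roles that attach AWSLambdaBasicExecutionRole or
// that carry no PermissionsBoundary. Point it at `cdk synth` output.
type Stmt = { Principal?: { Service?: string | string[] } };
type RoleProps = {
  AssumeRolePolicyDocument?: { Statement?: Stmt[] };
  ManagedPolicyArns?: unknown[];
  PermissionsBoundary?: unknown;
};
type Template = { Resources: Record<string, { Type: string; Properties?: RoleProps }> };
type Finding = { role: string; rule: string };
function isLambdaRole(props: RoleProps): boolean {
  const stmts = props.AssumeRolePolicyDocument?.Statement ?? [];
  return stmts.some((s) =>
    ([] as string[]).concat(s.Principal?.Service ?? []).includes("lambda.amazonaws.com"));
}
// Synthesized ARNs are usually intrinsics ({"Fn::Sub": "arn:${AWS::Partition}:..."}),
// so match on the serialized value instead of assuming a plain string.
function attachesBasicExecutionRole(props: RoleProps): boolean {
  return (props.ManagedPolicyArns ?? []).some((a) =>
    JSON.stringify(a).includes("/AWSLambdaBasicExecutionRole"));
}
function auditLambdaRoles(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const [id, res] of Object.entries(template.Resources)) {
    const props = res.Properties ?? {};
    if (res.Type !== "AWS::IAM::Role" || !isLambdaRole(props)) continue;
    if (attachesBasicExecutionRole(props)) findings.push({ role: id, rule: "wildcard-logs-managed-policy" });
    if (props.PermissionsBoundary === undefined) findings.push({ role: id, rule: "missing-permissions-boundary" });
  }
  return findings;
}
// Constructed sample modelled on the template in the thread: the custom resource
// role once with the boundary applied (as khushail did) and once without it.
const lambdaTrust = { Statement: [{ Principal: { Service: "lambda.amazonaws.com" } }] };
const basicExec = { "Fn::Sub": "arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole" };
const sampleTemplate: Template = {
  Resources: {
    RestrictDefaultSGRoleWithBoundary: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: lambdaTrust, ManagedPolicyArns: [basicExec],
        PermissionsBoundary: { Ref: "Boundary261F0699E" } },
    },
    RestrictDefaultSGRoleNoBoundary: {
      Type: "AWS::IAM::Role",
      Properties: { AssumeRolePolicyDocument: lambdaTrust, ManagedPolicyArns: [basicExec] },
    },
  },
};
console.log(auditLambdaRoles(sampleTemplate));
```

Both roles are reported for the managed policy, which is the part the boundary does not remove; only the role without the boundary also gets the missing-boundary finding.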

@khushail khushail added response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. investigating This issue is being investigated and/or work is in progress to resolve the issue. and removed investigating This issue is being investigated and/or work is in progress to resolve the issue. labels Oct 8, 2024

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label Oct 11, 2024