
CDK Pipelines security posture change approvals #282

Closed
1 of 7 tasks
eladb opened this issue Jan 25, 2021 · 3 comments
Labels
management/tracking status/done Implementation complete

Comments

@eladb
Contributor

eladb commented Jan 25, 2021

PR Champion
#

Description

The default behavior of CDK Pipelines should ensure that a change in the application's security posture is explicitly approved.

CDK applications normally include security-related infrastructure definitions such as networking rules and IAM policies. Changes to these definitions may expose the application to security risks. Such changes can happen as a result of a change in the application code or they can happen as a result of changes in a 3rd party construct library the application depends on (or a transitive dependency thereof).

The CDK CLI heuristically detects such changes when cdk deploy is executed based on the "diff" between the currently deployed application and the application that's about to be deployed. A report is printed and an explicit confirmation is required:

The current implementation of CDK Pipelines bypasses this confirmation dialog using a CLI switch (--require-approval=never). This means that a commit to the source repository that changes the security posture of the application will be deployed automatically to the target environments.

CDK Pipelines allows users to add approval steps to their flow. This means that users are technically able to block their deployments and review any changes, but the default behavior must be safe and secure.

Progress

  • Tracking Issue Created
  • RFC PR Created
  • Core Team Member Assigned
  • Initial Approval / Final Comment Period
  • Ready For Implementation
    • implementation issue 1
  • Resolved
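
The "diff"-based detection described in this issue, as an added example that is not code from the CDK CLI or the CDK Pipelines project: two constructed CloudFormation templates (the deployed one and the one a new commit wants to deploy) are compared, inline IAM statements and security-group rules are classified as broadening or narrowing, and the three real `--require-approval` modes (`never`, `broadening`, `any-change`) are mirrored. The heuristic is deliberately simplified (no managed policies, resource policies or intrinsic functions), so it is an assumption about the shape of the check, not a re-implementation of the CLI's own logic.

```python
"""Simplified security-posture diff in the spirit of `cdk deploy --require-approval`.
Illustration code added to this page, not the CDK CLI's implementation."""
import json
from typing import Any

# Constructed sample: the currently deployed template.
DEPLOYED = {
    "Resources": {
        "Role": {"Type": "AWS::IAM::Role", "Properties": {
            "Policies": [{"PolicyName": "app", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::app-bucket/*"},
                {"Effect": "Deny", "Action": ["s3:DeleteObject"], "Resource": "*"},
            ]}}]}},
        "Sg": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
            "SecurityGroupIngress": [
                {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "10.0.0.0/8"}]}},
    }
}
# Constructed sample: the template a new commit wants to deploy. It widens the
# role to s3:* on every bucket, drops the Deny, and opens SSH to the world.
PROPOSED = json.loads(json.dumps(DEPLOYED))
PROPOSED["Resources"]["Role"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"] = [
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"},
]
PROPOSED["Resources"]["Sg"]["Properties"]["SecurityGroupIngress"].append(
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"})

IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::User", "AWS::IAM::Group")
SG_RULE_TYPES = ("AWS::EC2::SecurityGroupIngress", "AWS::EC2::SecurityGroupEgress")


def _canon(obj: Any) -> str:
    """Canonical JSON so two equal statements compare equal regardless of key order."""
    return json.dumps(obj, sort_keys=True)


def _statements(template: dict):
    """Yield (logical_id, canonical statement, effect) for every inline IAM statement."""
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        docs = [p.get("PolicyDocument", {}) for p in props.get("Policies", [])]
        if "PolicyDocument" in props:
            docs.append(props["PolicyDocument"])
        for doc in docs:
            stmts = doc.get("Statement", [])
            for s in (stmts if isinstance(stmts, list) else [stmts]):
                yield lid, _canon(s), s.get("Effect", "Allow")


def _sg_rules(template: dict):
    """Yield (logical_id, rule kind, canonical rule) for inline and standalone SG rules."""
    for lid, res in template.get("Resources", {}).items():
        if res.get("Type") == "AWS::EC2::SecurityGroup":
            props = res.get("Properties", {})
            for key in ("SecurityGroupIngress", "SecurityGroupEgress"):
                for rule in props.get(key, []):
                    yield lid, key, _canon(rule)
        elif res.get("Type") in SG_RULE_TYPES:
            yield lid, res["Type"], _canon(res.get("Properties", {}))


def security_diff(deployed: dict, proposed: dict):
    """Return (broadens, description) findings for every security-relevant change."""
    findings = []
    old = {(lid, stmt): eff for lid, stmt, eff in _statements(deployed)}
    new = {(lid, stmt): eff for lid, stmt, eff in _statements(proposed)}
    for key, eff in new.items():
        if key not in old:  # a new Allow widens access; a new Deny narrows it
            findings.append((eff == "Allow", f"{key[0]}: added {eff} statement {key[1]}"))
    for key, eff in old.items():
        if key not in new:  # removing a Deny widens access; removing an Allow narrows it
            findings.append((eff == "Deny", f"{key[0]}: removed {eff} statement {key[1]}"))
    old_rules, new_rules = set(_sg_rules(deployed)), set(_sg_rules(proposed))
    for lid, kind, rule in sorted(new_rules - old_rules):
        findings.append((True, f"{lid}: added {kind} rule {rule}"))
    for lid, kind, rule in sorted(old_rules - new_rules):
        findings.append((False, f"{lid}: removed {kind} rule {rule}"))
    return findings


def requires_approval(deployed: dict, proposed: dict, mode: str = "broadening") -> bool:
    """Mirror the --require-approval modes: never, broadening (the CLI default), any-change."""
    findings = security_diff(deployed, proposed)
    if mode == "never":
        return False
    if mode == "any-change":
        return bool(findings)
    return any(broadens for broadens, _ in findings)


if __name__ == "__main__":
    for broadens, text in security_diff(DEPLOYED, PROPOSED):
        print(("BROADENING " if broadens else "narrowing  ") + text)
    print("approval required:", requires_approval(DEPLOYED, PROPOSED))
```

Run with the `never` mode and the function answers `False` for exactly the same diff, which is what a pipeline that passes `--require-approval=never` does with a commit that opens SSH to `0.0.0.0/0`: the report is never produced and nobody is asked.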
@eladb
Contributor Author

eladb commented Jan 28, 2021

Ideas for solutions

  • At the minimum, we can change the default so that pipelines are always blocked from deploying to production (we need to identify "prod" stages in order to do that). This will require that users will always review the diffs before deploying to production.
  • Require that a user with read-only access to all production environments will commit a file to the repo that approves changes. The benefit of such an approach is that it is deployment-system-agnostic.
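
The second idea above, an approval committed to the repository, as an added example that is not the CDK project's code: the approval record is bound to the SHA-256 of the canonicalised template it was reviewed against, so a pipeline (any pipeline, which is what makes the approach deployment-system-agnostic) can check that the exact template it is about to deploy was signed off, and an approval for an earlier commit cannot be reused for a later one that widens permissions. The record layout, the reviewer names and the sample templates are constructed for the example.

```python
"""Approval-by-committed-file check bound to a template digest.
Illustration code added to this page, not the CDK project's; the record layout is assumed."""
import hashlib
import json


def template_digest(template: dict) -> str:
    """Stable digest: key order and whitespace must not change the hash."""
    canon = json.dumps(template, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def record_approval(approvals: list, template: dict, approver: str, reason: str) -> list:
    """Append an approval for exactly this template; returns the updated list."""
    approvals.append({"digest": template_digest(template),
                      "approver": approver, "reason": reason})
    return approvals


def is_approved(approvals: list, template: dict, required_reviewers: int = 1) -> bool:
    """True when enough distinct reviewers approved this exact template."""
    digest = template_digest(template)
    reviewers = {a["approver"] for a in approvals if a.get("digest") == digest}
    return len(reviewers) >= required_reviewers


# Constructed samples: V1 is what reviewers signed off on; V2 is a later commit
# that widens the role's permissions without touching anything else.
V1 = {"Resources": {"Role": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
    {"PolicyName": "app", "PolicyDocument": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"}]}}]}}}}
V2 = json.loads(json.dumps(V1))
V2["Resources"]["Role"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"][0]["Action"] = ["s3:*"]
# Same content as V1 with keys in a different order: the digest must not change.
V1_REORDERED = {"Resources": {"Role": {
    "Properties": V1["Resources"]["Role"]["Properties"], "Type": "AWS::IAM::Role"}}}

# Constructed approval record, as it would sit in a file committed to the app repo.
APPROVALS = record_approval([], V1, "alice", "reviewed security diff for release 1.4")

if __name__ == "__main__":
    print("V1 approved:", is_approved(APPROVALS, V1))
    print("V2 approved:", is_approved(APPROVALS, V2))
```

The pipeline step that consumes this would synthesize the template, compute its digest and refuse to deploy unless the committed approvals contain that digest from the required number of distinct reviewers; who may commit to the approvals file is then a repository permission question rather than a pipeline-vendor feature.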

@skinny85 skinny85 changed the title CDK pipeline security posture change approvals CDK Pipelines security posture change approvals Jan 28, 2021
@eladb
Contributor Author

eladb commented Jul 28, 2021

@otaviomacedo @rix0rrr What's the status of this one?

@eladb eladb added status/implementing RFC is being implemented and removed status/proposed Newly proposed RFC labels Jul 28, 2021
@otaviomacedo
Contributor

It was addressed by this commit.

@eladb eladb added status/done Implementation complete and removed status/implementing RFC is being implemented labels Jul 29, 2021
@eladb eladb closed this as completed Aug 4, 2021