How to use the Least Privilege Approach for CloudFormation roles in AWS CDK Deployment

Customizing CloudFormation Execution Role with Policies During CDK Bootstrapping

Introduction

When you deploy applications using AWS CloudFormation and the AWS CDK, it’s crucial to ensure that the resources created are secure and follow best practices. One important practice is the principle of least privilege for IAM roles. By default, the AWS CDK creates an execution role for CloudFormation during the bootstrapping process. However, if you need to customize this role with specific permissions, you can do so during the bootstrapping process itself.

What Happens During CDK Bootstrapping?

CDK bootstrapping is a process where the necessary resources for CDK deployments are created in your AWS account. These include:

  • CloudFormation Execution Role: This role is assumed by CloudFormation to deploy and manage resources during the stack creation process.
  • S3 Bootstrap Bucket: An S3 bucket used to store assets such as Lambda functions, Docker images, and other resources during deployment.
  • Cross-Account Roles: These are created if you are deploying to multiple AWS accounts.

By default, the execution role created during bootstrapping has broad permissions. However, in many cases, you may want to limit these permissions and provide only the minimum necessary access using a customized IAM policy.

Passing Custom Policies to the CloudFormation Execution Role During Bootstrapping

To pass a custom policy to the CloudFormation execution role during the bootstrapping process, you need to create a custom CDK bootstrap stack. AWS CDK allows you to specify a custom CloudFormation execution role and attach a policy to that role during bootstrapping.

Step-by-Step Guide

Follow these steps to pass custom policies to the CloudFormation execution role:

  1. Create a CDK Bootstrap Stack: The CDK allows you to customize the execution role using the `cdk bootstrap` command with custom parameters.
  2. Use a Custom Policy in the Bootstrap Stack: In your CDK app, you can define a policy that will be applied to the execution role during bootstrapping.

Example: Custom CloudFormation Execution Role with Policies

Here is an example that demonstrates how to define a custom policy for the CloudFormation execution role during the bootstrapping process:

import * as cdk from 'aws-cdk-lib';
import * as iam from 'aws-cdk-lib/aws-iam';
// In aws-cdk-lib v2 the Construct base class comes from the 'constructs' package,
// not from 'aws-cdk-lib' itself.
import { Construct } from 'constructs';

class CustomBootstrapStack extends cdk.Stack {
    constructor(scope: Construct, id: string, props?: cdk.StackProps) {
        super(scope, id, props);

        // Create the custom CloudFormation execution role.
        // Only the CloudFormation service may assume it, and its inline policy
        // is scoped to the single bootstrap bucket it needs.
        const executionRole = new iam.Role(this, 'CustomExecutionRole', {
            assumedBy: new iam.ServicePrincipal('cloudformation.amazonaws.com'),
            inlinePolicies: {
                'CustomS3Access': new iam.PolicyDocument({
                    statements: [
                        new iam.PolicyStatement({
                            actions: ['s3:PutObject', 's3:ListBucket'],
                            resources: [
                                'arn:aws:s3:::your-bootstrap-bucket/*',
                                'arn:aws:s3:::your-bootstrap-bucket',
                            ],
                        }),
                    ],
                }),
            },
        });

        // Output the role ARN so it can be passed to `cdk bootstrap`
        new cdk.CfnOutput(this, 'ExecutionRoleARN', {
            value: executionRole.roleArn,
        });
    }
}

const app = new cdk.App();
new CustomBootstrapStack(app, 'CustomBootstrapStack');

In this example, we create a custom CloudFormation execution role and attach a policy that grants access to the S3 bucket where deployment assets are stored. The permissions are scoped to the specific actions and resources required for the deployment rather than to all buckets.

Bootstrapping with a Custom Execution Role

Once you’ve created your CDK application with the custom execution role, you can bootstrap the environment using the following command:

cdk bootstrap --role-arn arn:aws:iam::your-account-id:role/CustomExecutionRole

This command bootstraps your CDK environment using the CustomExecutionRole that you created. The role will now have the permissions specified in the policy during the bootstrapping process.
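Before attaching a policy like the one in the example above to the execution role, it is worth checking it for the usual least-privilege mistakes (wildcard actions, wildcard resources, and unscoped IAM actions that can hand out further permissions). The following TypeScript is an added example, not code from the original post or from the AWS CDK project: it expresses the post's scoped S3 grant as plain IAM JSON, lints it, and renders the `cdk bootstrap --cloudformation-execution-policies` invocation, which is the CDK CLI option that attaches managed policies to the execution role. The bucket name, account id and policy ARN are placeholders constructed for the example, and the second (over-broad) policy document is constructed to show what the check flags.

```typescript
// Added example: pre-flight least-privilege check for a CloudFormation execution-role
// policy before it is attached during `cdk bootstrap`. All values are constructed.

type Statement = {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
};

type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };

// Placeholder; the real bootstrap bucket name is printed by `cdk bootstrap`.
const BOOTSTRAP_BUCKET = "your-bootstrap-bucket";

// Constructed sample: the same scoped S3 grant the post's CDK stack expresses,
// written as IAM JSON so it can be reviewed without synthesizing the stack.
const scopedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:PutObject", "s3:ListBucket"],
      Resource: [`arn:aws:s3:::${BOOTSTRAP_BUCKET}/*`, `arn:aws:s3:::${BOOTSTRAP_BUCKET}`],
    },
  ],
};

// Constructed counter-example: the kind of grant a default, broad execution role carries.
const broadPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "*", Resource: "*" }],
};

// IAM actions that let a role create or hand out further permissions; these need
// a Resource scope (the specific role ARNs CloudFormation must create or pass).
const GRANTING_ACTIONS = new Set([
  "iam:CreateRole",
  "iam:AttachRolePolicy",
  "iam:PutRolePolicy",
  "iam:PassRole",
]);

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// Returns human-readable findings; an empty list means the document passed.
function lintPolicy(doc: PolicyDocument): string[] {
  const findings: string[] = [];
  doc.Statement.forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements only narrow access
    const resources = asList(stmt.Resource);
    for (const action of asList(stmt.Action)) {
      // "*" or "service:*" grants every action of a service
      if (action === "*" || action.endsWith(":*")) {
        findings.push(`statement ${i}: wildcard action "${action}"`);
      } else if (GRANTING_ACTIONS.has(action) && resources.includes("*")) {
        findings.push(`statement ${i}: ${action} on every role; scope Resource to specific role ARNs`);
      }
    }
    if (resources.includes("*")) {
      findings.push(`statement ${i}: wildcard resource`);
    }
  });
  return findings;
}

// `--cloudformation-execution-policies` takes a comma-separated list of managed
// policy ARNs; the ARN passed below is a placeholder for your customer-managed policy.
function bootstrapCommand(policyArns: string[]): string {
  return `cdk bootstrap --cloudformation-execution-policies ${policyArns.join(",")}`;
}

console.log("scoped policy findings:", lintPolicy(scopedPolicy));
console.log("broad policy findings:", lintPolicy(broadPolicy));
console.log(bootstrapCommand(["arn:aws:iam::123456789012:policy/CdkCfnExecPolicy"]));
```

The linter is deliberately conservative: a statement that passes it can still be wider than a given deployment needs, so the findings are a floor, not a certificate. If the execution role must keep broad permissions for some stacks, the CDK CLI also accepts `--custom-permissions-boundary` at bootstrap time, which caps what the role can do regardless of the policies attached to it.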

Roles Created During CDK Bootstrapping

During the bootstrapping process, several roles and resources are created by default:

  • AWSCloudFormationExecutionRole: The IAM role that CloudFormation assumes to deploy stacks.
  • AWSLambdaBasicExecutionRole: This role is used by AWS Lambda functions to log to CloudWatch logs.
  • AWSCloudFormationStackSetExecutionRole: This role is used when deploying stack sets across multiple accounts or regions.
  • Cross-Account Roles: These roles facilitate deployment in cross-account environments.

If you’ve passed a custom execution role with specific policies, those permissions will now govern how CloudFormation deploys and interacts with the resources in your environment.

Conclusion

By customizing the CloudFormation execution role during the CDK bootstrapping process, you can ensure that the resources created follow the least privilege principle, which is a key best practice for securing your infrastructure. The cdk bootstrap command allows you to provide custom IAM policies, ensuring that only the necessary permissions are granted to CloudFormation.

This approach not only enhances security but also gives you greater control over how your CDK applications interact with AWS services, reducing the risk of over-permissioned roles.