ECR deployment role contains wildcard permissions

[kukushking]

ECRDeployment construct always adds a default policy (below) that contains wildcard permissions to the ECR deployment role, even if a custom role is passed to the construct. This unfortunately fails CDK-nag security checks, and requires suppression rules.

I would like to be able to implement least-privilege IAM policies i.e. limit IAM actions to the specific repo/s3 bucket arn.

If a custom role is passed, I expect as the default behavior to not have any additional policies added to the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ecr:GetAuthorizationToken",
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:ListTagsForResource",
                "ecr:DescribeImageScanFindings",
                "ecr:InitiateLayerUpload",
                "ecr:UploadLayerPart",
                "ecr:CompleteLayerUpload",
                "ecr:PutImage"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": "s3:GetObject",
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

[ndrpp]

Can't this be solved by putting a .withoutPolicyUpdates() after the role?
example:

   const ecrDeploy = new ecrdeploy.ECRDeployment(this, deploymentName, {
      src,
      dest,
      role: myRole.withoutPolicyUpdates()
    })

[athewsey]

Even apart from the permissions themselves, I'm having trouble suppressing the generated CDK-Nag errors - I think because of the use of a Singleton Lambda? For example the below within a Construct does not suppress the error:

    const deployment = new ecrDeploy.ECRDeployment(this, "Deployment", {...});
    NagSuppressions.addResourceSuppressions(
      deployment,
      [
        {
          id: "AwsSolutions-IAM4",
          reason: "Can't control managed policies within ECRDeployment resource",
        },
        {
          id: "AwsSolutions-IAM5",
          reason: "Can't control wildcard policies within ECRDeployment resource",
        },
      ],
      true,  // Even with applyToChildren=true
    );

...Because the generated resource that causes the violation is at:

/{path-to-containing-substack}/Custom::CDKECRDeployment{long-alphanumeric}/ServiceRole/DefaultPolicy/Resource

...NOT under the deployment construct itself or even the this parent construct that creates it.

Since ECRDeployment.handler is private, I can't find any more granular way than to suppress the errors on cdk.Stack.of(this) with applyToChildren=true: Ignoring ALL IAM4 and IAM5 violations on the entire (nested) stack.

I understand this could be worked around by passing a custom role, but has anybody found a good way to suppress the CDK-Nag warnings when allowing ECRDeployment to create its own singleton role?

[bersanf]

i have solved with this code

  NagSuppressions.addResourceSuppressions(
     scope.node
       .findChild(
         scope.node.children.filter((child) =>
           child.node.id.startsWith("Custom::CDKECRDeployment")
         )[0].node.id
       )
       .node.findChild("ServiceRole")
       .node.findChild("DefaultPolicy").node.defaultChild as cdk.CfnResource,
     [
       {
         id: "AwsSolutions-IAM4",
         reason:
           "Can't control managed policies within ECRDeployment resource",
       },
       {
         id: "AwsSolutions-IAM5",
         reason:
           "Can't control wildcard policies within ECRDeployment resource",
       },
     ],
     true
   );

and

    NagSuppressions.addResourceSuppressions(
      scope.node
        .findChild(
          scope.node.children.filter((child) =>
            child.node.id.startsWith("Custom::CDKECRDeployment")
          )[0].node.id
        )
        .node.findChild("ServiceRole").node.defaultChild as cdk.CfnResource,
      [
        {
          id: "AwsSolutions-IAM4",
          reason:
            "Can't control managed policies within ECRDeployment resource",
        },
        {
          id: "AwsSolutions-IAM5",
          reason:
            "Can't control wildcard policies within ECRDeployment resource",
        },
      ],
      true
    );