Scope down execution and logging role assume role policy (#860)

aws-cloudformation · Jan 28, 2022 · fe0b680 · fe0b680
1 parent bc68113
commit fe0b680
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/src/rpdk/core/data/managed-upload-infrastructure.yaml b/src/rpdk/core/data/managed-upload-infrastructure.yaml
@@ -91,6 +91,10 @@ Resources:
  Service:
  - resources.cloudformation.amazonaws.com
  Action: sts:AssumeRole
+ Condition:
+ StringEquals:
+ aws:SourceAccount:
+ Ref: AWS::AccountId
  Path: "/"
  Policies:
  - PolicyName: LogAndMetricsDeliveryRolePolicy

diff --git a/src/rpdk/core/project.py b/src/rpdk/core/project.py
@@ -160,6 +160,10 @@ def type_name(self, value):
  def hypenated_name(self):
  return "-".join(self.type_info).lower()
 
+ @property
+ def hyphenated_name_case_sensitive(self):
+ return "-".join(self.type_info)
+
  @property
  def schema_filename(self):
  return f"{self.hypenated_name}.json"
@@ -428,7 +432,7 @@ def generate(self):
  permission = "Deny"
 
  contents = template.render(
- type_name=self.hypenated_name,
+ type_name=self.hyphenated_name_case_sensitive,
  actions=sorted(actions),
  permission=permission,
  role_session_timeout=role_session_timeout,

diff --git a/src/rpdk/core/templates/resource-role.yml b/src/rpdk/core/templates/resource-role.yml
@@ -15,6 +15,13 @@ Resources:
  Principal:
  Service: resources.cloudformation.amazonaws.com
  Action: sts:AssumeRole
+ Condition:
+ StringEquals:
+ aws:SourceAccount:
+ Ref: AWS::AccountId
+ StringLike:
+ aws:SourceArn:
+ Fn::Sub: arn:${AWS::Partition}:cloudformation:${AWS::Region}:${AWS::AccountId}:type/resource/{{ type_name }}/*
  Path: "/"
  Policies:
  - PolicyName: ResourceTypePolicy