Description: Describe the provenance of the resources in this bootstrap stack. Change this when you customize the template. To prevent accidents, the CDK CLI will not overwrite bootstrap stacks with a different variant.
54
+
DenyExternalId:
55
+
Type: String
56
+
Default: "true"
57
+
AllowedValues:
58
+
- "true"
59
+
- "false"
60
+
Description: Whether to deny AssumeRole calls with an ExternalId. This prevents calls that are intended to be deputized from accidentally assuming CDK Roles.
54
61
Conditions:
55
62
HasTrustedAccounts:
56
63
Fn::Not:
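Review bot: Defaulting DenyExternalId to "true" is a behaviour change on re-bootstrap, not only a new option: any existing integration that assumes the CDK roles while passing an ExternalId will be refused as soon as this template version is rolled out, and nothing in the hunk tells the operator that. Suggest the Description (or the CLI bootstrap docs this template ships with) state that plainly and point operators who rely on ExternalId to re-bootstrap with `DenyExternalId: "false"`, so the denial is a deliberate choice rather than a surprise. The string-typed "true"/"false" AllowedValues are consistent with how PublicAccessBlockConfiguration is handled, so no change needed there.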
@@ -104,6 +111,10 @@ Conditions:
104
111
Fn::Equals:
105
112
- "true"
106
113
- Ref: PublicAccessBlockConfiguration
114
+
ShouldDenyExternalId:
115
+
Fn::Equals:
116
+
- "true"
117
+
- Ref: DenyExternalId
107
118
Resources:
108
119
FileAssetsBucketEncryptionKey:
109
120
Type: AWS::KMS::Key
@@ -288,19 +299,41 @@ Resources:
288
299
Properties:
289
300
AssumeRolePolicyDocument:
290
301
Statement:
291
-
- Action: sts:TagSession
302
+
- Action: sts:AssumeRole
292
303
Effect: Allow
293
304
Principal:
294
305
AWS:
295
306
Ref: AWS::AccountId
296
-
- Action: sts:AssumeRole
307
+
Condition:
308
+
Fn::If:
309
+
- ShouldDenyExternalId
310
+
- "Null":
311
+
sts:ExternalId: "true"
312
+
- Ref: AWS::NoValue
313
+
- Action: sts:TagSession
297
314
Effect: Allow
298
315
Principal:
299
316
AWS:
300
317
Ref: AWS::AccountId
301
318
- Fn::If:
302
319
- HasTrustedAccounts
303
-
- Action: sts:AssumeRole
320
+
- Action:
321
+
- sts:AssumeRole
322
+
Effect: Allow
323
+
Principal:
324
+
AWS:
325
+
Ref: TrustedAccounts
326
+
Condition:
327
+
Fn::If:
328
+
- ShouldDenyExternalId
329
+
- "Null":
330
+
sts:ExternalId: "true"
331
+
- Ref: AWS::NoValue
332
+
- Ref: AWS::NoValue
333
+
- Fn::If:
334
+
- HasTrustedAccounts
335
+
- Action:
336
+
- sts:TagSession
304
337
Effect: Allow
305
338
Principal:
306
339
AWS:
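Review bot: The Action form is inconsistent within this hunk: the AWS::AccountId statements keep the scalar `Action: sts:AssumeRole` / `Action: sts:TagSession`, while the TrustedAccounts statements were rewritten to single-element lists (`- sts:AssumeRole`, `- sts:TagSession`), which is churn with no effect; keep the scalar form so the diff shows only the Condition being added. Likewise, swapping the order of the AssumeRole and TagSession statements for the account principal makes the hunk read as a rewrite when only a Condition was introduced. The split itself is correct: the `"Null": {sts:ExternalId: "true"}` condition (key must be absent) belongs on the sts:AssumeRole statement only, and leaving sts:TagSession unconditioned is harmless because TagSession grants nothing without a permitted AssumeRole.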
@@ -316,19 +349,41 @@ Resources:
316
349
Properties:
317
350
AssumeRolePolicyDocument:
318
351
Statement:
319
-
- Action: sts:TagSession
352
+
- Action: sts:AssumeRole
320
353
Effect: Allow
321
354
Principal:
322
355
AWS:
323
356
Ref: AWS::AccountId
324
-
- Action: sts:AssumeRole
357
+
Condition:
358
+
Fn::If:
359
+
- ShouldDenyExternalId
360
+
- "Null":
361
+
sts:ExternalId: "true"
362
+
- Ref: AWS::NoValue
363
+
- Action: sts:TagSession
325
364
Effect: Allow
326
365
Principal:
327
366
AWS:
328
367
Ref: AWS::AccountId
329
368
- Fn::If:
330
369
- HasTrustedAccounts
331
-
- Action: sts:AssumeRole
370
+
- Action:
371
+
- sts:AssumeRole
372
+
Effect: Allow
373
+
Principal:
374
+
AWS:
375
+
Ref: TrustedAccounts
376
+
Condition:
377
+
Fn::If:
378
+
- ShouldDenyExternalId
379
+
- "Null":
380
+
sts:ExternalId: "true"
381
+
- Ref: AWS::NoValue
382
+
- Ref: AWS::NoValue
383
+
- Fn::If:
384
+
- HasTrustedAccounts
385
+
- Action:
386
+
- sts:TagSession
332
387
Effect: Allow
333
388
Principal:
334
389
AWS:
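Review bot: The same two nits as the previous role apply here: the TrustedAccounts statements switch to single-element `Action:` lists while the AWS::AccountId statements above them stay scalar, and the AssumeRole/TagSession reorder inflates the hunk. More importantly, this hunk is a byte-for-byte copy of the Condition block from the previous role, and CloudFormation YAML offers no anchors to share it, so a snapshot test of the rendered template for both DenyExternalId values is the only thing that will keep the copies from drifting apart in later edits.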
@@ -344,27 +399,65 @@ Resources:
344
399
Properties:
345
400
AssumeRolePolicyDocument:
346
401
Statement:
347
-
- Action: sts:TagSession
402
+
- Action: sts:AssumeRole
348
403
Effect: Allow
349
404
Principal:
350
405
AWS:
351
406
Ref: AWS::AccountId
352
-
- Action: sts:AssumeRole
407
+
Condition:
408
+
Fn::If:
409
+
- ShouldDenyExternalId
410
+
- "Null":
411
+
sts:ExternalId: "true"
412
+
- Ref: AWS::NoValue
413
+
- Action: sts:TagSession
353
414
Effect: Allow
354
415
Principal:
355
416
AWS:
356
417
Ref: AWS::AccountId
357
418
- Fn::If:
358
419
- HasTrustedAccountsForLookup
359
-
- Action: sts:AssumeRole
420
+
- Action:
421
+
- sts:AssumeRole
422
+
Effect: Allow
423
+
Principal:
424
+
AWS:
425
+
Ref: TrustedAccountsForLookup
426
+
Condition:
427
+
Fn::If:
428
+
- ShouldDenyExternalId
429
+
- "Null":
430
+
sts:ExternalId: "true"
431
+
- Ref: AWS::NoValue
432
+
- Ref: AWS::NoValue
433
+
- Fn::If:
434
+
- HasTrustedAccountsForLookup
435
+
- Action:
436
+
- sts:TagSession
360
437
Effect: Allow
361
438
Principal:
362
439
AWS:
363
440
Ref: TrustedAccountsForLookup
364
441
- Ref: AWS::NoValue
365
442
- Fn::If:
366
443
- HasTrustedAccounts
367
-
- Action: sts:AssumeRole
444
+
- Action:
445
+
- sts:AssumeRole
446
+
Effect: Allow
447
+
Principal:
448
+
AWS:
449
+
Ref: TrustedAccounts
450
+
Condition:
451
+
Fn::If:
452
+
- ShouldDenyExternalId
453
+
- "Null":
454
+
sts:ExternalId: "true"
455
+
- Ref: AWS::NoValue
456
+
- Ref: AWS::NoValue
457
+
- Fn::If:
458
+
- HasTrustedAccounts
459
+
- Action:
460
+
- sts:TagSession
368
461
Effect: Allow
369
462
Principal:
370
463
AWS:
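Review bot: This role carries the ExternalId Condition in four places (the AWS::AccountId principal, TrustedAccountsForLookup and TrustedAccounts, each with its own AssumeRole/TagSession split), so it is the hunk most worth covering with a rendered-template check: with DenyExternalId "false" every `Condition:` key must resolve away through `Ref: AWS::NoValue`, and with "true" every sts:AssumeRole statement, and none of the sts:TagSession statements, must carry `"Null": {sts:ExternalId: "true"}`. Note also that the outer `Fn::If` entries now pair each `- Fn::If:` with its own trailing `- Ref: AWS::NoValue`, so with no trusted accounts configured the Statement list collapses to the two in-account entries, which is the intended result; the scalar-versus-list `Action:` inconsistency from the earlier roles applies here as well.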
@@ -457,19 +550,41 @@ Resources:
457
550
Properties:
458
551
AssumeRolePolicyDocument:
459
552
Statement:
460
-
- Action: sts:TagSession
553
+
- Action: sts:AssumeRole
461
554
Effect: Allow
462
555
Principal:
463
556
AWS:
464
557
Ref: AWS::AccountId
465
-
- Action: sts:AssumeRole
558
+
Condition:
559
+
Fn::If:
560
+
- ShouldDenyExternalId
561
+
- "Null":
562
+
sts:ExternalId: "true"
563
+
- Ref: AWS::NoValue
564
+
- Action: sts:TagSession
466
565
Effect: Allow
467
566
Principal:
468
567
AWS:
469
568
Ref: AWS::AccountId
470
569
- Fn::If:
471
570
- HasTrustedAccounts
472
-
- Action: sts:AssumeRole
571
+
- Action:
572
+
- sts:AssumeRole
573
+
Effect: Allow
574
+
Principal:
575
+
AWS:
576
+
Ref: TrustedAccounts
577
+
Condition:
578
+
Fn::If:
579
+
- ShouldDenyExternalId
580
+
- "Null":
581
+
sts:ExternalId: "true"
582
+
- Ref: AWS::NoValue
583
+
- Ref: AWS::NoValue
584
+
- Fn::If:
585
+
- HasTrustedAccounts
586
+
- Action:
587
+
- sts:TagSession
473
588
Effect: Allow
474
589
Principal:
475
590
AWS:
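Review bot: Same pattern as the three roles above, with the same style points (single-element `Action:` lists, reordered statements). One behavioural point worth calling out for this role: the Condition is applied to the AWS::AccountId principal statement and not only to the TrustedAccounts one, so in-account callers that pass an ExternalId are refused under the default as well; that is consistent with the parameter's stated purpose but deserves a line in the release notes alongside the cross-account case.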
@@ -639,7 +754,7 @@ Resources:
639
754
Type: String
640
755
Name:
641
756
Fn::Sub: /cdk-bootstrap/${Qualifier}/version
642
-
Value: "28"
757
+
Value: "29"
643
758
Outputs:
644
759
BucketName:
645
760
Description: The name of the S3 bucket owned by the CDK toolkit stack
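Review bot: Bumping the version parameter from "28" to "29" is right, since both the parameter set and every role trust policy changed, but the bump on its own does not tell an operator what the new version does. The changelog or bootstrap documentation should record the new DenyExternalId parameter, its default of "true", and that re-bootstrapping to v29 starts rejecting sts:AssumeRole calls on the CDK roles that carry an ExternalId unless the parameter is explicitly set to "false".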