fix(scheduler-targets-alpha): scope down permissions for sqs and kine…

…sis stream targets (#32122) ### Issue # (if applicable) Tracking #31785 ### Reason for this change We want to enforce principle of least privilege when granting target actions to the scheduler execution role. From the Scheduler docs, only `kinesis:PutRecord` and `sqs:SendMessage` are required. Previously we were using built-in grant methods for these targets that granted additional permissions. If wider permissions are needed the user can always provide their own IAM role for the scheduler to use. KMS permissions references from service docs: - Kinesis stream: https://docs.aws.amazon.com/streams/latest/dev/permissions-user-key-KMS.html#example-producer-permissions - SQS Queue: https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html#sqs-what-permissions-for-sse ### Description of changes - Explicitly grant only the necessary target permissions - If target uses customer-managed key for SSEKMS, grant key permissions to role as well ### Description of how you validated changes - updated unit tests - deployed stacks with SSEKMS targets and verified the scheduled actions succeed ### Checklist - [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md) ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
aws · Nov 15, 2024 · 6bb142e · 6bb142e
1 parent 1bbb456
commit 6bb142e
Show file tree

Hide file tree

Showing 27 changed files with 160 additions and 121 deletions.
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/kinesis-stream-put-record.ts
@@ -34,7 +34,8 @@ export class KinesisStreamPutRecord extends ScheduleTargetBase implements ISched
   }
 
   protected addTargetActionToRole(role: IRole): void {
-    this.stream.grantWrite(role);
+    this.stream.grant(role, 'kinesis:PutRecord', 'kinesis:PutRecords');
+    this.stream.encryptionKey?.grant(role, 'kms:GenerateDataKey*');
   }
 
   protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {

diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/sqs-send-message.ts
@@ -49,7 +49,8 @@ export class SqsSendMessage extends ScheduleTargetBase implements IScheduleTarge
   }
 
   protected addTargetActionToRole(role: IRole): void {
-    this.queue.grantSendMessages(role);
+    this.queue.grant(role, 'sqs:SendMessage');
+    this.queue.encryptionMasterKey?.grant(role, 'kms:Decrypt', 'kms:GenerateDataKey*');
   }
 
   protected bindBaseTargetConfig(_schedule: ISchedule): ScheduleTargetConfig {

diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/lib/target.ts
@@ -16,10 +16,6 @@ export interface ScheduleTargetBaseProps {
    * permissions to interact with the templated target. If you wish you may specify your own IAM role, then the templated targets
    * will grant minimal required permissions.
    *
-   * Universal target automatically create an IAM role if you do not specify your own IAM role.
-   * However, in comparison with templated targets, for universal targets you must grant the required
-   * IAM permissions yourself.
-   *
    * @default - created by target
    */
   readonly role?: iam.IRole;

diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.inspector-start-assessment-run.ts
@@ -44,5 +44,3 @@ integrationTest.assertions.awsApiCall('Inspector', 'listAssessmentRuns', {
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),
 });
-
-app.synth();
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-data-firehose-put-record.ts
@@ -69,5 +69,3 @@ if (objects instanceof AwsApiCall && objects.waiterProvider) {
     Resource: ['*'],
   });
 }
-
-app.synth();
diff --git a/...am-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json b/...am-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.assets.json
diff --git a/...-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json b/...-put-record.js.snapshot/aws-cdk-scheduler-targets-kinesis-stream-put-record.template.json
@@ -19,8 +19,8 @@
      ]
     }
    },
-   "UpdateReplacePolicy": "Retain",
-   "DeletionPolicy": "Retain"
+   "UpdateReplacePolicy": "Delete",
+   "DeletionPolicy": "Delete"
   },
   "Schedule83A77FD1": {
    "Type": "AWS::Scheduler::Schedule",
@@ -106,7 +106,6 @@
      "Statement": [
       {
        "Action": [
-        "kinesis:ListShards",
         "kinesis:PutRecord",
         "kinesis:PutRecords"
        ],

diff --git a/...snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json b/...snapshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.assets.json
diff --git a/...apshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json b/...apshot/integrationtestkinesisstreamputrecordDefaultTestDeployAssert6B5E163F.template.json
diff --git a/...ws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json b/...ws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/manifest.json
diff --git a/...dk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json b/...dk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.js.snapshot/tree.json
diff --git a/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts b/packages/@aws-cdk/aws-scheduler-targets-alpha/test/integ.kinesis-stream-put-record.ts
@@ -21,6 +21,7 @@ const partitionKey = 'key';
 const stream = new Stream(stack, 'MyStream', {
   streamName,
   shardCount: 1,
+  removalPolicy: cdk.RemovalPolicy.DESTROY,
 });
 
 new scheduler.Schedule(stack, 'Schedule', {
@@ -58,4 +59,3 @@ getRecords.assertAtPath(
   totalTimeout: cdk.Duration.minutes(10),
 });
 
-app.synth();
diff --git a/...es/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts b/...es/@aws-cdk/aws-scheduler-targets-alpha/test/integ.sage-maker-start-pipeline-execution.ts
@@ -135,5 +135,3 @@ integrationTest.assertions.awsApiCall('Sagemaker', 'listPipelineExecutions', {
   interval: cdk.Duration.seconds(30),
   totalTimeout: cdk.Duration.minutes(10),
 });
-
-app.synth();
diff --git a/...r-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json b/...r-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.assets.json
diff --git a/...targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json b/...targets-alpha/test/integ.schedule-with-dlq.js.snapshot/aws-cdk-schedule-dlq.template.json
@@ -27,29 +27,23 @@
    "Properties": {
     "PolicyDocument": {
      "Statement": [
-      {
-       "Action": [
-        "sqs:GetQueueAttributes",
-        "sqs:GetQueueUrl",
-        "sqs:SendMessage"
-       ],
-       "Effect": "Allow",
-       "Resource": {
-        "Fn::GetAtt": [
-         "ScheduleTargetQueueFA42B954",
-         "Arn"
-        ]
-       }
-      },
       {
        "Action": "sqs:SendMessage",
        "Effect": "Allow",
-       "Resource": {
-        "Fn::GetAtt": [
-         "ScheduleDeadLetterQueue0D6B48D2",
-         "Arn"
-        ]
-       }
+       "Resource": [
+        {
+         "Fn::GetAtt": [
+          "ScheduleDeadLetterQueue0D6B48D2",
+          "Arn"
+         ]
+        },
+        {
+         "Fn::GetAtt": [
+          "ScheduleTargetQueueFA42B954",
+          "Arn"
+         ]
+        }
+       ]
       }
      ],
      "Version": "2012-10-17"

diff --git a/...dule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json b/...dule-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.assets.json
diff --git a/...le-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json b/...le-with-dlq.js.snapshot/integtestscheduledlqDefaultTestDeployAssertC769CF31.template.json
diff --git a/...ws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json b/...ws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/manifest.json
diff --git a/...s/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json b/...s/@aws-cdk/aws-scheduler-targets-alpha/test/integ.schedule-with-dlq.js.snapshot/tree.json
diff --git a/...eduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json b/...eduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.assets.json
diff --git a/...uler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json b/...uler-targets-alpha/test/integ.sqs-send-message.js.snapshot/aws-cdk-schedule.template.json
@@ -92,11 +92,7 @@
     "PolicyDocument": {
      "Statement": [
       {
-       "Action": [
-        "sqs:GetQueueAttributes",
-        "sqs:GetQueueUrl",
-        "sqs:SendMessage"
-       ],
+       "Action": "sqs:SendMessage",
        "Effect": "Allow",
        "Resource": {
         "Fn::GetAtt": [

diff --git a/...s-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json b/...s-send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.assets.json
diff --git a/...send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json b/...send-message.js.snapshot/integsqssendmessageDefaultTestDeployAssert883D0D33.template.json
diff --git a/...aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json b/...aws-cdk/aws-scheduler-targets-alpha/test/integ.sqs-send-message.js.snapshot/manifest.json