custom-resource-handlers: IAM OIDC Provider reject unauthorized connection #32920
moelasmar pushed a commit that referenced this issue on Jan 24, 2025:

…or iam OIDC connection (under feature flag) (#32921)

### Issue # (if applicable)
Closes #32920

### Reason for this change
Follow security best practices to disable allowing unauthorized connections.

### Description of changes
Create a new feature flag; starting with the new feature, we will disable unauthorized connections.

### Describe any new or updated permissions being added
N/A

### Description of how you validated changes
New integ and unit tests. Updated old tests.

### Checklist
- [ ] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

(cherry picked from commit 3e4f377)
Describe the bug
The current implementation allows unauthorized connections in the IAM OIDC Provider. These options lead to a vulnerability and should not be used. Although this code runs in a custom resource Lambda handler and there shouldn't be any real impact, we should still follow the best practice of rejecting unauthorized connections.

```
packages/@aws-cdk/custom-resource-handlers/lib/aws-iam/oidc-handler/external.ts
❯❱ problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
   Checks for setting the environment variable NODE_TLS_REJECT_UNAUTHORIZED to 0, which disables TLS
   verification. This should only be used for debugging purposes. Setting the option rejectUnauthorized
   to false bypasses verification against the list of trusted CAs, which also leads to insecure
   transport.
```
Regression Issue
Last Known Working CDK Version
No response
Expected Behavior
Reject unauthorized OIDC connection
Current Behavior
Allow unauthorized OIDC connection
Reproduction Steps
N/A
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
any
Framework Version
No response
Node.js Version
Node 20
OS
MacOs
Language
TypeScript
Language Version
No response
Other information
No response
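The Semgrep finding above names two ways TLS verification gets switched off in a Node handler: the process-wide `NODE_TLS_REJECT_UNAUTHORIZED=0` environment variable and a per-socket `rejectUnauthorized: false`. For an OIDC provider handler the consequence is concrete: the handler connects to the issuer only to read the certificate chain and store its thumbprint in IAM, so an on-path attacker who can present any certificate gets to choose the thumbprint IAM will later trust. The following is an added example, written for this page and not taken from the CDK handler, the linked PR, or the feature flag it introduces; the helper names (`auditTlsSettings`, `tlsOptionsForIssuer`, `certChain`, `thumbprintOfDer`, `normalizeFingerprint`, `fetchIssuerThumbprints`) are assumptions. It shows the audit a handler can run before connecting, the corrected options with verification hard-coded on, and a chain walk that works on Node's `getPeerCertificate(true)` result.

```typescript
import * as tls from 'node:tls';
import { createHash } from 'node:crypto';

// Added example (not the CDK handler's code). Hypothetical helpers for fetching an
// OIDC issuer's certificate thumbprint with TLS verification left on, plus the
// same check the Semgrep rule performs, so a handler can fail closed before it connects.

/** Minimal view of a certificate in a chain; tls.DetailedPeerCertificate fits it. */
export interface CertNode {
  raw: Buffer;                    // DER-encoded certificate
  issuerCertificate?: CertNode;   // next cert up; a self-signed root points at itself
}

export interface TlsFinding { rule: string; detail: string; }

/** The two settings the finding on external.ts is about, checked before any connect(). */
export function auditTlsSettings(
  opts: { rejectUnauthorized?: boolean },
  env: NodeJS.ProcessEnv = process.env,
): TlsFinding[] {
  const findings: TlsFinding[] = [];
  if (env.NODE_TLS_REJECT_UNAUTHORIZED === '0') {
    findings.push({ rule: 'bypass-tls-verification', detail: 'NODE_TLS_REJECT_UNAUTHORIZED=0 disables verification process-wide' });
  }
  if (opts.rejectUnauthorized === false) {
    findings.push({ rule: 'bypass-tls-verification', detail: 'rejectUnauthorized: false skips the trusted-CA check on this socket' });
  }
  return findings;
}

/** tls.connect options for an issuer URL: https only, verification always on. */
export function tlsOptionsForIssuer(issuerUrl: string): tls.ConnectionOptions & { host: string; port: number } {
  const u = new URL(issuerUrl);
  if (u.protocol !== 'https:') throw new Error(`issuer URL must use https, got ${issuerUrl}`);
  return {
    host: u.hostname,
    port: u.port ? Number.parseInt(u.port, 10) : 443,
    servername: u.hostname,      // SNI, and the name the certificate is checked against
    rejectUnauthorized: true,    // the corrected setting; never derived from caller input
  };
}

/** Leaf-first chain as presented; stops at a self-signed root or a repeated node. */
export function certChain(leaf: CertNode): CertNode[] {
  const chain: CertNode[] = [];
  const seen = new Set<CertNode>();
  let cert: CertNode | undefined = leaf;
  while (cert && !seen.has(cert)) {
    seen.add(cert);
    chain.push(cert);
    cert = cert.issuerCertificate;
  }
  return chain;
}

/** IAM thumbprint format: hex SHA-1 of the DER certificate, no separators. */
export function thumbprintOfDer(der: Buffer): string {
  return createHash('sha1').update(der).digest('hex');
}

/** Node reports cert.fingerprint as "AB:CD:..."; IAM wants the separators removed. */
export function normalizeFingerprint(fp: string): string {
  return fp.split(':').join('').toLowerCase();
}

/** Connects to the issuer and returns the chain's thumbprints, leaf first.
 *  Which entry to register with IAM is the caller's decision (see the IAM OIDC provider docs). */
export function fetchIssuerThumbprints(issuerUrl: string): Promise<string[]> {
  const opts = tlsOptionsForIssuer(issuerUrl);
  const findings = auditTlsSettings(opts);
  if (findings.length > 0) {
    return Promise.reject(new Error(findings.map(f => f.detail).join('; ')));
  }
  return new Promise((resolve, reject) => {
    const socket = tls.connect(opts, () => {
      // With rejectUnauthorized: true a bad chain never reaches this callback;
      // re-checking costs nothing and guards against the option being edited later.
      if (!socket.authorized) {
        socket.destroy();
        return reject(new Error(`issuer certificate not authorized: ${socket.authorizationError}`));
      }
      const chain = certChain(socket.getPeerCertificate(true));
      socket.end();
      resolve(chain.map(c => thumbprintOfDer(c.raw)));
    });
    socket.once('error', reject);
  });
}
```

The environment variable check matters even when the handler's own options are correct: `NODE_TLS_REJECT_UNAUTHORIZED=0` set on the Lambda function overrides `rejectUnauthorized: true` for every socket in the process, so a handler that wants to fail closed has to look at both.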