Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[@aws_cdk.aws_backup]: BackupSelection default role policy #27900

Closed
2 tasks
annguyen36 opened this issue Nov 8, 2023 · 2 comments · Fixed by #27925
Closed
2 tasks

[@aws_cdk.aws_backup]: BackupSelection default role policy #27900

annguyen36 opened this issue Nov 8, 2023 · 2 comments · Fixed by #27925
Labels
@aws-cdk/aws-backup Related AWS Backup effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2

Comments

@annguyen36
Copy link

annguyen36 commented Nov 8, 2023
edited
Loading

Describe the feature

When creating the BackupSelection L2 construct, it allows to specify allowRestores and role props.
These 2 props will add to the Role (either specified role or auto-create by this construct) the following 2 AWS managed polices:

  • allowRestores: true > add by default: AWSBackupServiceRolePolicyForRestores
  • role specified or not specify > by default will have: AWSBackupServiceRolePolicyForBackup

I request having the default policy AWSBackupServiceRolePolicyForBackup removed
OR, to have an option to specify the policy for S3 backup only, that way we can easier specify the least-privilege policy that need for S3 service backup and restore:
AWSBackupServiceRolePolicyForRestores
AWSBackupServiceRolePolicyForS3Backup

Use Case

The case is when

  • create a BackupSelection for S3 service
  • the role either not specify to let it be created by default, or defined in the same stack
  • and we need a least privilege permission for this role in place to only allow S3 action.

Currently, by default, the role will have AWSBackupServiceRolePolicyForBackup added which has dynamodb, rds and other services permissions.

Proposed Solution

Currently, as a workaround, I raw override the ManagedPolicyArns to specified only 2 polices for S3 above:

    const plan = backup.BackupPlan.dailyWeeklyMonthly5YearRetention(this, 'Plan');
    const role = new iam.Role(this, 'backupRole', {
      assumedBy: new iam.ServicePrincipal('backup.amazonaws.com')
    })
    const backupSelection = new backup.BackupSelection(this, 'MyBackupSelection', {
      backupPlan: plan,
      resources: [
        backup.BackupResource.fromArn('arn:aws:s3:::my-test-bucket')
      ],
      backupSelectionName: 'backupSelection',
      role: role,
    });
    var json_list = ['arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Backup','arn:aws:iam::aws:policy/AWSBackupServiceRolePolicyForS3Restore']
    const overwrite_defined_cfn_role = backupSelection.stack.node.findChild('backupRole').node.findChild('Resource') as iam.CfnRole
    overwrite_defined_cfn_role.addOverride('Properties.ManagedPolicyArns',json_list)

Other Information

Found a somewhat similar issue here #25669, but the mutable is for importing existing role only.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.87.0

Environment details (OS name and version, etc.)

AL2
@annguyen36 annguyen36 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 8, 2023
@github-actions github-actions bot added the @aws-cdk/aws-backup Related AWS Backup label Nov 8, 2023
@khushail
Copy link
Contributor

khushail commented Nov 9, 2023

thanks @annguyen36 for reporting this.

@khushail khushail added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 9, 2023
@go-to-k go-to-k mentioned this issue Nov 10, 2023
Merged
@mergify mergify bot closed this as completed in #27925 Nov 21, 2023
mergify bot pushed a commit that referenced this issue Nov 21, 2023
@go-to-k
feat(backup): add disableDefaultBackupPolicy property to selection (#…
55ffb3c 
…27925)

This PR adds a new property `disableDefaultBackupPolicy` for `BackupSelection`. Setting this to true (a default value is  false) disables the default role policy `AWSBackupServiceRolePolicyForBackup` attachment.

Closes #27900.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@github-actions GitHub Actions
Copy link

⚠️COMMENT VISIBILITY WARNING⚠️

Comments on closed issues are hard for our team to see.
If you need more assistance, please either tag a team member or open a new issue that references this one.
If you wish to keep having a conversation with other community members under this issue feel free to do so.

@github-actions github-actions bot mentioned this issue Dec 1, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-backup Related AWS Backup effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(backup): add disableDefaultBackupPolicy property to selection go-to-k/aws-cdk
2 participants
@annguyen36 @khushail