Comments (4)
OK, thank you!
from cloudfront-authorization-at-edge.
Hi @zolaer9527
Thanks for the report. Here's our findings:
You mention as first step executing this from CloudShell:
aws sts assume-role --role-arn "arn:aws:iam::747955086145:role/serverlessrepo-cloudfront-LambdaCodeUpdateHandlerR-MTRLVJ4XJCPJ" --role-session-name CLISession
But that is impossible, because that role can only be assumed by the AWS Lambda service (via the trust relationships of the role), so you must have already altered the trust relationship of the role to allow the role to be assumed by your AWS console user?
Here is the definition of the Lambda function:
cloudfront-authorization-at-edge/template.yaml
Line 1144 in 1adb1ed
You can indeed log the credentials from a Lambda function, and then use those credentials to do what the Lambda function is allowed to do. Normally you wouldn't do this, but as developer with admin privileges you could if you wanted to. There's no surprise there though? Note that this requires you to alter the Lambda function code, to add that logging. Threat actors would not be able to do that.
I believe your scenario is not a plausible threat, unless your AWS account is compromised (in which case you have more pressing concerns):
- Threat actors do not have access to update the trust relationships of the role
- Threat actors cannot assume the role from AWS CloudShell without already being in the AWS console, and having AWS credentials with which they can do very bad things (assuming roles that they weren't supposed to assume)
- Threat actors cannot alter the Lambda function code without already having AWS credentials with which they can do very bad things (changing Lambda function code)
Back to the role itself: the permissions it has are necessary and required for deployment of the solution with CloudFormation. It needs the "lambda:UpdateFunctionCode" permission.
You are right that Lambda function code signing is an option to ensure with great confidence that only code you trust is deployed to Lambda––if you require that level of assurance. This however is beyond the scope of this sample solution. If you want to add it, you can take this sample solution and tweak it to suit your needs.
I will close this issue, let us know if the above didn't address your concern satisfactorily.
Hello @ottokruse, in the trust relationships of the role, I find the principal is "Service": "lambda.amazonaws.com". Does this mean that the role can be assumed by all AWS Lambda functions? If not, how does AWS implement one-on-one binding between a function and a role?
Does this mean that the role can be assumed by all AWS Lambda functions
Yes, but only by Lambda functions within the account.
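The point of the last answer is that a trust policy whose only principal is "Service": "lambda.amazonaws.com" lets any Lambda function in the account assume the role; pinning it to one function is done with the aws:SourceArn / aws:SourceAccount condition keys that Lambda sets when it assumes an execution role. The following check, an added example not taken from this project, scans a trust policy document for sts:AssumeRole grants to service principals that lack those conditions; both policies and the account id / function ARN in them are constructed for illustration.

```python
import json

# Constructed trust policy matching the thread: any Lambda in the account may assume it.
WEAK_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed hardened variant: same principal, pinned to one function in one account.
PINNED_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "lambda.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": "111111111111"},
            "ArnLike": {"aws:SourceArn": "arn:aws:lambda:us-east-1:111111111111:function:my-function"},
        },
    }],
})


def unpinned_service_principals(trust_policy_json: str) -> list[str]:
    """Return service principals that may assume the role with no
    aws:SourceArn / aws:SourceAccount condition limiting the caller."""
    doc = json.loads(trust_policy_json)
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        # A bare "*" principal is not a service principal; it is a separate (worse) finding.
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        services = [services] if isinstance(services, str) else services
        # Condition keys are case-insensitive in IAM, so normalise before comparing.
        cond_keys = {k.lower() for op in stmt.get("Condition", {}).values() for k in op}
        if cond_keys & {"aws:sourcearn", "aws:sourceaccount"}:
            continue
        findings.extend(services)
    return findings
```

Run it over the AssumeRolePolicyDocument of each role returned by iam:ListRoles to find execution roles that any function in the account could use.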