Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

aws-route53: restrict domain names in cross-account delegation #28078

Open
1 of 2 tasks
marcogrcr opened this issue Nov 21, 2023 · 0 comments
Open
1 of 2 tasks

aws-route53: restrict domain names in cross-account delegation #28078

marcogrcr opened this issue Nov 21, 2023 · 0 comments
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3

Comments

@marcogrcr
Copy link

marcogrcr commented Nov 21, 2023
edited
Loading

Describe the feature

IHostedZone has a convenient grantDelegation() method for granting an IAM role the necessary permissions for cross-account delegation. I would like to be able to restrict the names of the NS records that the grantee role can UPSERT and DELETE.

Use Case

Take the following infrastructure:

  • Root account: example.com
  • Beta account: beta.example.com
  • Prod account: prod.example.com

I want to make sure that the IAM role assumed from the Beta account can only UPSERT and DELETE the NS record beta.example.com and not prod.example.com. This way I can be certain that if the Beta account is compromised, there will be no impact to the production domain.

Proposed Solution

Add a backwards compatible parameter to grantDelegation() that would allow a user to optionally add this restriction. For example:

const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'example.com',
});

const betaCrossAccountRole = new iam.Role(this, 'BetaCrossAccountRole', {
  // ...
});
parentZone.grantDelegation(betaCrossAccountRole, route53.DelegationGrantNames.ofEquals('beta.example.com'));

const prodCrossAccountRole = new iam.Role(this, 'ProdCrossAccountRole', {
  // ...
});
parentZone.grantDelegation(prodCrossAccountRole, route53.DelegationGrantNames.ofEquals('prod.example.com'));

Internally, the grant would add the route53:ChangeResourceRecordSetsNormalizedRecordNames condition key with the specified names.

The DelegationGrantNames is a new class that allows the user to specify exact name matching (i.e. ForAllValues:StringEquals) or pattern matching (i.e. ForAllValues:StringLike). It's design would be based on the pattern used by aws-cdk-lib » aws_dynamodb » Billing:

For example:

abstract class DelegationGrantNames {
  public static ofEquals(...names: string[]): DelegationGrantNames;
  public static ofLike(...names: string[]): DelegationGrantNames;
}

Other Information

No response

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.110.0

Environment details (OS name and version, etc.)

Apple Silicon / macOS 14.1.1 / nodejs 20.9.0
@marcogrcr marcogrcr added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2023
@github-actions github-actions bot added the @aws-cdk/aws-route53 Related to Amazon Route 53 label Nov 21, 2023
marcogrcr added a commit to marcogrcr/aws-cdk that referenced this issue Nov 21, 2023
@marcogrcr
feat(route53): add DelegationGrantNames
f7c5109 
Adds a backwards compatible parameter to `IHostedZone.grantDelegation()`
in order to restrict the `NS` records with `UPSERT`/`DELETE` access.

This addresses aws#28078
@marcogrcr marcogrcr mentioned this issue Nov 21, 2023
Closed
marcogrcr added a commit to marcogrcr/aws-cdk that referenced this issue Nov 21, 2023
@marcogrcr
feat(route53): add DelegationGrantNames
ef6dd02 
Adds a backwards compatible parameter to `IHostedZone.grantDelegation()`
in order to restrict the `NS` records with `UPSERT`/`DELETE` access.

This addresses aws#28078
@marcogrcr marcogrcr mentioned this issue Nov 21, 2023
Closed
@marcogrcr marcogrcr changed the title aws-route53: allow to restrict the domain names in cross-account delegation aws-route53: restrict domain names in cross-account delegation Nov 21, 2023
@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Nov 21, 2023
@github-actions github-actions bot mentioned this issue Dec 1, 2023
Closed
@pahud pahud added p3 and removed p2 labels Jun 11, 2024
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 effort/medium Medium work item – several days of effort feature-request A feature should be added or improved. p3
Projects
None yet
Milestone
No milestone
2 participants
@pahud @marcogrcr