Commit d03c6d3
Restrict Glue IAM permissions for pivot role (data-dot-all#1189) and Restrict RAM IAM permissions in pivot role data-dot-all#1195 (data-dot-all#1853)
# Restrict Glue IAM permissions for pivot role
**Fixes:** data-dot-all#1189, data-dot-all#1195
## Summary data-dot-all#1189
Replaced wildcard Glue actions and resources with specific permissions
to address Checkov CKV_AWS_111 security violations while maintaining
full functionality and preserving the Lake Formation governance model.
---
## Changes Made
### Security Improvements
1. **Scoped Glue resources to account level:**
- **Before:** `resources=['*']` (global wildcard)
- **After:**
```python
iam.PolicyStatement(
    sid='GlueCatalog',
    effect=iam.Effect.ALLOW,
    actions=[
        'glue:BatchGetPartition',
        'glue:GetDatabase',
        'glue:GetDatabases',
        'glue:GetTable',
        'glue:GetTables',
        'glue:GetPartition',
        'glue:GetPartitions',
        'glue:GetCatalogImportStatus',
        'glue:ListDatabases',
        'glue:ListTables',
        'glue:ListPartitions',
        'glue:SearchTables',
        'glue:UpdateDatabase',
        'glue:UpdatePartition',
        'glue:UpdateTable',
        'glue:TagResource',
        'glue:DeleteResourcePolicy',
        'glue:PutResourcePolicy',
    ],
    resources=[
        f'arn:aws:glue:*:{self.account}:catalog',
        f'arn:aws:glue:*:{self.account}:database/*',
        f'arn:aws:glue:*:{self.account}:table/*/*',
    ],
)
```
2. **Lake Formation Permissions**
- **Before:** `resources=['*']` (global wildcard)
- **After:** scoped to explicitly listed ARNs for:
  - Catalog
  - Databases
  - Tables
  - Data locations
  - LF tags
```python
iam.PolicyStatement(
    sid='LakeFormation',
    effect=iam.Effect.ALLOW,
    actions=[
        'lakeformation:UpdateResource',
        'lakeformation:DescribeResource',
        'lakeformation:AddLFTagsToResource',
        'lakeformation:RemoveLFTagsFromResource',
        'lakeformation:GetResourceLFTags',
        'lakeformation:ListLFTags',
        'lakeformation:CreateLFTag',
        'lakeformation:GetLFTag',
        'lakeformation:UpdateLFTag',
        'lakeformation:DeleteLFTag',
        'lakeformation:SearchTablesByLFTags',
        'lakeformation:SearchDatabasesByLFTags',
        'lakeformation:ListResources',
        'lakeformation:ListPermissions',
        'lakeformation:GrantPermissions',
        'lakeformation:BatchGrantPermissions',
        'lakeformation:RevokePermissions',
        'lakeformation:BatchRevokePermissions',
        'lakeformation:PutDataLakeSettings',
        'lakeformation:GetDataLakeSettings',
        'lakeformation:GetDataAccess',
        'lakeformation:GetWorkUnits',
        'lakeformation:StartQueryPlanning',
        'lakeformation:GetWorkUnitResults',
        'lakeformation:GetQueryState',
        'lakeformation:GetQueryStatistics',
        'lakeformation:GetTableObjects',
        'lakeformation:UpdateTableObjects',
        'lakeformation:DeleteObjectsOnCancel',
    ],
    resources=[
        f'arn:aws:lakeformation:{self.region}:{self.account}:catalog',
        f'arn:aws:lakeformation:{self.region}:{self.account}:catalog:{self.account}',
        f'arn:aws:lakeformation:{self.region}:{self.account}:database/*',
        f'arn:aws:lakeformation:{self.region}:{self.account}:table/*/*',
        f'arn:aws:lakeformation:{self.region}:{self.account}:data-location/*',
        f'arn:aws:lakeformation:{self.region}:{self.account}:lf-tag/*',
    ],
)
```
3. **Glue ETL permissions**
- **Before:** no explicit permissions (it worked because of `glue:*`)
- **After:**
```json
"Action": [
    "glue:StartCrawler",
    "glue:StartJobRun",
    "glue:StartTrigger",
    "glue:UpdateTrigger",
    "glue:UpdateJob",
    "glue:UpdateCrawler",
    "glue:GetCrawler"
]
```
4. **Changes Made**
- `dataall/backend/dataall/modules/s3_datasets/cdk/pivot_role_datasets_policy.py`
5. **Security Impact**
- Resolves Checkov CKV_AWS_111 violations for pivot role policy
- Eliminates cross-account access (resources scoped to account)
- Prevents access to unrelated Glue resources in other accounts
- Maintains account-level operational flexibility for database management
- Preserves Lake Formation governance (LF controls actual data access)
6. **Testing**
- Checkov scan passes for pivot role policy (CKV_AWS_111)
- Dataset creation/import workflows verified functional
- Lake Formation permissions remain intact
- Cross-account isolation verified
7. **Backward Compatibility**
- No breaking changes – all existing functionality preserved
- No configuration changes required
- Deployment safe – tested with import dataset workflows
**Validation Process**
- Got my AWS credentials loaded into my terminal.
- Performed `cdk synth`, which created the `cdk.out` folder with all deployment files.
- From the producer AWS environment account (with S3 bucket, Glue DB, etc.), copied all the Pivot Role's YAML policies from the Pivot Role's CF stack and pasted them into my data.all working directory.
- From the same account, copied the dataset YAML file and the environment's YAML file and pasted them into my data.all working directory.
- Temporarily removed/replaced the checkov.baseline file.
- Performed the Checkov command to scan all the files and check the findings.
- Filtered on all CKV_AWS_111 findings.
- Pasted all findings into a .txt or .doc file and shared with @TejasRGitHub.
**Validation Commands:**
```
➜ dataallforked git:(chkovfx-glue-1189) ✗ # Verify NO Glue/KMS/LakeFormation failures remain
echo "=== CKV_AWS_111 Glue/KMS/LakeFormation Validation ==="
echo "Dataset Template Glue/KMS failures:"
grep -A1 "CKV_AWS_111" dataset_template.out | grep "FAILED" | grep -E "(glue|kms|lakeformation)" || echo "NONE"
echo "Environment Template Glue/KMS failures:"
grep -A1 "CKV_AWS_111" data-all-env-template.out | grep "FAILED" | grep -E "(glue|kms|lakeformation)" || echo "NONE"
echo "Pivot Role Template Glue/KMS failures:"
grep -A1 "CKV_AWS_111" data-all-pivot-role-template.out | grep "FAILED" | grep -E "(glue|kms|lakeformation)" || echo "NONE"
=== CKV_AWS_111 Glue/KMS/LakeFormation Validation ===
Dataset Template Glue/KMS failures:
NONE
Environment Template Glue/KMS failures:
NONE
Pivot Role Template Glue/KMS failures:
NONE
```
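To see what the Checkov finding above actually keys on, here is an added illustration (not Checkov's implementation and not data.all code): a simplified check in the spirit of CKV_AWS_111 that flags Allow statements granting a write action on Resource `*`, run over constructed policy documents that mirror the commit's Before and After Glue statements. The account id and the read-verb prefixes are assumptions.

```python
# Added illustration, not Checkov's implementation and not data.all code:
# a simplified check in the spirit of CKV_AWS_111 that flags Allow
# statements granting a write action on Resource "*".

READ_PREFIXES = ("Get", "List", "Describe", "BatchGet", "Search")  # assumption


def is_write_action(action: str) -> bool:
    """True for anything that is not a plain read, including 'glue:*' and '*'."""
    _service, _, verb = action.partition(":")
    return verb in ("", "*") or not verb.startswith(READ_PREFIXES)


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def wildcard_write_statements(policy: dict) -> list:
    """Return Sids of Allow statements with a write action on Resource '*'."""
    flagged = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource"))
        actions = _as_list(stmt.get("Action"))
        if "*" in resources and any(is_write_action(a) for a in actions):
            flagged.append(stmt.get("Sid", "<no sid>"))
    return flagged


# Constructed policy documents mirroring the commit's Before and After
# (the account id is a placeholder).
BEFORE = {"Statement": [{"Sid": "GlueCatalog", "Effect": "Allow",
                         "Action": ["glue:*"], "Resource": ["*"]}]}
AFTER = {"Statement": [{"Sid": "GlueCatalog", "Effect": "Allow",
                        "Action": ["glue:GetTable", "glue:UpdateTable",
                                   "glue:PutResourcePolicy"],
                        "Resource": ["arn:aws:glue:*:111122223333:catalog",
                                     "arn:aws:glue:*:111122223333:database/*"]}]}
# A read-only statement on "*" is not a write-without-constraint finding.
READ_ONLY = {"Statement": [{"Sid": "GlueRead", "Effect": "Allow",
                            "Action": ["glue:GetDatabases"], "Resource": "*"}]}

if __name__ == "__main__":
    print(wildcard_write_statements(BEFORE))     # ['GlueCatalog']
    print(wildcard_write_statements(AFTER))      # []
    print(wildcard_write_statements(READ_ONLY))  # []
```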
## Summary data-dot-all#1195
The policy restricts resource sharing to specific, same-account
LakeFormation and environment-prefixed shares, with
ram:EnableSharingWithAwsOrganization further constrained by region.
---
## Changes Made
### Security Improvements
### Before
```python
iam.PolicyStatement(
    sid='RamInvitations',
    effect=iam.Effect.ALLOW,
    actions=[
        'ram:AcceptResourceShareInvitation',
        'ram:RejectResourceShareInvitation',
        'ram:EnableSharingWithAwsOrganization',
    ],
    resources=['*'],  # Unrestricted
)
```
### After
```python
iam.PolicyStatement(
    sid='RamInvitations',
    effect=iam.Effect.ALLOW,
    actions=[
        'ram:AcceptResourceShareInvitation',
        'ram:RejectResourceShareInvitation',
    ],
    resources=[f'arn:aws:ram:*:{self.account}:resource-share-invitation/*'],  # Scoped
    conditions={
        'StringEquals': {
            'aws:ResourceAccount': [f'{self.account}'],
        },
        'ForAllValues:StringLike': {
            'ram:ResourceShareName': ['LakeFormation*', f'{self.env_resource_prefix}*'],
        },
    },
)
```
## Changes
- Resource Scoping: Limited to specific resource-share-invitation ARNs within the account.
- Account Restriction: Added `aws:ResourceAccount` condition to prevent cross-account abuse.
- Resource Share Filtering: Restricted to LakeFormation and environment-prefixed shares only.
- Action Separation: Moved `ram:EnableSharingWithAwsOrganization` to a separate statement with region constraints.
## Files Updated
- `backend/dataall/modules/s3_datasets_shares/cdk/pivot_role_data_sharing_policy.py` – Security constraints applied.
## Verification Results
- Checkov Scan: CDK-generated pivot role template passes all security checks.
- 30 checks passed, 0 RAM permission violations.
- CKV_AWS_111 and CKV_AWS_109 compliance confirmed.
- All RAM actions properly constrained with conditions.

1 parent 4acd7ae, commit d03c6d3, 2 files changed: 32 additions & 7 deletions