docs(permissions): align PERMISSIONS.md with what the developer policy actually grants#1696
Conversation
Package TarballHow to installgh release download pr-1696-tarball --repo aws/agentcore-cli --pattern "*.tgz" --dir /tmp/pr-tarball
npm install -g /tmp/pr-tarball/aws-agentcore-0.22.0.tgz |
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Thanks for putting together a thorough audit — the SID-by-SID mapping and the destroy CLI command that doesn't exist (the CLI uses remove / remove all). See the two inline comments — they're the same nit in two places.
Everything else I spot-checked (all Sids present in iam-policy-user.json, every action in AgentCoreResourceManagement / HttpGatewayIamRoleManagement / CustomJwtCognitoSetup / HarnessManagement / ConfigBundleManagement / SecretsManager accounted for in the new reference tables, anchor links resolve including the two ### CloudFormation headers disambiguating cleanly, and the new BedrockModelInvocation rows match the policy) looked accurate.
Coverage Report
|
…n actually grants The developer policy (docs/policies/iam-policy-user.json) drifted well beyond what PERMISSIONS.md described, after #1092 synced the e2e test runner's permission set into the shipped customer policy. Statements like HttpGatewayIamRoleManagement (iam:CreateRole/PassRole on role/AgentCore-*), CloudFormationFull (cloudformation:*), a broad SecretsManager grant on *, AgentCoreResourceManagement, HarnessManagement/HarnessPassRole (iam:PassRole on role/*), CustomJwtCognitoSetup, ConfigBundleManagement, and the ImportTest* test statements were all undocumented. This documents every statement the policy actually grants: - Expands the high-level bullet list and adds an explicit warning that the policy is a permissive superset (shared with the e2e suite), not a least-privilege policy, and can enable privilege escalation via IAM role creation. - Adds reference tables for AgentCore resource management, configuration bundles, harnesses, full CloudFormation, HTTP gateway IAM role management, Custom JWT/Cognito setup, the broad Secrets Manager grant, and the e2e-only test statements. - Extends the 'Scoping down by feature' table so admins can trim the now-documented statements toward least privilege. Closes #1683
4f9dd96 to
b3fcfcc
Compare
|
Claude Security Review: no high-confidence findings. (run) |
agentcore-cli-automation
left a comment
There was a problem hiding this comment.
Verified this against origin/main's docs/policies/iam-policy-user.json:
- All 31
Sids in the policy are either newly documented here or already covered by pre-existing sections (CloudFormationTemplateVerificationis subsumed by the newCloudFormationFullcoverage, and the duplicateBatchEvalAndRecommendation/BatchEvalAndRecommendationsSids are both covered by the existing Batch evaluation section). - Action lists in the new tables (
AgentCoreResourceManagement,HttpGatewayIamRoleManagement,HarnessManagement/HarnessPassRole,ConfigBundleManagement,CustomJwtCognitoSetup,SecretsManager,ImportTest*) match the policy exactly, including resource scopes and theiam:PassedToServiceconditions. - Anchor links resolve. The two
### CloudFormationheadings disambiguate cleanly —#cloudformationresolves to the CFN-execution-role narrow-actions section (which is the intended target of the "narrowcloudformation:*toward the specific actions listed under…" pointer at line 198), and the new full-lifecycle section gets#cloudformation-full-lifecycle. - The privilege-escalation callout accurately reflects that
HttpGatewayIamRoleManagement(iam:CreateRole+iam:PutRolePolicyonrole/AgentCore-*) combined withHarnessPassRole(iam:PassRoleonrole/*) is a real escalation path worth flagging.
No new serious issues from me. The one open thread I'd flag — the destroy → remove factual issue in the CLI Commands column at line 551 — is already covered by the earlier inline comment from agentcore-cli-automation. The author's reply about CFN vocabulary is fair for the prose at line 52, but the column at line 551 is explicitly labeled "CLI Commands" and the CLI doesn't have a destroy command (there's even a regression test in src/cli/commands/deploy/__tests__/deploy-teardown.test.ts asserting this), so that one still stands. Deferring to the author on how to handle since it's already been raised.
Approving — docs-only, accurate, no blockers beyond what's already been surfaced.
Summary
Fixes #1683.
docs/PERMISSIONS.mddescribed the developer policy (docs/policies/iam-policy-user.json) as a narrow, least-privilege set, but the policy actually grants far more — including IAM role creation,cloudformation:*, and unscoped Secrets Manager access. This PR aligns the documentation with what the policy actually grants.Root cause
The drift was introduced by #1092 ("fix: sync e2e IAM policy"), which merged the end-to-end test runner's permission set into the shipped customer-facing policy (+164 lines). That pulled in statements that were never documented:
HttpGatewayIamRoleManagement—iam:CreateRole/DeleteRole/PutRolePolicy/PassRoleonrole/AgentCore-*(the escalation path the reporter flagged)HarnessManagement/HarnessPassRole—iam:PassRoleonrole/*CloudFormationFull—cloudformation:*on*SecretsManager—secretsmanager:GetSecretValue/CreateSecret/DeleteSecreton*AgentCoreResourceManagement,CustomJwtCognitoSetup,ConfigBundleManagementImportTestIam/ImportTestPassRole/ImportTestS3— pure e2e test scaffolding (role/bugbash-agentcore-role)What this PR does (docs only)
Testing
Sidiniam-policy-user.jsonis now represented inPERMISSIONS.md.printWidth: 120,proseWrap: always).