
aws-route53: Include CrossAccountRole scope-down guidance #28596

Closed
miiiak opened this issue Jan 5, 2024 · 4 comments · Fixed by #28624
Labels
@aws-cdk/aws-route53 Related to Amazon Route 53 documentation This is a problem with documentation. effort/medium Medium work item – several days of effort p2

Comments

@miiiak
Contributor

miiiak commented Jan 5, 2024

Describe the issue

The Cross Account Zone Delegation guidance includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance.

E.g.

```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});
```

should be more like:

```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
  // You can scope down this role policy to be least privileged.
  // If you want the other account to be able to manage specific records,
  // you can scope down by resource and/or normalized record names
  inlinePolicies: {
    "crossAccountPolicy": new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          sid: "ListHostedZonesByName",
          effect: iam.Effect.ALLOW,
          actions: ["route53:ListHostedZonesByName"],
          resources: ["*"],
        }),
        new iam.PolicyStatement({
          sid: "GetHostedZoneAndChangeResourceRecordSets",
          effect: iam.Effect.ALLOW,
          // The IAM action name is plural: route53:ChangeResourceRecordSets
          actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
          // This example assumes the RecordSet subdomain.someexample.com
          // is contained in the HostedZone
          resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"],
          conditions: {
            "ForAllValues:StringLike": {
              "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                "subdomain.someexample.com",
              ],
            },
          },
        }),
      ],
    }),
  },
});
```

Links

https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_route53-readme.html#cross-account-zone-delegation
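To show what the scope-down in the proposal actually buys, here is an added example (not aws-cdk project code): it builds the IAM policy JSON the scoped-down role synthesizes to and evaluates a `ChangeResourceRecordSets` request against its `ForAllValues:StringLike` condition. The zone ID and record names are constructed sample values, and stripping a trailing dot during normalization is an assumption of this example.

```typescript
// Added example, not aws-cdk project code. Zone IDs and names are constructed.
type Statement = {
  Sid: string; Effect: "Allow" | "Deny"; Action: string[]; Resource: string[];
  Condition?: { "ForAllValues:StringLike": Record<string, string[]> };
};
type PolicyDocument = { Version: "2012-10-17"; Statement: Statement[] };
const NAMES_KEY = "route53:ChangeResourceRecordSetsNormalizedRecordNames";

// Route 53 lowercases record names in this condition key; stripping the
// trailing dot is an assumption made here so FQDN input compares cleanly.
function normalizeRecordName(name: string): string {
  return name.toLowerCase().replace(/\.$/, "");
}

// IAM StringLike semantics: '*' matches any run of characters, '?' exactly one.
function stringLike(pattern: string, value: string): boolean {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  return new RegExp(`^${escaped.replace(/\*/g, ".*").replace(/\?/g, ".")}$`).test(value);
}

// The policy JSON the scoped-down crossAccountRole synthesizes to: list zones by
// name anywhere, but read and change records in one zone and only for allowed names.
function delegationPolicy(hostedZoneId: string, allowedNames: string[]): PolicyDocument {
  return {
    Version: "2012-10-17",
    Statement: [
      { Sid: "ListHostedZonesByName", Effect: "Allow",
        Action: ["route53:ListHostedZonesByName"], Resource: ["*"] },
      { Sid: "GetHostedZoneAndChangeResourceRecordSets", Effect: "Allow",
        Action: ["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
        Resource: [`arn:aws:route53:::hostedzone/${hostedZoneId}`],
        Condition: { "ForAllValues:StringLike": { [NAMES_KEY]: allowedNames.map(normalizeRecordName) } } },
    ],
  };
}

// Would a ChangeResourceRecordSets call on `recordNames` in `hostedZoneId` pass?
// ForAllValues: every name in the request must match at least one pattern, so a
// batch that also touches an unlisted name (e.g. the apex) is rejected as a whole.
function changeAllowed(policy: PolicyDocument, hostedZoneId: string, recordNames: string[]): boolean {
  const arn = `arn:aws:route53:::hostedzone/${hostedZoneId}`;
  return policy.Statement.some((s) => {
    if (s.Effect !== "Allow" || !s.Action.includes("route53:ChangeResourceRecordSets")) return false;
    if (!s.Resource.some((r) => stringLike(r, arn))) return false;
    const patterns = s.Condition?.["ForAllValues:StringLike"][NAMES_KEY] ?? ["*"];
    return recordNames.map(normalizeRecordName).every((n) => patterns.some((p) => stringLike(p, n)));
  });
}
```

One caveat the evaluator mirrors: `ForAllValues` also evaluates true when the condition key is absent from the request, which is harmless here because `ChangeResourceRecordSets` always supplies the normalized record names.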

@miiiak miiiak added documentation This is a problem with documentation. needs-triage This issue or PR still needs to be triaged. labels Jan 5, 2024
@github-actions github-actions bot added the @aws-cdk/aws-route53 Related to Amazon Route 53 label Jan 5, 2024
@miiiak
Contributor Author

miiiak commented Jan 5, 2024

Worth noting I work at AWS, alias tjbryant. Working on a PR, but I wanted to follow the process and submit an issue.

@pahud
Contributor

pahud commented Jan 8, 2024

Yes we should always scope down the policies when necessary.

I guess we can improve here?

### Cross Account Zone Delegation
If you want to have your root domain hosted zone in one account and your subdomain hosted
zone in a different one, you can use `CrossAccountZoneDelegationRecord` to set up delegation
between them.
In the account containing the parent hosted zone:
```ts
const parentZone = new route53.PublicHostedZone(this, 'HostedZone', {
  zoneName: 'someexample.com',
});
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});
parentZone.grantDelegation(crossAccountRole);
```
In the account containing the child zone to be delegated:
```ts
const subZone = new route53.PublicHostedZone(this, 'SubZone', {
  zoneName: 'sub.someexample.com',
});
// import the delegation role by constructing the roleArn
const delegationRoleArn = Stack.of(this).formatArn({
  region: '', // IAM is global in each partition
  service: 'iam',
  account: 'parent-account-id',
  resource: 'role',
  resourceName: 'MyDelegationRole',
});
const delegationRole = iam.Role.fromRoleArn(this, 'DelegationRole', delegationRoleArn);
// create the record
new route53.CrossAccountZoneDelegationRecord(this, 'delegate', {
  delegatedZone: subZone,
  parentHostedZoneName: 'someexample.com', // or you can use parentHostedZoneId
  delegationRole,
});
```

@pahud pahud added p2 effort/medium Medium work item – several days of effort and removed needs-triage This issue or PR still needs to be triaged. labels Jan 8, 2024
miiiak added a commit to miiiak/aws-cdk that referenced this issue Jan 9, 2024
@miiiak
Contributor Author

miiiak commented Jan 9, 2024

Correct Pahud, that's my proposal. PR added #28624

@mergify mergify bot closed this as completed in #28624 Jan 10, 2024
mergify bot pushed a commit that referenced this issue Jan 10, 2024
Reference [issue 28596](#28596)

The motivation is to help CDK builders understand how to take advantage of IAM scope-down capabilities to ensure least-privilege cross-account role access related to cross account zone delegation.

The Cross Account Zone Delegation guidance currently includes reference to creating a crossAccountRole, but provides no suggestion on how to safely scope down the role for least-privilege access. We can and should provide this guidance.

E.g.
```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
});
```
should be more like:
```ts
const crossAccountRole = new iam.Role(this, 'CrossAccountRole', {
  // The role name must be predictable
  roleName: 'MyDelegationRole',
  // The other account
  assumedBy: new iam.AccountPrincipal('12345678901'),
  // You can scope down this role policy to be least privileged.
  // If you want the other account to be able to manage specific records,
  // you can scope down by resource and/or normalized record names
  inlinePolicies: {
    "crossAccountPolicy": new iam.PolicyDocument({
      statements: [
        new iam.PolicyStatement({
          sid: "ListHostedZonesByName",
          effect: iam.Effect.ALLOW,
          actions: ["route53:ListHostedZonesByName"],
          resources: ["*"],
        }),
        new iam.PolicyStatement({
          sid: "GetHostedZoneAndChangeResourceRecordSets",
          effect: iam.Effect.ALLOW,
          // The IAM action name is plural: route53:ChangeResourceRecordSets
          actions: ["route53:GetHostedZone", "route53:ChangeResourceRecordSets"],
          // This example assumes the RecordSet subdomain.someexample.com
          // is contained in the HostedZone
          resources: ["arn:aws:route53:::hostedzone/HZID00000000000000000"],
          conditions: {
            "ForAllValues:StringLike": {
              "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                "subdomain.someexample.com",
              ],
            },
          },
        }),
      ],
    }),
  },
});
```
Closes #28596.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*