Merge pull request from GHSA-q4pp-j36h-3gqg

BohdanPetryshyn · web-flow · commit f6f218e7cd45 · 2023-08-23T19:49:43.000+02:00
fix: improve default basti connect iam policy
diff --git a/README.md b/README.md
@@ -307,7 +307,12 @@ Minimal policy:
       "Resource": [
         "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
         "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
-      ]
+      ],
+      "Condition": {
+          "BoolIfExists": {
+              "ssm:SessionDocumentAccessCheck": "true"
+          }
+      }
     }
   ]
 }
diff --git a/packages/basti-cdk/src/__test__/basti-instance.test.ts b/packages/basti-cdk/src/__test__/basti-instance.test.ts
@@ -282,6 +282,11 @@ describe('BastiInstanceTest', () => {
                 ],
               },
             ],
+            Condition: {
+              BoolIfExists: {
+                'ssm:SessionDocumentAccessCheck': 'true',
+              },
+            },
           },
         ],
       },
diff --git a/packages/basti-cdk/src/basti-instance.ts b/packages/basti-cdk/src/basti-instance.ts
@@ -225,6 +225,11 @@ export class BastiInstance extends Construct implements IBastiInstance {
       new aws_iam.PolicyStatement({
         actions: ['ssm:StartSession'],
         resources: [instanceArn, documentArn],
+        conditions: {
+          BoolIfExists: {
+            'ssm:SessionDocumentAccessCheck': 'true',
+          },
+        },
       })
     );
   }
diff --git a/packages/basti/README.md b/packages/basti/README.md
@@ -313,7 +313,12 @@ Minimal policy:
       "Resource": [
         "arn:aws:ssm:*:*:document/AWS-StartPortForwardingSessionToRemoteHost",
         "arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"
-      ]
+      ],
+      "Condition": {
+          "BoolIfExists": {
+              "ssm:SessionDocumentAccessCheck": "true"
+          }
+      }
     }
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -307,7 +307,12 @@ Minimal policy:`
`307`	`307`	`"Resource": [`
`308`	`308`	`"arn:aws:ssm:::document/AWS-StartPortForwardingSessionToRemoteHost",`
`309`	`309`	`"arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"`
`310`		`- ]`
	`310`	`+ ],`
	`311`	`+ "Condition": {`
	`312`	`+ "BoolIfExists": {`
	`313`	`+ "ssm:SessionDocumentAccessCheck": "true"`
	`314`	`+ }`
	`315`	`+ }`
`311`	`316`	`}`
`312`	`317`	`]`
`313`	`318`	`}`
Original file line number	Diff line number	Diff line change
`@@ -313,7 +313,12 @@ Minimal policy:`
`313`	`313`	`"Resource": [`
`314`	`314`	`"arn:aws:ssm:::document/AWS-StartPortForwardingSessionToRemoteHost",`
`315`	`315`	`"arn:aws:ec2:<your-region>:<your-account-id>:instance/<your-basti-instance-id>"`
`316`		`- ]`
	`316`	`+ ],`
	`317`	`+ "Condition": {`
	`318`	`+ "BoolIfExists": {`
	`319`	`+ "ssm:SessionDocumentAccessCheck": "true"`
	`320`	`+ }`
	`321`	`+ }`
`317`	`322`	`}`
`318`	`323`	`]`
`319`	`324`	`}`