Skip to content

fix(security): Don't decrypt all KMS keys by default #375

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 3 commits into from
Closed

fix(security): Don't decrypt all KMS keys by default #375

wants to merge 3 commits into from

Conversation

@dev-slatto
Copy link
Contributor

@dev-slatto dev-slatto commented Apr 21, 2023

Description

As of #349 a pretty large security vulnerability was introduced to the iam-role-for-service-accounts-eks module that by default allows full decryption off all KMS keys within the account that it's implemented in. In the release notes it was noted as a fix and not a new feature. For the naked eye this can indicate that it's a fix in some existing feature that they might not be using, when the reality is that it opened up a backdoor to all KMS keys if you use the External Secrets role.

Motivation and Context

I've changed the default here to be an empty array to focus on closing this security vulnerability first. I'll try to make some time to implement the condition object to the kms:decrypt statement later on.

Breaking Changes

This might be a breaking changes for those that have already implemented the security vulnerability and should be noted as such in the release documentation.

How Has This Been Tested?

  • I have updated at least one of the examples/* to demonstrate and validate my change(s)
  • I have tested and validated these changes using one or more of the provided examples/* projects
  • I have executed pre-commit run -a on my pull request

@dev-slatto
Copy link
Contributor Author

dev-slatto commented Apr 21, 2023

Hey @antonbabenko @bryantbiggs! 👋🏻
Could you guys have a look at this as soon as possible as it might resolve quite a large vulnerability? 😄

As of now it dosen't resolve the issue to set the variable to an empty list or string as the statement block isn't dynamic and therefore generates a IAM policy statement that's not valid. A work around is to put in a random KeyId that's not in your account.

@bryantbiggs
Copy link
Member

bryantbiggs commented Apr 21, 2023

We can switch to a dynamic block to all users to disable, but the default value should stay. Also, this is not a security vulnerability - it may be more permission than what's necessary but that's it

@dev-slatto
Copy link
Contributor Author

dev-slatto commented Apr 21, 2023

One could agree with that, but with keeping the default value if violates AWS Key Management Service Best
Practices (see section regarding Least Privilege / Separation of Duties).

If you still want to keep the default value I can change that one back in this PR, but it should be mentioned somewhere that by keeping the default value your might put your account at risk.

@github-actions
Copy link

github-actions bot commented May 22, 2023

This PR has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this PR will be closed in 10 days

@github-actions github-actions bot added the stale label May 22, 2023
@github-actions
Copy link

github-actions bot commented Jun 1, 2023

This PR was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this Jun 1, 2023
@github-actions
Copy link

github-actions bot commented Jul 1, 2023

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jul 1, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dev-slatto @bryantbiggs