From dc5027b7b9b6272b0cf54a6913f82eeb93ba63f0 Mon Sep 17 00:00:00 2001
From: Daniel Van Der Ploeg
Date: Wed, 29 Nov 2023 10:13:08 +1030
Subject: [PATCH 01/10] feat: add base cognito permissions
---
packages/serverless-deploy-iam/bin/app.ts | 66 +++++++++++++++++++++++
1 file changed, 66 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 6383826..e98f3dc 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -294,6 +294,71 @@ export class ServiceDeployIAM extends cdk.Stack {
 "sqs:ListDeadLetterSourceQueues",
 "sqs:CreateQueue",
 ]
+ },
+ {
+ name: 'COGNITO',
+ prefix: `arn:aws:cognito-sync:${region}:${accountId}:identitypool/`,
+ qualifiers: [`${serviceName}*`],
+ actions: [
+ "cognito-sync:BulkPublish",
+ "cognito-sync:DeleteDataset",
+ "cognito-sync:DescribeDataset",
+ "cognito-sync:DescribeIdentityPoolUsage",
+ "cognito-sync:DescribeIdentityUsage",
+ "cognito-sync:GetBulkPublishDetails",
+ "cognito-sync:GetCognitoEvents",
+ "cognito-sync:GetIdentityPoolConfiguration",
+ "cognito-sync:ListDatasets",
+ "cognito-sync:ListIdentityPoolUsage",
+ "cognito-sync:ListRecords",
+ "cognito-sync:QueryRecords",
+ "cognito-sync:RegisterDevice",
+ "cognito-sync:SetCognitoEvents",
+ "cognito-sync:SetDatasetConfiguration",
+ "cognito-sync:SetIdentityPoolConfiguration",
+ "cognito-sync:SubscribeToDataset",
+ "cognito-sync:UnsubscribeFromDataset",
+ "cognito-sync:UpdateRecords",
+ "cognito-identity:CreateIdentityPool",
+ "cognito-identity:DeleteIdentities",
+ "cognito-identity:DeleteIdentityPool",
+ "cognito-identity:DescribeIdentity",
+ "cognito-identity:DescribeIdentityPool",
+ "cognito-identity:GetCredentialsForIdentity",
+ "cognito-identity:GetId",
+ "cognito-identity:GetIdentityPoolRoles",
+ "cognito-identity:GetOpenIdToken",
+ "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
+ "cognito-identity:GetPrincipalTagAttributeMap",
+ "cognito-identity:ListIdentities",
+ "cognito-identity:ListIdentityPools",
+ "cognito-identity:ListTagsForResource",
+ "cognito-identity:LookupDeveloperIdentity",
+ "cognito-identity:MergeDeveloperIdentities",
+ "cognito-identity:SetIdentityPoolRoles",
+ "cognito-identity:SetPrincipalTagAttributeMap",
+ "cognito-identity:TagResource",
+ "cognito-identity:UnlinkDeveloperIdentity",
+ "cognito-identity:UnlinkIdentity",
+ "cognito-identity:UntagResource",
+ "cognito-identity:UpdateIdentityPool",
+ ]
+ },
+ {
+ name: 'COGNITO_IDP',
+ prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool/`,
+ qualifiers: [`${serviceName}*`, `${region}_*`],
+ actions: [
+ "cognito-idp:Create*",
+ "cognito-idp:Delete*",
+ "cognito-idp:Describe*",
+ "cognito-idp:Get*",
+ "cognito-idp:List*",
+ "cognito-idp:Set*",
+ "cognito-idp:TagResource",
+ "cognito-idp:UntagResource",
+ "cognito-idp:Update*",
+ ]
 }
 ]
 }
@@ -522,6 +587,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 case "EVENT_BRIDGE":
 delimiter = ":";
 break;
+ // TODO: add cognito
 }
 return qualifiers.filter(Boolean).map((qualifier) => { return `${prefix}${delimiter}${qualifier}` })
From 4fb99e4cb329f9fb1a91d26d0a161290244aad80 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 10:46:11 +1030
Subject: [PATCH 02/10] remove duplicate trailing slash
---
packages/serverless-deploy-iam/bin/app.ts | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index e98f3dc..a85bb4c 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -297,7 +297,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: 'COGNITO',
- prefix: `arn:aws:cognito-sync:${region}:${accountId}:identitypool/`,
+ prefix: `arn:aws:cognito-sync:${region}:${accountId}:identitypool`,
 qualifiers: [`${serviceName}*`],
 actions: [
 "cognito-sync:BulkPublish",
@@ -346,7 +346,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 },
 {
 name: 'COGNITO_IDP',
- prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool/`,
+ prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
 qualifiers: [`${serviceName}*`, `${region}_*`],
 actions: [
 "cognito-idp:Create*",
From 53eb5e43f0a627f3df48f456794394a9a7559235 Mon Sep 17 00:00:00 2001
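Review bot: The `cognito-identity:*` actions in the new `COGNITO` entry sit under a `cognito-sync` ARN prefix, so the resource they are paired with is never a Cognito Identity resource (`arn:aws:cognito-identity:...:identitypool/...`) and the statement grants less than it reads as granting; moving them into their own entry with a `cognito-identity` prefix keeps the table honest. Separately, the `${region}_*` qualifier on `COGNITO_IDP` matches every user pool in the account and region, because user pool IDs have the form `<region>_<id>` and carry nothing derived from `serviceName`. If that breadth is intended, a comment on the qualifiers line such as `// user pool IDs carry no service name, so "${region}_*" matches every pool in the region` would record the decision. The array literal and the enclosing method both start before this hunk.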
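Review bot: With the trailing slash gone, the `COGNITO` entry still appends `${serviceName}*` after `identitypool`, but the value that follows `identitypool/` in a Cognito ARN is the pool ID, which has the form `<region>:<guid>` and never begins with a service name, so this qualifier is unlikely to match any pool at all. If the intent is to cover the service's pools, an ID-shaped qualifier (as the later `COGNITO_IDP_IDENTITYPOOL` entry in this series uses) or a comment stating that the `cognito-sync` statement is expected to be inert would avoid a false sense of coverage. The entry begins before this hunk.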
From: Chris Park
Date: Wed, 29 Nov 2023 10:51:18 +1030
Subject: [PATCH 03/10] add cognito-idp:CreateUserPool against all resources
---
packages/serverless-deploy-iam/bin/app.ts | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index a85bb4c..21de2b2 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -359,6 +359,14 @@ export class ServiceDeployIAM extends cdk.Stack {
 "cognito-idp:UntagResource",
 "cognito-idp:Update*",
 ]
+ },
+ {
+ name: 'COGNITO_IDP_CREATEUSERPOOL',
+ prefix: `arn:aws:cognito-idp:${region}:${accountId}:userpool`,
+ qualifiers: ["*"],
+ actions: [
+ "cognito-idp:CreateUserPool"
+ ]
 }
 ]
 }
From 7657e14fc1604ed1e80ddce700a5961a96c42f9f Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 10:56:53 +1030
Subject: [PATCH 04/10] allow cognito cognito-identity:CreateIdentityPool
---
packages/serverless-deploy-iam/bin/app.ts | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 21de2b2..8f3e9b6 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -367,6 +367,14 @@ export class ServiceDeployIAM extends cdk.Stack {
 actions: [
 "cognito-idp:CreateUserPool"
 ]
+ },
+ {
+ name: 'COGNITO_IDP_IDENTITYPOOL',
+ prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
+ qualifiers: [],
+ actions: [
+ "cognito-identity:CreateIdentityPool"
+ ]
 }
 ]
 }
From 956d13fae832a599d5fe2cb3a217fe57e7bed4c4 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:01:51 +1030
Subject: [PATCH 05/10] expand cognito IAM role resource boundary
---
packages/serverless-deploy-iam/bin/app.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
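Review bot: `qualifiers: ["*"]` on `COGNITO_IDP_CREATEUSERPOOL` widens `cognito-idp:CreateUserPool` to `userpool/*`, but nothing records why this action cannot stay inside the service-scoped `COGNITO_IDP` entry; presumably the pool ID does not exist until the call returns, so no narrower resource can be named. A comment above the entry, `// CreateUserPool cannot be scoped to a pool ID that does not exist yet`, would stop a later reader from tightening it back to `${serviceName}*`. Note that `cognito-idp:Create*` in `COGNITO_IDP` already includes this action, so the new entry exists only to widen the resource, which is worth saying in the same comment. The enclosing array starts before this hunk.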
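Review bot: The name `COGNITO_IDP_IDENTITYPOOL` is misleading: the prefix is the `cognito-identity` service, not `cognito-idp`, and the name is also the key `formatResourceQualifier` switches on for the delimiter, so a reader will look under the wrong service when checking that table. A name that says what the ARN covers, e.g. `COGNITO_IDENTITY_POOL`, avoids that. As committed, `qualifiers: []` produces no resource at all once it passes through `qualifiers.filter(Boolean).map(...)`, leaving the statement without a resource until a later change supplies one.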
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 8f3e9b6..7d2b505 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -175,7 +175,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'IAM',
 prefix: `arn:aws:iam::${accountId}:role`,
- qualifiers: [`${serviceName}*`],
+ qualifiers: [`*${serviceName}*`],
 actions: [
 "iam:CreateRole",
 "iam:PassRole",
From d4cb199ea49362204ffab57fc4e98de8ed07fdfb Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:15:24 +1030
Subject: [PATCH 06/10] allow cognito cognito-identity:SetIdentityPoolRoles
---
packages/serverless-deploy-iam/bin/app.ts | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 7d2b505..17b92e3 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -371,9 +371,10 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'COGNITO_IDP_IDENTITYPOOL',
 prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
- qualifiers: [],
+ qualifiers: [`${region}_*`],
 actions: [
- "cognito-identity:CreateIdentityPool"
+ "cognito-identity:CreateIdentityPool",
+ "cognito-identity:SetIdentityPoolRoles"
 ]
 }
 ]
From f24c877214926f8fa283dbe61daba8f7c866b583 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:19:55 +1030
Subject: [PATCH 07/10] allow cognito cognito-identity:SetIdentityPoolRoles - fix format
---
packages/serverless-deploy-iam/bin/app.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 17b92e3..0a1b03b 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -371,7 +371,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'COGNITO_IDP_IDENTITYPOOL',
 prefix: `arn:aws:cognito-identity:${region}:${accountId}:identitypool`,
- qualifiers: [`${region}_*`],
+ qualifiers: [`${region}:*`],
 actions: [
 "cognito-identity:CreateIdentityPool",
 "cognito-identity:SetIdentityPoolRoles"
From 3280d910b31d42a55d5630788bd74ec56e4f17bf Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 11:50:31 +1030
Subject: [PATCH 08/10] mark COGNITO with its delimiter
---
packages/serverless-deploy-iam/bin/app.ts | 1 +
1 file changed, 1 insertion(+)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 0a1b03b..1c01910 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -593,6 +593,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 static formatResourceQualifier(serviceName: string, prefix: string, qualifiers: string[]): string[] {
 let delimiter = "/";
 switch (serviceName) {
+ case "COGNITO":
 case "CLOUD_WATCH":
 case "LAMBDA":
 case "S3":
From 7f8933e41770f0da93bc6af66e131f043be97e77 Mon Sep 17 00:00:00 2001
From: Chris Park
Date: Wed, 29 Nov 2023 12:29:15 +1030
Subject: [PATCH 09/10] mark COGNITO with its delimiter
---
packages/serverless-deploy-iam/bin/app.ts | 1 -
1 file changed, 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 1c01910..4c13972 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -605,7 +605,6 @@ export class ServiceDeployIAM extends cdk.Stack {
 case "EVENT_BRIDGE":
 delimiter = ":";
 break;
- // TODO: add cognito
 }
 return qualifiers.filter(Boolean).map((qualifier) => { return `${prefix}${delimiter}${qualifier}` })
From 0a4a1b012078c4bda9eaeb9db0002a0d5b58f897 Mon Sep 17 00:00:00 2001
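Review bot: `${region}:*` on `COGNITO_IDP_IDENTITYPOOL` makes `cognito-identity:SetIdentityPoolRoles` valid against every identity pool in the account and region, not only this service's, because identity pool IDs (`<region>:<guid>`) contain nothing derived from `serviceName`. That is probably unavoidable for this resource type, but it is the one entry in the table where the deploy role can re-point the roles attached to another service's pool, so the breadth should be recorded next to the qualifier, e.g. `// identity pool IDs are "<region>:<guid>" and cannot be scoped by service; SetIdentityPoolRoles therefore covers every pool in the region`. The enclosing array starts before this hunk.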
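Review bot: Only `COGNITO` is added to the `/` case group, while `COGNITO_IDP`, `COGNITO_IDP_CREATEUSERPOOL` and `COGNITO_IDP_IDENTITYPOOL` reach the same `/` only through the `let delimiter = "/"` default, so the switch now lists some Cognito entries and silently relies on the fallback for the rest. Either add the three sibling cases next to `case "COGNITO":` or put `// names not listed here use the "/" default` above the `switch` so the omission reads as deliberate rather than forgotten. `formatResourceQualifier` continues past the end of this hunk.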
From: Chris Park
Date: Mon, 4 Dec 2023 10:56:50 +1030
Subject: [PATCH 10/10] add Cognito access instead of excessive permission
---
packages/serverless-deploy-iam/bin/app.ts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/serverless-deploy-iam/bin/app.ts b/packages/serverless-deploy-iam/bin/app.ts
index 5783e3a..46abc07 100644
--- a/packages/serverless-deploy-iam/bin/app.ts
+++ b/packages/serverless-deploy-iam/bin/app.ts
@@ -175,7 +175,7 @@ export class ServiceDeployIAM extends cdk.Stack {
 {
 name: 'IAM',
 prefix: `arn:aws:iam::${accountId}:role`,
- qualifiers: [`*${serviceName}*`],
+ qualifiers: [`${serviceName}*`, `Cognito-${serviceName}*`],
 actions: [
 "iam:CreateRole",
 "iam:PassRole",
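Review bot: The reason a second role-name pattern `Cognito-${serviceName}*` is needed is not written down, and since `iam:PassRole` is in this entry's actions, the qualifiers list is the boundary on which roles the deploy role can hand to other services; presumably the roles created for the service's Cognito identity pools are named `Cognito-<service>...` and fall outside `${serviceName}*`. A comment on the qualifiers line, `// Cognito-created roles are named "Cognito-<service>..." and are not covered by the first pattern`, keeps the next reader from collapsing the two patterns back into a leading wildcard. The enclosing array starts before this hunk.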