Feature proposal : restrict permission of state machine IAM role to only functions in the definition

[theburningmonk]

This is a Feature Proposal

Description

Right now the generated IAM role for the state machine is permitted to invoke ALL functions. Should one of the functions used in the step function be compromised, and allowed attacker to gain access to its temp AWS credentials, the attacker would have the permission to execute any and every function in the whole account.

Instead, we should parse the step function definition, pick out the ARN for tasks, and the generated IAM role should be permitted to invoke only those ARNs.

[horike37]

Hi @theburningmonk
Thank you for the proposal!

You mean that Here should be narrowed with minimum permission, right?
If so, fully agreed with you!

To realize this, would be good to add a new configuration for defining to invoke functions something like this. I'm not sure if permitInvolkedFunctionsArn is a suitable name though 😅

stepFunctions:
  stateMachines:
    hellostepfunc1:
      permitInvolkedFunctionsArn:
        - arn:aws:lambda:us-east-1:123456789012:function:aaaa
        - arn:aws:lambda:us-east-1:123456789012:function:bbbb
        - arn:aws:lambda:us-east-1:123456789012:function:cccc

Would love to get some feedback.

[theburningmonk]

Yes, that's it, the generated IAM role can invoke all functions.

Instead of asking the user to specify the functions themselves, which is easy to forget and you get runtime errors, can we parse the state machine definition as part of the plugin and pick out the ARNs associated with Task states?

[horike37]

Make sense! That's a better way than asking.

can we parse the state machine definition as part of the plugin and pick out the ARNs associated with Task states?

It would be possible 👍

[theburningmonk]

This was implemented in #145