# This template is modified from original to add PermissionsBoundary for CFN Execution Role # The CFN Execution Role usually has AdministratorAccess attached. This exposes the CICD account to risk as # anyone who can execute `cdk deploy` can create role with AdministratorAccess (IAM privilege escalation) # # We create two PermissionsBoundaries to with least privilege policy. # 1. CloudFormationExecutionPermissionsBoundary - for CICD pipeline deployment # 2. CICDPipelinePermissionsBoundary - for any roles used in CICD pipeline (e.g. CodeBuild/CodePipeline) # # See the following links for more details: # 1. https://aws.amazon.com/premiumsupport/knowledge-center/iam-permission-boundaries/ # 2. https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html # 3. https://github.com/aws/aws-cdk/issues/9256 # # Original Bootstrap template (used when you run `cdk bootstrap`): # https://github.com/aws/aws-cdk/blob/master/packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml # Description: This stack includes resources needed to deploy AWS CDK apps into this environment Parameters: TrustedAccounts: Description: List of AWS accounts that are trusted to publish assets and deploy stacks to this environment Default: "" Type: CommaDelimitedList TrustedAccountsForLookup: Description: List of AWS accounts that are trusted to look up values in this environment Default: "" Type: CommaDelimitedList CloudFormationExecutionPolicies: Description: List of the ManagedPolicy ARN(s) to attach to the CloudFormation deployment role Default: "" Type: CommaDelimitedList FileAssetsBucketName: Description: The name of the S3 bucket used for file assets Default: "" Type: String FileAssetsBucketKmsKeyId: Description: Empty to create a new key (default), 'AWS_MANAGED_KEY' to use a managed S3 key, or the ID/ARN of an existing key. Default: "" Type: String ContainerAssetsRepositoryName: Description: A user-provided custom name to use for the container assets ECR repository Default: "" Type: String Qualifier: Description: An identifier to distinguish multiple bootstrap stacks in the same environment Default: hnb659fds Type: String AllowedPattern: "[A-Za-z0-9_-]{1,10}" ConstraintDescription: Qualifier must be an alphanumeric identifier of at most 10 characters PublicAccessBlockConfiguration: Description: Whether or not to enable S3 Staging Bucket Public Access Block Configuration Default: "true" Type: String AllowedValues: - "true" - "false" Conditions: HasTrustedAccounts: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: TrustedAccounts HasTrustedAccountsForLookup: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: TrustedAccountsForLookup HasCloudFormationExecutionPolicies: Fn::Not: - Fn::Equals: - "" - Fn::Join: - "" - Ref: CloudFormationExecutionPolicies HasCustomFileAssetsBucketName: Fn::Not: - Fn::Equals: - "" - Ref: FileAssetsBucketName CreateNewKey: Fn::Equals: - "" - Ref: FileAssetsBucketKmsKeyId UseAwsManagedKey: Fn::Equals: - AWS_MANAGED_KEY - Ref: FileAssetsBucketKmsKeyId HasCustomContainerAssetsRepositoryName: Fn::Not: - Fn::Equals: - "" - Ref: ContainerAssetsRepositoryName UsePublicAccessBlockConfiguration: Fn::Equals: - "true" - Ref: PublicAccessBlockConfiguration Resources: FileAssetsBucketEncryptionKey: Type: AWS::KMS::Key Properties: KeyPolicy: Statement: - Action: - kms:Create* - kms:Describe* - kms:Enable* - kms:List* - kms:Put* - kms:Update* - kms:Revoke* - kms:Disable* - kms:Get* - kms:Delete* - kms:ScheduleKeyDeletion - kms:CancelKeyDeletion - kms:GenerateDataKey Effect: Allow Principal: AWS: Ref: AWS::AccountId Resource: "*" - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: AWS: "*" Resource: "*" Condition: StringEquals: kms:CallerAccount: Ref: AWS::AccountId kms:ViaService: - Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Principal: AWS: Fn::Sub: ${FilePublishingRole.Arn} Resource: "*" Condition: CreateNewKey FileAssetsBucketEncryptionKeyAlias: Condition: CreateNewKey Type: AWS::KMS::Alias Properties: AliasName: Fn::Sub: alias/cdk-${Qualifier}-assets-key TargetKeyId: Ref: FileAssetsBucketEncryptionKey StagingBucket: Type: AWS::S3::Bucket Properties: BucketName: Fn::If: - HasCustomFileAssetsBucketName - Fn::Sub: ${FileAssetsBucketName} - Fn::Sub: cdk-${Qualifier}-assets-${AWS::AccountId}-${AWS::Region} AccessControl: Private BucketEncryption: ServerSideEncryptionConfiguration: - ServerSideEncryptionByDefault: SSEAlgorithm: aws:kms KMSMasterKeyID: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::If: - UseAwsManagedKey - Ref: AWS::NoValue - Fn::Sub: ${FileAssetsBucketKmsKeyId} PublicAccessBlockConfiguration: Fn::If: - UsePublicAccessBlockConfiguration - BlockPublicAcls: true BlockPublicPolicy: true IgnorePublicAcls: true RestrictPublicBuckets: true - Ref: AWS::NoValue VersioningConfiguration: Status: Enabled UpdateReplacePolicy: Retain DeletionPolicy: Retain StagingBucketPolicy: Type: AWS::S3::BucketPolicy Properties: Bucket: Ref: StagingBucket PolicyDocument: Id: AccessControl Version: "2012-10-17" Statement: - Sid: AllowSSLRequestsOnly Action: s3:* Effect: Deny Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* Condition: Bool: aws:SecureTransport: "false" Principal: "*" ContainerAssetsRepository: Type: AWS::ECR::Repository Properties: ImageTagMutability: IMMUTABLE RepositoryName: Fn::If: - HasCustomContainerAssetsRepositoryName - Fn::Sub: ${ContainerAssetsRepositoryName} - Fn::Sub: cdk-${Qualifier}-container-assets-${AWS::AccountId}-${AWS::Region} RepositoryPolicyText: Version: "2012-10-17" Statement: - Sid: LambdaECRImageRetrievalPolicy Effect: Allow Principal: Service: lambda.amazonaws.com Action: - ecr:BatchGetImage - ecr:GetDownloadUrlForLayer Condition: StringLike: aws:sourceArn: Fn::Sub: arn:${AWS::Partition}:lambda:${AWS::Region}:${AWS::AccountId}:function:* FilePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: file-publishing ImagePublishingRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: image-publishing LookupRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccountsForLookup - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccountsForLookup - Ref: AWS::NoValue - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue RoleName: Fn::Sub: cdk-${Qualifier}-lookup-role-${AWS::AccountId}-${AWS::Region} ManagedPolicyArns: - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/ReadOnlyAccess Policies: - PolicyDocument: Statement: - Sid: DontReadSecrets Effect: Deny Action: - kms:Decrypt Resource: "*" Version: "2012-10-17" PolicyName: LookupRolePolicy Tags: - Key: aws-cdk:bootstrap-role Value: lookup FilePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - s3:GetObject* - s3:GetBucket* - s3:GetEncryptionConfiguration - s3:List* - s3:DeleteObject* - s3:PutObject* - s3:Abort* Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* Effect: Allow - Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Effect: Allow Resource: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::Sub: arn:${AWS::Partition}:kms:${AWS::Region}:${AWS::AccountId}:key/${FileAssetsBucketKmsKeyId} Version: "2012-10-17" Roles: - Ref: FilePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-file-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} ImagePublishingRoleDefaultPolicy: Type: AWS::IAM::Policy Properties: PolicyDocument: Statement: - Action: - ecr:PutImage - ecr:InitiateLayerUpload - ecr:UploadLayerPart - ecr:CompleteLayerUpload - ecr:BatchCheckLayerAvailability - ecr:DescribeRepositories - ecr:DescribeImages - ecr:BatchGetImage - ecr:GetDownloadUrlForLayer Resource: Fn::Sub: ${ContainerAssetsRepository.Arn} Effect: Allow - Action: - ecr:GetAuthorizationToken Resource: "*" Effect: Allow Version: "2012-10-17" Roles: - Ref: ImagePublishingRole PolicyName: Fn::Sub: cdk-${Qualifier}-image-publishing-role-default-policy-${AWS::AccountId}-${AWS::Region} DeploymentActionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: AWS::AccountId - Fn::If: - HasTrustedAccounts - Action: sts:AssumeRole Effect: Allow Principal: AWS: Ref: TrustedAccounts - Ref: AWS::NoValue Policies: - PolicyDocument: Statement: - Sid: CloudFormationPermissions Effect: Allow Action: - cloudformation:CreateChangeSet - cloudformation:DeleteChangeSet - cloudformation:DescribeChangeSet - cloudformation:DescribeStacks - cloudformation:ExecuteChangeSet - cloudformation:CreateStack - cloudformation:UpdateStack Resource: "*" - Sid: PipelineCrossAccountArtifactsBucket Effect: Allow Action: - s3:GetObject* - s3:GetBucket* - s3:List* - s3:Abort* - s3:DeleteObject* - s3:PutObject* Resource: "*" Condition: StringNotEquals: s3:ResourceAccount: Ref: AWS::AccountId - Sid: PipelineCrossAccountArtifactsKey Effect: Allow Action: - kms:Decrypt - kms:DescribeKey - kms:Encrypt - kms:ReEncrypt* - kms:GenerateDataKey* Resource: "*" Condition: StringEquals: kms:ViaService: Fn::Sub: s3.${AWS::Region}.amazonaws.com - Action: iam:PassRole Resource: Fn::Sub: ${CloudFormationExecutionRole.Arn} Effect: Allow - Sid: CliPermissions Action: - cloudformation:DescribeStackEvents - cloudformation:GetTemplate - cloudformation:DeleteStack - cloudformation:UpdateTerminationProtection - sts:GetCallerIdentity - cloudformation:GetTemplateSummary Resource: "*" Effect: Allow - Sid: CliStagingBucket Effect: Allow Action: - s3:GetObject* - s3:GetBucket* - s3:List* Resource: - Fn::Sub: ${StagingBucket.Arn} - Fn::Sub: ${StagingBucket.Arn}/* - Sid: ReadVersion Effect: Allow Action: - ssm:GetParameter Resource: - Fn::Sub: arn:${AWS::Partition}:ssm:${AWS::Region}:${AWS::AccountId}:parameter${CdkBootstrapVersion} Version: "2012-10-17" PolicyName: default RoleName: Fn::Sub: cdk-${Qualifier}-deploy-role-${AWS::AccountId}-${AWS::Region} Tags: - Key: aws-cdk:bootstrap-role Value: deploy CloudFormationExecutionRole: Type: AWS::IAM::Role Properties: AssumeRolePolicyDocument: Statement: - Action: sts:AssumeRole Effect: Allow Principal: Service: cloudformation.amazonaws.com Version: "2012-10-17" ManagedPolicyArns: Fn::If: - HasCloudFormationExecutionPolicies - Ref: CloudFormationExecutionPolicies - Fn::If: - HasTrustedAccounts - Ref: AWS::NoValue - - Fn::Sub: arn:${AWS::Partition}:iam::aws:policy/AdministratorAccess PermissionsBoundary: Ref: CloudFormationExecutionPermissionsBoundary RoleName: Fn::Sub: cdk-${Qualifier}-cfn-exec-role-${AWS::AccountId}-${AWS::Region} CloudFormationExecutionPermissionsBoundary: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Effect: Allow Action: - s3:CreateBucket - s3:DeleteBucket - s3:DeleteBucketPolicy - s3:DeleteJobTagging - s3:DeleteObjectTagging - s3:DeleteObjectVersionTagging - s3:PutBucketPolicy - s3:PutBucketPublicAccessBlock - s3:PutBucketTagging - s3:PutJobTagging - s3:PutObjectTagging - s3:PutObjectVersionTagging - s3:GetEncryptionConfiguration - s3:PutEncryptionConfiguration Resource: - !Sub "arn:aws:s3:::*" - Effect: Allow Action: - codepipeline:CreateCustomActionType - codepipeline:CreatePipeline - codepipeline:DeletePipeline - codepipeline:StartPipelineExecution - codepipeline:DeleteWebhook - codepipeline:GetPipeline - codepipeline:GetPipelineState - codepipeline:DeregisterWebhookWithThirdParty - codepipeline:PutWebhook - codepipeline:RegisterWebhookWithThirdParty - codepipeline:TagResource - codepipeline:UntagResource - codepipeline:UpdatePipeline Resource: "*" # PipelineSelfMutate - Effect: Allow Action: - ssm:GetParameters Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/cdk-bootstrap/*" # SecretsManagerForGithub - Effect: Allow Action: - secretsmanager:GetSecretValue Resource: !Sub "arn:aws:secretsmanager:${AWS::Region}:${AWS::AccountId}:secret:GITHUB_TOKEN*" # KMS - Effect: Allow Action: - kms:CreateKey - kms:PutKeyPolicy - kms:ScheduleKeyDeletion - kms:TagResource - kms:UntagResource - kms:DescribeKey Resource: !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*" # KMS Alias - Effect: Allow Action: - kms:CreateAlias - kms:DeleteAlias - kms:UpdateAlias Resource: - !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*" - !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:alias/codepipeline-*" # KMSCreateKey - Effect: Allow Action: - kms:CreateKey Resource: "*" # CodeBuild - Effect: Allow Action: - codebuild:CreateProject - codebuild:DeleteProject - codebuild:UpdateProject - codebuild:BatchGetProjects Resource: !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*" # Self-Mutate requires permission to start PipelineExecution - Effect: Allow Action: - codepipeline:StartPipelineExecution Resource: !Sub "arn:aws:codepipeline:${AWS::Region}:${AWS::AccountId}:*" # IamReadPolicyForKMSKeyCreation - Effect: Allow Action: - iam:GetRole Resource: "*" # IamModifyWithBoundary - Effect: Allow Action: - iam:CreateRole - iam:AttachRolePolicy - iam:DetachRolePolicy - iam:PutRolePolicy - iam:DeleteRolePolicy Resource: "*" Condition: ForAnyValue:StringEquals: "iam:PermissionsBoundary": - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" # IamModifyWithLimitedResourceName - Effect: Allow Action: - iam:GetRolePolicy - iam:DeleteRole - iam:PassRole - iam:TagRole - iam:UntagRole - iam:UpdateRole - iam:UpdateRoleDescription - sts:AssumeRole Resource: "*" ################################################################## # Deny dangerous actions that could escalate privilege or cause security incident ################################################################## # DenyChangeAccountPublicAccess - Effect: Deny Action: - s3:PutAccountPublicAccessBlock Resource: "*" # DenyBoundaryPolicyEdit - Effect: Deny Action: - iam:CreatePolicyVersion - iam:DeletePolicy - iam:DeletePolicyVersion - iam:SetDefaultPolicyVersion Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" # DenyBoundaryDelete - Effect: Deny Action: - iam:DeleteUserPermissionsBoundary - iam:DeleteRolePermissionsBoundary Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:user/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" Condition: "ForAnyValue:StringEquals": "iam:PermissionsBoundary": - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" # DenyBoundaryUpdateIfNotAddingBoundary - Effect: Deny Action: - iam:PutUserPermissionsBoundary - iam:PutRolePermissionsBoundary Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:user/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" Condition: "ForAnyValue:StringEquals": "iam:PermissionsBoundary": - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" Version: "2012-10-17" ManagedPolicyName: Fn::Sub: cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region} # Limit scope of roles created for CICD pipeline (e.g. CodePipeline, CodeBuild) # The permissions in this policy is derived from when we run `cdk deploy` to generate the CICD pipeline stack # We cannot limit this boundary by resource name for some services (e.g. S3, CodeBuild, Role to assume) as their resource names # depend on stack name. CICDPipelinePermissionsBoundary: Type: AWS::IAM::ManagedPolicy Properties: PolicyDocument: Statement: - Effect: Allow Action: - s3:GetBucket* - s3:GetObject* - s3:List* - s3:Abort* - s3:PutObject* - s3:DeleteObject* Resource: "*" - Effect: Allow Action: - kms:CancelKeyDeletion - kms:Create* - kms:Decrypt - kms:Delete* - kms:Describe* - kms:Disable* - kms:Enable* - kms:GenerateDataKey* - kms:Get* - kms:List* - kms:Put* - kms:ReEncrypt* - kms:Revoke* - kms:ScheduleKeyDeletion - kms:TagResource - kms:UntagResource - kms:Update* Resource: - !Sub "arn:aws:kms:${AWS::Region}:${AWS::AccountId}:key/*" - Effect: Allow Action: - sts:AssumeRole Resource: "*" - Effect: Allow Action: - organizations:ListAccounts - organizations:ListTagsForResource Resource: "*" - Effect: Allow Action: - codebuild:CreateReportGroup - codebuild:CreateReport - codebuild:UpdateReport - codebuild:BatchPutTestCases Resource: !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:report-group/*" - Effect: Allow Action: - codebuild:BatchGetBuilds - codebuild:StartBuild - codebuild:StopBuild Resource: !Sub "arn:aws:codebuild:${AWS::Region}:${AWS::AccountId}:project/*" - Effect: Allow Action: - logs:CreateLogGroup - logs:CreateLogStream - logs:PutLogEvents Resource: !Sub "arn:aws:logs:${AWS::Region}:${AWS::AccountId}:log-group:/aws/codebuild/*" - Effect: Allow Action: - cloudformation:DescribeStacks Resource: "*" ################################################################## # Deny dangerous actions that could escalate privilege or cause security incident ################################################################## # DenyChangeAccountPublicAccess - Effect: Deny Action: - s3:PutAccountPublicAccessBlock Resource: "*" # DenyBoundaryPolicyEdit - Effect: Deny Action: - iam:CreatePolicyVersion - iam:DeletePolicy - iam:DeletePolicyVersion - iam:SetDefaultPolicyVersion Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" # DenyBoundaryDelete - Effect: Deny Action: - iam:DeleteUserPermissionsBoundary - iam:DeleteRolePermissionsBoundary Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:user/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" Condition: "ForAnyValue:StringEquals": "iam:PermissionsBoundary": - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" # DenyBoundaryUpdateIfNotAddingBoundary - Effect: Deny Action: - iam:PutUserPermissionsBoundary - iam:PutRolePermissionsBoundary Resource: - !Sub "arn:aws:iam::${AWS::AccountId}:user/*" - !Sub "arn:aws:iam::${AWS::AccountId}:role/*" Condition: "ForAnyValue:StringNotEquals": "iam:PermissionsBoundary": - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cfn-exec-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" - !Sub "arn:aws:iam::${AWS::AccountId}:policy/cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region}" Version: "2012-10-17" ManagedPolicyName: Fn::Sub: cdk-${Qualifier}-cicd-pipeline-permissions-boundary-policy-${AWS::AccountId}-${AWS::Region} CdkBootstrapVersion: Type: AWS::SSM::Parameter Properties: Type: String Name: Fn::Sub: /cdk-bootstrap/${Qualifier}/version Value: "14" Outputs: BucketName: Description: The name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: ${StagingBucket} BucketDomainName: Description: The domain name of the S3 bucket owned by the CDK toolkit stack Value: Fn::Sub: ${StagingBucket.RegionalDomainName} FileAssetKeyArn: Description: The ARN of the KMS key used to encrypt the asset bucket (deprecated) Value: Fn::If: - CreateNewKey - Fn::Sub: ${FileAssetsBucketEncryptionKey.Arn} - Fn::Sub: ${FileAssetsBucketKmsKeyId} Export: Name: Fn::Sub: CdkBootstrap-${Qualifier}-FileAssetKeyArn ImageRepositoryName: Description: The name of the ECR repository which hosts docker image assets Value: Fn::Sub: ${ContainerAssetsRepository} BootstrapVersion: Description: The version of the bootstrap resources that are currently mastered in this stack Value: Fn::GetAtt: - CdkBootstrapVersion - Value CICDPipelinePermissionsBoundaryArn: Description: Policy for Permissions Boundary of CDK Pipeline. This will limit the privilege of roles created by the CICD Pipeline stack. Value: Ref: CICDPipelinePermissionsBoundary Export: Name: CICDPipelinePermissionsBoundaryArn