
I've been working with CDK for a bit, and haven't had any reason to modify any of the default roles/policies that are auto-generated when I create resources like lambdas or step functions. However, I also know that from a security perspective, it's best practice to be as restrictive as possible for policies and permissions.

This made me wonder whether I should specify a condition in my assumeRolePolicies to only allow specific resources to assume that role. For example, after my CDK code gets converted into YAML, is this sufficiently secure?

AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service:
            - lambda.amazonaws.com
        Action:
          - 'sts:AssumeRole'

Or would it be best practice to add a condition if I'm sure that I only want this role to be assumed by one resource, like so:

AssumeRolePolicyDocument:
    Version: "2012-10-17"
    Statement:
      - Effect: Allow
        Principal:
          Service:
            - lambda.amazonaws.com
        Action:
          - 'sts:AssumeRole'
        Condition:
          ArnLike:
            aws:SourceArn: myLambdaArn

And if I should add the condition, is there an easy way to do it in CDK without having to replace the resource's role.assumeRolePolicy entirely?

  • One of the problems here is that this is not naively doable since the lambda depends on the role, and now your role also depends on the lambda, a cyclic dependency. Having this policy without the source arn is generally sufficient. Commented Mar 10 at 15:01
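To make the difference between the two trust policies in the question concrete, here is an added example that is not code from the question, the comment, or the CDK project: a small Python evaluator that applies IAM's ArnLike matching (each of the six colon-delimited ARN parts compared separately, with `*` and `?` wildcards) to the `aws:SourceArn` condition key and decides whether a given caller may run `sts:AssumeRole`. The account IDs and function names are constructed placeholders, and `MY_LAMBDA_ARN` stands in for the question's `myLambdaArn`. It shows what the condition buys you: with the first policy, the Lambda service is trusted on behalf of any function, including one in another account (the confused-deputy case); with the second, only the named function qualifies.

```python
import re

# Constructed sample ARN standing in for the question's "myLambdaArn" placeholder.
# The account id 123456789012 is made up.
MY_LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-function"

# First trust policy from the question: any function the Lambda service acts for may assume the role.
OPEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
        }
    ],
}

# Second trust policy from the question: the Lambda service may assume the role only
# when it is acting on behalf of the function whose ARN matches MY_LAMBDA_ARN.
RESTRICTED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
            "Condition": {"ArnLike": {"aws:SourceArn": MY_LAMBDA_ARN}},
        }
    ],
}


def _component_regex(pattern: str) -> re.Pattern:
    """Translate one ARN component with IAM wildcards ('*' = any run, '?' = one char) to a regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def arn_like(pattern: str, value: str) -> bool:
    """IAM ArnLike: both strings must be six-part ARNs, and each part must match separately."""
    p_parts = pattern.split(":", 5)
    v_parts = value.split(":", 5)
    if len(p_parts) != 6 or len(v_parts) != 6:
        return False
    return all(_component_regex(p).match(v) for p, v in zip(p_parts, v_parts))


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_met(condition: dict, context: dict) -> bool:
    """All operators and keys must match (AND); the values listed for one key are OR-ed.
    A key missing from the request context makes ArnLike fail (no ...IfExists variant here)."""
    for operator, keys in condition.items():
        if operator != "ArnLike":
            raise NotImplementedError(f"toy evaluator only supports ArnLike, got {operator}")
        for key, patterns in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if not any(arn_like(p, actual) for p in _as_list(patterns)):
                return False
    return True


def can_assume(trust_policy: dict, context: dict) -> bool:
    """Decide sts:AssumeRole for a request context {"service": ..., "aws:SourceArn": ...}.
    Explicit Deny wins over Allow; with no matching Allow the default is deny."""
    allowed = False
    for stmt in trust_policy["Statement"]:
        services = _as_list(stmt.get("Principal", {}).get("Service", []))
        if context["service"] not in services:
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts: our own function, a function in another (made-up) account,
# and a different service principal altogether.
OWN_FUNCTION = {"service": "lambda.amazonaws.com", "aws:SourceArn": MY_LAMBDA_ARN}
FOREIGN_FUNCTION = {
    "service": "lambda.amazonaws.com",
    "aws:SourceArn": "arn:aws:lambda:us-east-1:999999999999:function:someone-elses-function",
}
OTHER_SERVICE = {"service": "ec2.amazonaws.com", "aws:SourceArn": MY_LAMBDA_ARN}

if __name__ == "__main__":
    for name, policy in (("open", OPEN_TRUST_POLICY), ("restricted", RESTRICTED_TRUST_POLICY)):
        for label, ctx in (("own", OWN_FUNCTION), ("foreign", FOREIGN_FUNCTION), ("ec2", OTHER_SERVICE)):
            print(f"{name:10s} {label:8s} -> {'ALLOW' if can_assume(policy, ctx) else 'DENY'}")
```

The evaluator is a simplification of IAM (one operator, service principals only), but the matching rule it implements is the documented ArnLike behaviour, so you can use it to check a pattern such as `arn:aws:lambda:us-east-1:123456789012:function:my-*` before putting it in a trust policy. On the cyclic-dependency point in the comment: the pattern form is also the way round it, since a function with a predetermined name has a predictable ARN that can be written as a string (or built from the stack's region and account) without referencing the function resource itself.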
