CDK cross-span vuln fix (WIP) #1436
Conversation
…part of the process
rBangay
force-pushed
the
cross-spawn-cd-vuln-fix
branch
from
0c209d9 to
bd7943e
Compare
…. Run the update snapshot task.
| @@ -21,6 +21,7 @@ Object { | |||
| "GuEc2App", | |||
| "GuCertificate", | |||
| "GuInstanceRole", | |||
| "GuSsmSshPolicy", | |||
There was a problem hiding this comment.
We think this replaces the old AmazonSSMManagedInstanceCore policy below to ssh into the ec2 instance.
TODO: test in code to make sure we can still ssh into the instance
| @@ -1921,6 +1913,7 @@ Object { | |||
| }, | |||
| "Port": 443, | |||
| "Protocol": "HTTPS", | |||
| "SslPolicy": "ELBSecurityPolicy-TLS13-1-2-2021-06", | |||
There was a problem hiding this comment.
As long as fastly user TLS v1.2 or later this should be fine (https://docs.aws.amazon.com/elasticloadbalancing/latest/application/describe-ssl-policies.html)
| Object { | ||
| "Key": "routing.http.drop_invalid_header_fields.enabled", | ||
| "Value": "true", | ||
| }, |
There was a problem hiding this comment.
We're not sure what constitutes an invalid header, but this sounds sensible.
| "ec2messages:AcknowledgeMessage", | ||
| "ec2messages:DeleteMessage", | ||
| "ec2messages:FailMessage", | ||
| "ec2messages:GetEndpoint", | ||
| "ec2messages:GetMessages", | ||
| "ec2messages:SendReply", | ||
| "ssm:UpdateInstanceInformation", | ||
| "ssm:ListInstanceAssociations", | ||
| "ssm:DescribeInstanceProperties", | ||
| "ssm:DescribeDocumentParameters", | ||
| "ssmmessages:CreateControlChannel", | ||
| "ssmmessages:CreateDataChannel", | ||
| "ssmmessages:OpenControlChannel", | ||
| "ssmmessages:OpenDataChannel", |
There was a problem hiding this comment.
These match the current permissions needed according to https://github.com/guardian/ssm-scala?tab=readme-ov-file#in-aws
| "MetadataOptions": Object { | ||
| "InstanceMetadataTags": "enabled", | ||
| }, |
There was a problem hiding this comment.
this is to allow access to https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/work-with-tags-in-IMDS.html
This is probably useful for kibana logs or wazuh or something but shouldn't break anything.
What does this PR change?
Fix security vulnerability in
cross-spawnin CDK land.As part of this pr I have also updated the version of
CDKwe use by quite a few major versions.