Skip to content

fix(iam): add validation for OrganizationPrincipal IDs #33968

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 1, 2025
Merged

fix(iam): add validation for OrganizationPrincipal IDs #33968

merged 3 commits into from
Apr 1, 2025

Conversation

scorbiere
Copy link
Contributor

@scorbiere scorbiere commented Mar 28, 2025
edited
Loading

Issue # (if applicable)

Closes #32756.

Reason for this change

There's a security issue with the OrganizationPrincipal class in AWS CDK. When using iam.OrganizationPrincipal with an empty or invalid organization ID, it still grants access to AWS resources but without properly applying the organization condition. This creates a security risk because:

  1. It grants permissions to AWS: "*" (any AWS principal)
  2. The condition that should restrict access to a specific organization is not properly applied

A previous fix (PR #33555) was implemented but later reverted (PR #33773) because it broke compatibility with code using tokens for organization IDs.

Description of changes

This PR adds token-aware validation to the OrganizationPrincipal constructor to ensure organization IDs match the required pattern (^o-[a-z0-9]{10,32}$) when they are literal strings, while maintaining compatibility with tokens.

Pattern defined here: https://docs.aws.amazon.com/organizations/latest/APIReference/API_Organization.html#API_Organization_Contents

Key changes:

  • Added validation in OrganizationPrincipal constructor that only applies to literal strings (not tokens)
  • Created comprehensive unit tests for the validation logic
  • Updated existing tests to use valid organization IDs

The implementation uses Token.isUnresolved() to check if the organization ID is a token before applying validation, which addresses the regression that caused the previous fix to be reverted.

Describe any new or updated permissions being added

No new IAM permissions are being added. This change only affects validation of organization IDs used in IAM policies.

Description of how you validated changes

  • Added a dedicated test file (organization-principal.test.ts) which covers various scenarios:
    • Valid organization IDs
    • Empty strings (rejected with error)
    • Invalid formats (rejected with error)
    • Token values (pass through without validation)
  • Updated existing tests in function.test.ts, bucket.test.ts, and integration tests to use valid organization IDs
  • Verified all unit tests pass in the affected modules
  • Ran integration tests to ensure the changes work correctly in deployed resources

Checklist

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

scorbiere and others added 2 commits March 28, 2025 10:37
@scorbiere
fix(iam): add validation for OrganizationPrincipal IDs
c8a1099 
The OrganizationPrincipal class now validates that organization IDs match the required pattern (^o-[a-z0-9]{10,32}$) when they are literal strings. This prevents security risks that could occur when using empty or invalid organization IDs, which would grant permissions to any AWS principal without properly applying the organization condition.

Key changes:
- Added token-aware validation in OrganizationPrincipal constructor
- Only validates literal strings, not tokens (using Token.isUnresolved)
- Added comprehensive unit tests for validation logic
- Updated existing tests to use valid organization IDs

Fixes: aws#32756
@scorbiere
Merge branch 'aws:main' into issue_32756
161ede7
@github-actions github-actions bot added bug This issue is a bug. effort/small Small work item – less than a day of effort p1 labels Mar 28, 2025
@aws-cdk-automation aws-cdk-automation requested a review from a team March 28, 2025 20:27
@mergify mergify bot added the contribution/core This is a PR that came from AWS. label Mar 28, 2025
@codecov Codecov
Copy link

codecov bot commented Mar 28, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.98%. Comparing base (89d2d5c) to head (b73ca37).
Report is 1 commits behind head on main.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main   #33968   +/-   ##
=======================================
  Coverage   83.98%   83.98%           
=======================================
  Files         120      120           
  Lines        6976     6976           
  Branches     1178     1178           
=======================================
  Hits         5859     5859           
  Misses       1005     1005           
  Partials      112      112
Flag Coverage Δ
suite.unit 83.98% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components Coverage Δ
packages/aws-cdk ∅ <ø> (∅)
packages/aws-cdk-lib/core 83.98% <ø> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@scorbiere scorbiere marked this pull request as ready for review March 29, 2025 00:15
@aws-cdk-automation aws-cdk-automation added the pr/needs-maintainer-review This PR needs a review from a Core Team Member label Mar 29, 2025
@github-actions github-actions bot mentioned this pull request Apr 1, 2025
Open
QuantumNeuralCoder
QuantumNeuralCoder approved these changes Apr 1, 2025
View reviewed changes
Copy link
Contributor

@QuantumNeuralCoder QuantumNeuralCoder left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed as previously. Additional check for cdk token prevents the regression issue. Ship ITTT

@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 1, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildv2Project1C6BFA3F-wQm2hXv2jqQv
  • Commit ID: b73ca37
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify mergify bot merged commit 217d75f into aws:main Apr 1, 2025
20 checks passed
@mergify Mergify
Copy link
Contributor

mergify bot commented Apr 1, 2025

Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork).

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Apr 1, 2025

Comments on closed issues and PRs are hard for our team to see.
If you need help, please open a new issue that references this one.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 1, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@QuantumNeuralCoder QuantumNeuralCoder QuantumNeuralCoder approved these changes

Assignees

@QuantumNeuralCoder QuantumNeuralCoder

Labels
bug This issue is a bug. contribution/core This is a PR that came from AWS. effort/small Small work item – less than a day of effort p1 pr/needs-maintainer-review This PR needs a review from a Core Team Member
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(aws-s3): bucket.grantRead to an organization principal grants public read access
4 participants
@scorbiere @aws-cdk-automation @QuantumNeuralCoder @shikha372