k9-cdk now generates least-privilege resource policies for Amazon SQS queues with CDK v2. This complements the existing S3, KMS, and DynamoDB support and brings the same simplified approach to securing messaging infrastructure defined in AWS CDK code.

Benefits

  • Simplified Security: Define access patterns using k9’s intuitive access capability model instead of writing raw resource policies
  • Consistent: Apply the same security patterns across S3, KMS, DynamoDB, and now SQS resources
  • Developer Experience: Easily integrate security into your existing CDK delivery process

Least-privilege AWS SQS resource policies (quickly)

The SQS support works with your existing AWS CDK infrastructure code. For example, the following code will:

  • Provision an SQS queue
  • Allow CI and administrators to administer the queue
  • Allow administrators and security auditors to read the queue’s configuration
  • Allow the app-backend role to send and receive messages

TypeScript

import * as cdk from "aws-cdk-lib";
import * as sqs from "aws-cdk-lib/aws-sqs";
import * as k9 from "@k9securityio/k9-cdk";

const app = new cdk.App();
const stack = new cdk.Stack(app, "K9Example");

const queue = new sqs.Queue(stack, "AppQueue", {
  queueName: "app-backend",
});

// define intended access: CI and admins may administer the queue
const administerResourceArns = [
  "arn:aws:iam::123456789012:role/ci",
  "arn:aws:iam::123456789012:role/admin",
];

// admins, the k9 auditor role and the IAM Access Analyzer service-linked role
// should be able to read-config
const readConfigArns = administerResourceArns.concat([
  "arn:aws:iam::123456789012:role/k9-auditor",
  "arn:aws:iam::123456789012:role/aws-service-role/access-analyzer.amazonaws.com/AWSServiceRoleForAccessAnalyzer",
]);

// only the application backend may read and write messages
const readWriteDataArns = [
  "arn:aws:iam::123456789012:role/app-backend",
];

// Generate and apply an SQS resource policy
const k9QueuePolicyProps: k9.sqs.K9SQSResourcePolicyProps = {
  queue: queue,
  k9DesiredAccess: [
    {
      accessCapabilities: k9.k9policy.AccessCapability.ADMINISTER_RESOURCE,
      allowPrincipalArns: administerResourceArns,
    },
    {
      accessCapabilities: k9.k9policy.AccessCapability.READ_CONFIG,
      allowPrincipalArns: readConfigArns,
    },
    {
      accessCapabilities: k9.k9policy.AccessCapability.READ_DATA,
      allowPrincipalArns: readWriteDataArns,
    },
    {
      accessCapabilities: k9.k9policy.AccessCapability.WRITE_DATA,
      allowPrincipalArns: readWriteDataArns,
    },
  ],
};

k9.sqs.grantAccessViaResourcePolicy(k9QueuePolicyProps);

// emit the CloudFormation template, including the generated queue policy
app.synth();

When you call k9.sqs.grantAccessViaResourcePolicy, k9-cdk generates a least-privilege resource policy and attaches it to the queue. That policy allows only the access you declared in the props and denies access to all other principals, so an over-broad identity policy elsewhere in the account cannot quietly widen access to the queue.
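To make the allow-then-deny shape of such a policy concrete, here is an added example that is not k9-cdk's own code: a small TypeScript model that turns an access specification like the one above into an SQS queue policy document, plus a minimal evaluator that shows which principal/action pairs the result permits. The capability-to-action mapping, the statement Sids, the `aws:PrincipalArn` deny condition, and the account, queue and role names are assumptions chosen for illustration; k9-cdk's generated policy may differ in detail.

```typescript
// Added example, not k9-cdk's own code. Models how an access specification
// becomes a queue policy that allows declared principals and denies everyone
// else. Mapping, Sids and deny condition are illustrative assumptions.

type Capability = "administer-resource" | "read-config" | "read-data" | "write-data";

interface AccessSpec {
  capability: Capability;
  allowPrincipalArns: string[];
}

interface Statement {
  Sid: string;
  Effect: "Allow" | "Deny";
  Principal: { AWS: string[] } | "*";
  Action: string[];
  Resource: string;
  Condition?: { ArnNotEquals: { "aws:PrincipalArn": string[] } };
}

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Statement[];
}

// Assumed mapping from k9-style capabilities to SQS API actions.
const CAPABILITY_ACTIONS: { [c in Capability]: string[] } = {
  "administer-resource": [
    "sqs:AddPermission", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:RemovePermission",
    "sqs:SetQueueAttributes", "sqs:TagQueue", "sqs:UntagQueue",
  ],
  "read-config": ["sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ListQueueTags"],
  "read-data": ["sqs:ReceiveMessage", "sqs:ChangeMessageVisibility"],
  "write-data": ["sqs:SendMessage", "sqs:DeleteMessage"],
};

function buildQueuePolicy(queueArn: string, specs: AccessSpec[]): PolicyDocument {
  // One Allow statement per declared capability.
  const statements: Statement[] = specs.map((spec): Statement => ({
    Sid: "Allow-" + spec.capability,
    Effect: "Allow",
    Principal: { AWS: spec.allowPrincipalArns.slice().sort() },
    Action: CAPABILITY_ACTIONS[spec.capability],
    Resource: queueArn,
  }));
  // Every principal granted anything; all others are explicitly denied so an
  // over-broad identity policy cannot grant access the queue owner did not intend.
  const allowedArns: string[] = [];
  for (const spec of specs) {
    for (const arn of spec.allowPrincipalArns) {
      if (allowedArns.indexOf(arn) === -1) allowedArns.push(arn);
    }
  }
  allowedArns.sort();
  statements.push({
    Sid: "DenyEveryoneElse",
    Effect: "Deny",
    Principal: "*",
    Action: ["sqs:*"],
    Resource: queueArn,
    Condition: { ArnNotEquals: { "aws:PrincipalArn": allowedArns } },
  });
  return { Version: "2012-10-17", Statement: statements };
}

function actionMatches(pattern: string, action: string): boolean {
  if (pattern === action) return true;
  if (pattern.charAt(pattern.length - 1) !== "*") return false;
  const prefix = pattern.slice(0, -1);
  return action.slice(0, prefix.length) === prefix;
}

// Tiny evaluator for this policy only: an applicable explicit Deny always
// wins; otherwise at least one applicable Allow is required.
function isAllowed(policy: PolicyDocument, principalArn: string, action: string): boolean {
  let allowed = false;
  for (const st of policy.Statement) {
    if (!st.Action.some((a) => actionMatches(a, action))) continue;
    if (st.Principal !== "*" && st.Principal.AWS.indexOf(principalArn) === -1) continue;
    const notEquals = st.Condition && st.Condition.ArnNotEquals["aws:PrincipalArn"];
    if (notEquals && notEquals.indexOf(principalArn) !== -1) continue; // condition not met
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Constructed scenario mirroring the CDK example (sample account and role names).
const QUEUE_ARN = "arn:aws:sqs:us-east-1:123456789012:app-backend";
const ADMIN_ARNS = ["arn:aws:iam::123456789012:role/ci", "arn:aws:iam::123456789012:role/admin"];
const READ_CONFIG_ARNS = ADMIN_ARNS.concat(["arn:aws:iam::123456789012:role/k9-auditor"]);
const APP_ARNS = ["arn:aws:iam::123456789012:role/app-backend"];

function exampleQueuePolicy(): PolicyDocument {
  return buildQueuePolicy(QUEUE_ARN, [
    { capability: "administer-resource", allowPrincipalArns: ADMIN_ARNS },
    { capability: "read-config", allowPrincipalArns: READ_CONFIG_ARNS },
    { capability: "read-data", allowPrincipalArns: APP_ARNS },
    { capability: "write-data", allowPrincipalArns: APP_ARNS },
  ]);
}

console.log(JSON.stringify(exampleQueuePolicy(), null, 2));
```

The evaluator deliberately ignores identity-based policies: the point of the trailing Deny is that the resource policy stays authoritative even when a principal's own IAM policy says `sqs:*`. Run it and you can confirm that app-backend can send and receive but not delete the queue, the auditor can read configuration but not messages, and an undeclared role can do nothing at all.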

Integration with Other Services

The SQS support uses the same access capability model and configuration patterns as k9-cdk's existing S3, KMS, and DynamoDB support, so you can apply one consistent set of security practices across all of them.

Getting Started

k9 Security’s k9-cdk for CDK v2 makes strong security usable and helps you provision best practice AWS security policies defined using the simplified k9 access capability model and safe defaults.

In CDK terms, this library provides Curated (L2) constructs that wrap core CloudFormation resources (L1) to simplify security.

The k9-cdk library simplifies IAM as described in Effective IAM for AWS and is fully-supported by k9 Security. We’re happy to answer questions or help you integrate it via a GitHub issue or email to [email protected].

Check out k9-cdk on GitHub or ConstructHub for details and examples on how to start using k9-cdk today!