aws-solutions/serverless-image-handler

AWS notification "Missing CDK bootstrap bucket"

Closed · 9 comments

In the last few days I received an email from AWS which says:

We identified your AWS Cloud Development Kit (AWS CDK) bootstrapping configuration in one or more regions could be abused by an actor, potentially resulting in your deployments being intercepted. Specifically, your account contains the default deployment role cdk-hnb659fds-deploy-role--, indicating that it has been bootstrapped for CDK use at some point, but it does not contain the default asset bucket cdk-hnb659fds-assets--.
If you purposely chose a different bucket name by bootstrapping using cdk bootstrap --bootstrap-bucket-name , or if you customized your bootstrapping template to use a different bucket name inside the template, you can disregard this message.
We identified you may have manually deleted the S3 bucket from CDK's bootstrapped resources. If a third party knows your account number and creates an S3 bucket with the name of the bucket that was deleted, and you subsequently perform another CDK deployment in the future, that third party could potentially make unintended changes to your account.
We have released a new version of the CDK bootstrap template with CLI version 2.149.0 which prevents this issue. We recommend you either fully delete all bootstrap resources in these environments if you do not intend to use CDK again, or manually recreate the bucket and then update to the latest version of the CDK bootstrap template.

This is related to my AWS account in which SIH version 6.2.6 is deployed. AWS Health Dashboard is also referring to the CloudFormation stack for SIH deployment as affected resource.

What should I do now or can I ignore that message?
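As an added illustration of the condition the email describes (this is not code from the issue or from the SIH project), the check below takes an inventory of IAM role names and S3 bucket names, which you are assumed to have already pulled from your account with the IAM and S3 APIs, derives the default asset bucket name from each default CDK deploy role it finds, and flags environments where the role exists but the bucket does not. The account ID, the SIH-style role name and the bucket names in the sample inventory are constructed; the `cdk-<qualifier>-deploy-role-<account>-<region>` and `cdk-<qualifier>-assets-<account>-<region>` naming and the `hnb659fds` default qualifier are CDK's defaults.

```python
import re

# Default CDK bootstrap naming: cdk-<qualifier>-deploy-role-<account>-<region>
# for the deploy role and cdk-<qualifier>-assets-<account>-<region> for the
# asset bucket. "hnb659fds" is the default qualifier.
DEPLOY_ROLE_RE = re.compile(
    r"^cdk-(?P<qualifier>[a-z0-9]+)-deploy-role-(?P<account>\d{12})-(?P<region>[a-z0-9-]+)$"
)

# CLI version whose bootstrap template the email says prevents the issue.
FIXED_CLI_VERSION = (2, 149, 0)

# Constructed sample inventory (account ID and non-CDK role are placeholders).
SAMPLE_ROLES = [
    "cdk-hnb659fds-deploy-role-111122223333-us-east-1",
    "cdk-hnb659fds-deploy-role-111122223333-eu-central-1",
    "cdk-hnb659fds-cfn-exec-role-111122223333-eu-central-1",
    "ServerlessImageHandler-ImageHandlerLambdaRole",  # hypothetical SIH role, does not match
]
SAMPLE_BUCKETS = [
    "cdk-hnb659fds-assets-111122223333-us-east-1",  # present: us-east-1 is fine
    "sih-image-source-bucket",
]


def expected_assets_bucket(qualifier, account, region):
    """Default asset bucket name for a bootstrapped environment."""
    return f"cdk-{qualifier}-assets-{account}-{region}"


def find_orphaned_bootstrap_envs(role_names, bucket_names, custom_buckets=None):
    """Return (deploy_role, missing_bucket) for each environment in the state the
    email warns about: default deploy role present, default asset bucket absent.

    custom_buckets maps (account, region) -> bucket name for environments that
    were bootstrapped with --bootstrap-bucket-name or a customised template;
    those are skipped, since the email says they can be disregarded.
    """
    buckets = set(bucket_names)
    custom_buckets = custom_buckets or {}
    findings = []
    for role in role_names:
        m = DEPLOY_ROLE_RE.match(role)
        if not m:
            continue  # not a default CDK deploy role (e.g. an SIH role)
        qualifier, account, region = m.group("qualifier", "account", "region")
        if (account, region) in custom_buckets:
            continue  # bucket name was chosen deliberately
        bucket = expected_assets_bucket(qualifier, account, region)
        if bucket not in buckets:
            findings.append((role, bucket))
    return findings


def cli_version_fixes_issue(version):
    """True if a CDK CLI version string (e.g. "2.149.0") is at or above the
    version whose bootstrap template the email says prevents the issue."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3]) >= FIXED_CLI_VERSION


if __name__ == "__main__":
    for role, bucket in find_orphaned_bootstrap_envs(SAMPLE_ROLES, SAMPLE_BUCKETS):
        print(f"{role}: default asset bucket {bucket} is missing")
```

On the constructed inventory this reports the eu-central-1 environment only: the SIH role does not match the default naming, and us-east-1 still has its bucket. A finding means someone who knows the account ID could create a bucket with that name and influence a later `cdk deploy`; per the email, the remediation is to delete the remaining bootstrap resources if CDK is no longer used, or recreate the bucket and re-bootstrap with a CLI at or above 2.149.0. An inventory-only check cannot tell whether a bucket with that name already exists in someone else's account, so also confirm ownership of any bucket you find.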

Hi @marco910

Is your deployment of SIH managed through cdk deploy (ie: from the Github source code), or did you deploy from the Solutions Library (and the AWS console)?

The warning is effectively saying that if you're deploying through cdk deploy, things aren't currently fully setup, and a bad actor could snipe the default bucket name for your account to cause unintended changes when you deploy. But if you are solely deploying through the template files, this won't affect you and can be ignored.

Let me know,
Simon

Hi @simonkrol

I did the second approach (from the Solutions Library and the AWS console).

Thanks for the explanation. So, if I understand you correctly, this is not relevant in my case and does not affect me?

Hi @marco910

That's correct, yes, though I'm a little surprised you got the email at all. I wouldn't expect you to have that role deployed in your account; it isn't included as part of SIH, instead being created when you run cdk bootstrap.

Simon

There are a few IAM roles created by the SIH template in our AWS account, but none of them is named as described in the email.

Hmm, that seems very strange. Either way, no action is required :)

Great, thanks @simonkrol

We recommend that you still double-check to ensure there are no other stacks, users, or deployments that have resulted in any change. Please feel free to reopen the ticket if you notice any unexpected behavior.

Update on this, looks like many of these notifications were sent in error

Today, we received an updated message that clarified this previous message and that it doesn't affect our account.