GHSA-5pq3-h73f-66hr: AWS CDK CodePipeline: trusted entities are too broad

The AWS Cloud Development Kit (CDK) is an open-source framework for defining cloud infrastructure using code. Users use it to create their own applications, which are converted to AWS CloudFormation templates during deployment to a user’s AWS account. AWS CDK contains pre-built components called “constructs,” which are higher-level abstractions providing defaults and best practices. This approach enables developers to use familiar programming languages to define complex cloud infrastructure more efficiently than writing raw CloudFormation templates.

The AWS CodePipeline construct deploys CodePipeline, a managed service that orchestrates software release processes through a series of stages, each comprising one or more actions executed by CodePipeline. To perform these actions, CodePipeline assumes IAM roles with permissions necessary for each step, allowing it to interact with AWS services and resources on behalf of the user.

An issue exists where, when using CDK to create a CodePipeline with the CDK Construct Library, CDK creates an AWS Identity and Access Management (AWS IAM) trust policy with overly broad permissions. Any user with unrestricted sts:AssumeRole permissions could assume that trust policy. This issue does not affect users who supply their own role for CodePipeline.