GHSA-qc59-cxj2-c2w4: aws-cdk-lib's aspect order change causes different Permissions Boundary assigned to Role

The AWS Cloud Development Kit (AWS CDK) is an open-source software development framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. In the CDK, developers organize their applications into reusable components called “constructs,” which are organized into a hierarchical tree structure. One of the features of this framework is the ability to call “Aspects,” which are mechanisms to set configuration options for all AWS Resources in a particular part of the hierarchy at once. Aspect execution happens in a specific order, and the last Aspect to execute controls the final values in the template.

AWS CDK version 2.172.0 introduced a new priority system for Aspects. Prior to this version, CDK would run Aspects based on hierarchical location. The new priority system takes precedence over hierarchical location, altering the invocation order of Aspects. Different priority classes were introduced: Aspects added by CDK APIs were classified as MUTATING (priority 200), while Aspects added directly by the user were classified as DEFAULT (priority 500) unless the user specified otherwise. As a result of this change, CDK apps that use a custom Aspect to assign a default permissions boundary and then use a built-in CDK method to override it on select resources could have unexpected permissions boundaries assigned.

The following is an affected code sample:

Aspects.of(stack).add(new CustomAspectThatAssignsDefaultPermissionsBoundaries());   // {1}

PermissionsBoundary.of(lambdaFunc).apply(...);  // {2} -- uses Aspects internally

In versions prior to 2.172.0, the Aspect added by {2} would invoke last and assign its permissions boundary to the Lambda function role.

In versions 2.172.0 and after, the Aspect added by {2} would have priority 200 while the Aspect added by {1} would have priority 500 and therefore be invoked last. The Lambda function role would get the permissions boundary of {1} assigned, which may not be what users expect.