fwd:cloudsec 2023

Stop the Bulldozers: Hardening the AWS CDK deployment process
2023-06-13, Salon C

As companies migrate to the cloud, it's common to see uplift projects with the goal of deploying everything as Infrastructure as Code. AWS CDK has been widely adopted since it launched in 2019, partly because it allows dev teams to set up and deploy infrastructure using the programming languages that they're familiar with.

However, unlike most other IaC tools out there, CDK relies on a bootstrapping process which is typically done via the CLI. The roles created by this process are highly privileged by default, which introduces the risk of privilege escalation.

In this talk, we'll look at a few different ways to reduce the attack surface of the default CDK roles, and enforce least privilege access for AWS resource deployment.
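As an added illustration (not material from the talk), the two default-bootstrap properties the abstract alludes to can be audited offline from the bootstrap stack's IAM documents: the managed policies attached to the CloudFormation execution role, and the trust policy of the deploy role. The sample trust documents and account ids below are constructed, and the scoped policy ARN is hypothetical.

```python
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"


def _as_list(value):
    """IAM documents allow a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _account_of(principal):
    """Reduce an AWS principal ('*', bare account id, or ARN) to its account id (or '*')."""
    parts = principal.split(":")
    return parts[4] if len(parts) >= 5 else principal


def audit_bootstrap_roles(cfn_exec_policy_arns, deploy_role_trust, allowed_accounts):
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    # Check 1: the default bootstrap attaches AdministratorAccess to the
    # CloudFormation execution role, so any deployment can touch any resource.
    if ADMIN_POLICY in cfn_exec_policy_arns:
        findings.append("cfn-exec role has AdministratorAccess; scope it with "
                        "--cloudformation-execution-policies")
    # Check 2: every principal trusted by the deploy role can reach the execution
    # role through it, so the trust policy must stay within the pipeline allowlist.
    for stmt in deploy_role_trust.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for p in aws_principals:
            if _account_of(p) not in allowed_accounts:
                findings.append(f"deploy role trusts {p}, which is outside the allowlist")
    return findings


# Constructed sample: a deploy role trusting its own account plus a second account
# added with `cdk bootstrap --trust` (hypothetical account ids).
DEFAULT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root", "222222222222"]}}]}
HARDENED_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}]}
SCOPED_POLICY = "arn:aws:iam::111111111111:policy/cdk-deploy-boundary"  # hypothetical

if __name__ == "__main__":
    print(audit_bootstrap_roles([ADMIN_POLICY], DEFAULT_TRUST, {"111111111111"}))
    print(audit_bootstrap_roles([SCOPED_POLICY], HARDENED_TRUST, {"111111111111"}))
```

In a real account the two inputs come from the CDKToolkit stack's CloudFormationExecutionRole and DeployRole; the first call reports both default weaknesses, the second returns no findings.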

Dawn likes to tinker with cloud infrastructure and security, and regularly goes down rabbit holes in a futile search for ways to develop systems that are both reliable and impenetrable. As well as accidental accessibility advocacy, Dawn can regularly be found sharing knowledge within the Melbourne cloud infrastructure and DevOps communities.

Outside work, Dawn is an occasional author, kitchen alchemist, and raging sportsball fan.