(ec2:Vpc): VPC Flow Logs on Imported VPCs Create Unnecessary IAM Role with iam:PassRole Permission #35729

@mrpackethead

Description

Describe the bug

When creating a VPC Flow Log with an S3 destination on an imported VPC (using Vpc.fromVpcAttributes()), CDK automatically creates an IAM role even though VPC Flow Logs to S3 do not require an IAM role. This auto-generated role includes iam:PassRole permission on itself, creating a privilege escalation security risk.

Additional context

CDK Version: 2.208.0+ (likely affects all versions)

Affected Module: @aws-cdk/aws-ec2

Regression Issue

  • Select this option if this issue appears to be a regression.

Last Known Working CDK Library Version

No response

Expected Behavior

VPC Flow Logs with S3 destinations should not create an IAM role, regardless of whether the VPC is native or imported. If a role must be created for imported VPCs, it should not include iam:PassRole permission on itself.

Current Behavior

When using new ec2.FlowLog() with:

  • An imported VPC from Vpc.fromVpcAttributes()
  • S3 destination via FlowLogDestination.toS3()

CDK creates an IAM role with the following policy:

{
  "Effect": "Allow",
  "Action": "iam:PassRole",
  "Resource": "<self-role-arn>"
}

Reproduction Steps

import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as s3 from 'aws-cdk-lib/aws-s3';
import { Stack } from 'aws-cdk-lib';
import { Construct } from 'constructs';

// The snippet runs inside a Stack so that `this` is a valid construct scope
export class FlowLogStack extends Stack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // Create or reference an imported VPC
    const vpc = ec2.Vpc.fromVpcAttributes(this, 'ImportedVpc', {
      vpcId: 'vpc-12345',
      availabilityZones: ['us-east-1a', 'us-east-1b'],
      publicSubnetIds: ['subnet-111', 'subnet-222'],
    });

    // Create S3 bucket for flow logs
    const bucket = new s3.Bucket(this, 'FlowLogBucket');

    // Create Flow Log with S3 destination
    new ec2.FlowLog(this, 'VpcFlowLog', {
      destination: ec2.FlowLogDestination.toS3(bucket),
      resourceType: ec2.FlowLogResourceType.fromVpc(vpc),
      trafficType: ec2.FlowLogTrafficType.ALL,
    });
  }
}

Result: An IAM role is created with iam:PassRole permission on itself.

Possible Solution

Option 1: Do not create an IAM role for S3 destinations on imported VPCs (same behavior as native VPCs)

Option 2: If a role must be created, remove the iam:PassRole permission as it's not needed for VPC Flow Logs

Option 3: Allow users to explicitly pass role: undefined to prevent role creation for S3 destinations

Additional Information/Context

Security Impact: The iam:PassRole permission on the role itself creates a privilege escalation vector if the role is compromised

AWS Documentation: VPC Flow Logs to S3 do not require an IAM role

Related Issues

This appears to be specific to imported VPCs. Native VPCs created with new ec2.Vpc() do not exhibit this behavior when using S3 destinations.

AWS CDK Library version (aws-cdk-lib)

2.208.0

AWS CDK CLI version

2

Node.js Version

20

OS

Linux

Language

TypeScript

Language Version

No response

Other information

No response
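As an added pre-deploy check (example code written for this page, not code from the issue author or from aws-cdk-lib): a TypeScript scan over a synthesized CloudFormation template that flags every IAM role allowed to pass itself, i.e. an Allow statement for iam:PassRole whose Resource is the role's own ARN (or "*"). The template below is constructed to resemble the role the issue describes; its logical ids, and the suggestion to feed it the output of `cdk synth --json`, are assumptions.

```typescript
// Scan a CloudFormation template for IAM roles that may pass themselves.
// Added example, not project code. Feed it the JSON produced by `cdk synth`
// (or a CDK assertions Template) before deploying.

type PolicyStatement = {
  Effect: string;
  Action: string | string[];
  Resource?: unknown;
};
type PolicyDocument = { Statement: PolicyStatement | PolicyStatement[] };
type CfnResource = { Type: string; Properties?: Record<string, any> };
type CfnTemplate = { Resources: Record<string, CfnResource> };

function asList<T>(v: T | T[] | undefined): T[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// True if a Resource entry is {"Fn::GetAtt": ["<RoleLogicalId>", "Arn"]},
// the way CDK refers to a role's ARN inside the same stack. Literal ARN
// strings with generated physical names are out of scope here.
function refersToRole(resource: unknown, roleId: string): boolean {
  if (typeof resource !== 'object' || resource === null) return false;
  const getAtt = (resource as Record<string, unknown>)['Fn::GetAtt'];
  return Array.isArray(getAtt) && getAtt[0] === roleId && getAtt[1] === 'Arn';
}

function grantsPassRoleOnSelf(stmt: PolicyStatement, roleId: string): boolean {
  if (stmt.Effect !== 'Allow') return false;
  const passRole = asList(stmt.Action).some(
    (a) => a === 'iam:PassRole' || a === 'iam:*' || a === '*',
  );
  if (!passRole) return false;
  // "*" covers every role, including this one; otherwise look for a self-reference.
  return asList<unknown>(stmt.Resource).some(
    (r) => r === '*' || refersToRole(r, roleId),
  );
}

// Policy documents attached to a role: inline `Policies` on the role itself,
// plus every AWS::IAM::Policy whose `Roles` list contains {"Ref": roleId}
// (the shape CDK's addToPrincipalPolicy produces).
function policiesForRole(template: CfnTemplate, roleId: string): PolicyDocument[] {
  const docs: PolicyDocument[] = [];
  const inline: Array<{ PolicyDocument: PolicyDocument }> =
    template.Resources[roleId].Properties?.Policies ?? [];
  for (const p of inline) docs.push(p.PolicyDocument);
  for (const res of Object.values(template.Resources)) {
    if (res.Type !== 'AWS::IAM::Policy') continue;
    const props = res.Properties ?? {};
    const roles: Array<{ Ref?: string }> = props.Roles ?? [];
    if (roles.some((r) => r.Ref === roleId)) docs.push(props.PolicyDocument);
  }
  return docs;
}

// Logical ids of every AWS::IAM::Role that is allowed to pass itself.
function findSelfPassRoleRoles(template: CfnTemplate): string[] {
  return Object.entries(template.Resources)
    .filter(([, res]) => res.Type === 'AWS::IAM::Role')
    .filter(([id]) =>
      policiesForRole(template, id).some((doc) =>
        asList(doc.Statement).some((s) => grantsPassRoleOnSelf(s, id)),
      ),
    )
    .map(([id]) => id);
}

// Constructed sample shaped like the flow-log role the issue describes
// (logical ids are made up); it is not real `cdk synth` output.
const sampleTemplate: CfnTemplate = {
  Resources: {
    VpcFlowLogIAMRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: {
          Statement: [{
            Effect: 'Allow',
            Action: 'sts:AssumeRole',
            Principal: { Service: 'vpc-flow-logs.amazonaws.com' },
          }],
        },
      },
    },
    VpcFlowLogIAMRoleDefaultPolicy: {
      Type: 'AWS::IAM::Policy',
      Properties: {
        PolicyDocument: {
          Statement: [{
            Effect: 'Allow',
            Action: 'iam:PassRole',
            Resource: { 'Fn::GetAtt': ['VpcFlowLogIAMRole', 'Arn'] },
          }],
        },
        Roles: [{ Ref: 'VpcFlowLogIAMRole' }],
      },
    },
    // Least-privilege role that only writes logs; it must not be flagged.
    LogWriterRole: {
      Type: 'AWS::IAM::Role',
      Properties: {
        AssumeRolePolicyDocument: { Statement: [] },
        Policies: [{
          PolicyName: 'write',
          PolicyDocument: {
            Statement: [{ Effect: 'Allow', Action: ['logs:PutLogEvents'], Resource: '*' }],
          },
        }],
      },
    },
  },
};

console.log(findSelfPassRoleRoles(sampleTemplate)); // ["VpcFlowLogIAMRole"]
```

Treat a non-empty result as a build failure in CI: a role that can pass itself lets any principal that can assume it hand the role to another service, which is the escalation path the issue is concerned about, and a flow-log role never needs it.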

Labels

  • @aws-cdk/aws-ec2 (Related to Amazon Elastic Compute Cloud)
  • bug (This issue is a bug.)
  • needs-triage (This issue or PR still needs to be triaged.)
