[Security] Preventing PCAPI path traversal through PCUI by scoping down the policy used by PCUI lambda to invoke PCAPI. In particular allowing the invocation only on the expected stage.

gmarciani · gmarciani · commit 5703ff906f67 · 2025-06-04T10:46:06.000-04:00
diff --git a/infrastructure/parallelcluster-ui.yaml b/infrastructure/parallelcluster-ui.yaml
@@ -898,8 +898,9 @@ Resources:
               - execute-api:Invoke
             Effect: Allow
             Resource: !Sub
-              - arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${PCApiGateway}/*/*
-              - { PCApiGateway: !Select [2, !Split ['/', !Select [0, !Split ['.', !GetAtt [ ParallelClusterApi, Outputs.ParallelClusterApiInvokeUrl ]]]]] }
+              - arn:${AWS::Partition}:execute-api:${AWS::Region}:${AWS::AccountId}:${PCApiGateway}/${PCApiStage}/*
+              - PCApiGateway: !Select [2, !Split ['/', !Select [0, !Split ['.', !GetAtt [ ParallelClusterApi, Outputs.ParallelClusterApiInvokeUrl ]]]]]
+                PCApiStage: !Select [3, !Split ['/', !GetAtt [ ParallelClusterApi, Outputs.ParallelClusterApiInvokeUrl ]]]
 
   CognitoPolicy:
     Type: AWS::IAM::ManagedPolicy
