
S3 bucket notifications creates IAM policy that has no resource boundary


Forked off from https://github.com/aws/aws-cdk/issues/2781, specifically this comment

S3 bucket notifications creates an IAM role holding a policy that contains no resource boundary, specifically "Resource": "*".

Companies typically enforce that all IAM policies should be well bounded in their actions and resources.

https://github.com/aws/aws-cdk/blob/master/packages/%40aws-cdk/aws-s3-notifications/test/integ.notifications.expected.json#L188-L208

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 5 (2 by maintainers)

Top GitHub Comments

2 reactions
iliapolo commented, Mar 8, 2021

@binhrobles

Is there an easier/clearer way to get to these constructs, or is this pretty much the way to do it for now?

That's pretty much the way as of now. You could simplify a little by using the well-known notification handler id:

const bucketNotificationsHandler = Stack.of(this).node.tryFindChild('BucketNotificationsHandler050a0587b7544547bf325f094a3db834')!

But that's not a WHOLE lot better… actually, for your use cases, I would recommend having a look at Aspects, which give you a way of visiting every construct just before synthesis happens, and modifying it to fit your needs.

Escape hatches are mainly for pinpoint mutations to the underlying CloudFormation resource properties.
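Whichever route is taken to reach the handler's constructs, the property the issue objects to is visible in the synthesized template, so a CI check over the template is the simplest guard. The following is an added example, not code from the aws-cdk project or the thread: it scans a CloudFormation template for Allow statements whose Resource is the literal "*". The sample template, its logical IDs and the s3:PutBucketNotification action are constructed for illustration.

```typescript
// Added example (not CDK project code): scan a synthesized CloudFormation template
// for Allow statements whose Resource is the unbounded "*" that the issue reports.
type Statement = { Effect: string; Action: unknown; Resource?: unknown };
type CfnResource = { Type: string; Properties?: Record<string, any> };
type Template = { Resources: Record<string, CfnResource> };
interface Finding { logicalId: string; actions: string[] }
const asArray = (v: unknown): unknown[] =>
  v === undefined ? [] : Array.isArray(v) ? v : [v];

// Unbounded means the literal "*", alone or inside a list. Intrinsics such as
// Fn::GetAtt or Fn::Join are objects that resolve to specific ARNs, so they pass.
function isUnbounded(resource: unknown): boolean {
  return asArray(resource).some((r) => r === "*");
}

// Collect the identity-policy statements each IAM resource type carries. A role's
// AssumeRolePolicyDocument is a trust policy with no Resource, so it is skipped.
function policyStatements(res: CfnResource): Statement[] {
  const p: Record<string, any> = res.Properties ?? {};
  const stmts: Statement[] = [];
  const add = (doc: any) => { for (const s of asArray(doc?.Statement)) stmts.push(s as Statement); };
  if (res.Type === "AWS::IAM::Policy" || res.Type === "AWS::IAM::ManagedPolicy") add(p.PolicyDocument);
  if (res.Type === "AWS::IAM::Role" || res.Type === "AWS::IAM::User" || res.Type === "AWS::IAM::Group")
    for (const inline of p.Policies ?? []) add(inline.PolicyDocument);
  return stmts;
}

// Walk every resource and report Allow statements with a wildcard Resource.
function findUnboundedStatements(template: Template): Finding[] {
  const findings: Finding[] = [];
  for (const logicalId in template.Resources)
    for (const stmt of policyStatements(template.Resources[logicalId]))
      if (stmt.Effect === "Allow" && isUnbounded(stmt.Resource))
        findings.push({ logicalId, actions: asArray(stmt.Action).map(String) });
  return findings;
}

// Constructed sample shaped like a synthesized CDK template; logical IDs and the
// action are illustrative, not copied from the project's integ output.
const sampleTemplate: Template = {
  Resources: {
    HandlerRole: { Type: "AWS::IAM::Role", Properties: { AssumeRolePolicyDocument: { Statement: [
      { Effect: "Allow", Action: "sts:AssumeRole", Principal: { Service: "lambda.amazonaws.com" } }] } } },
    HandlerPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: "s3:PutBucketNotification", Resource: "*" }] } } },
    BoundedPolicy: { Type: "AWS::IAM::Policy", Properties: { PolicyDocument: { Statement: [
      { Effect: "Allow", Action: ["s3:GetObject"], Resource: { "Fn::GetAtt": ["Bucket", "Arn"] } }] } } },
  },
};
console.log(findUnboundedStatements(sampleTemplate)); // [{ logicalId: "HandlerPolicy", actions: ["s3:PutBucketNotification"] }]
```

Run it against the output of `cdk synth` to fail a pipeline when any Allow statement lacks a resource boundary; the trust policy and the Fn::GetAtt-scoped policy are deliberately left unflagged.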

0 reactions
github-actions[bot] commented, Oct 25, 2022

This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.
