S3 bucket notifications creates IAM policy that has no resource boundary
Forked off from https://github.com/aws/aws-cdk/issues/2781, specifically this comment
S3 bucket notifications create an IAM role holding a policy that contains no resource boundary, specifically "Resource": "*".

Companies typically enforce that all IAM policies should be well bounded in their actions and resources.
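The check such a company would run is a lint over the synthesized policy documents. The following is an added example, not code from the aws-cdk project or from this issue thread: a small TypeScript linter for IAM policy documents that reports every Allow statement whose scope is unbounded (Resource "*", NotResource, or a wildcard Action). The sample policies are constructed; the action and bucket name in them are placeholders, not the real notification handler policy, which the issue does not reproduce.

```typescript
// Added example (not aws-cdk project code): flag IAM Allow statements that are
// not bounded in resource or action, the class of finding this issue reports.

type StringOrList = string | string[];

interface IamStatement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action?: StringOrList;
  NotAction?: StringOrList;
  Resource?: StringOrList;
  NotResource?: StringOrList;
  Condition?: Record<string, unknown>;
}

interface IamPolicyDocument {
  Version: string;
  Statement: IamStatement | IamStatement[];
}

interface Finding {
  sid: string;        // statement Sid, or its index when no Sid is set
  reasons: string[];  // every unbounded aspect found in the statement
}

// IAM accepts a single string or a list for Action/Resource; normalize to a list.
function asList(value: StringOrList | undefined): string[] {
  if (value === undefined) return [];
  return Array.isArray(value) ? value : [value];
}

// "*" grants every action; "s3:*" grants every action of one service.
function isWildcardAction(action: string): boolean {
  return action === '*' || action.endsWith(':*');
}

function findUnboundedStatements(doc: IamPolicyDocument): Finding[] {
  const statements = Array.isArray(doc.Statement) ? doc.Statement : [doc.Statement];
  const findings: Finding[] = [];

  statements.forEach((stmt, index) => {
    // A Deny on "*" is a guardrail, not a grant; only Allow widens access.
    if (stmt.Effect !== 'Allow') return;

    const reasons: string[] = [];
    if (asList(stmt.Resource).includes('*')) {
      reasons.push('Resource is "*"');
    }
    if (stmt.NotResource !== undefined) {
      reasons.push('NotResource allows every resource except the listed ones');
    }
    const wild = asList(stmt.Action).filter(isWildcardAction);
    if (wild.length > 0) {
      reasons.push(`wildcard Action: ${wild.join(', ')}`);
    }
    if (stmt.NotAction !== undefined) {
      reasons.push('NotAction allows every action except the listed ones');
    }
    if (reasons.length > 0 && stmt.Condition !== undefined) {
      // A Condition narrows when the statement applies; it does not bound the resource.
      reasons.push('note: a Condition is present, review whether it bounds the grant');
    }
    if (reasons.length > 0) {
      findings.push({ sid: stmt.Sid ?? `statement[${index}]`, reasons });
    }
  });
  return findings;
}

// Constructed sample: the shape the issue describes, an Allow with Resource "*".
// The action is a placeholder, not the handler's actual policy.
const UNBOUNDED_POLICY: IamPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'NotificationHandler', Effect: 'Allow', Action: 's3:PutBucketNotification', Resource: '*' },
  ],
};

// Constructed sample: the same grant bounded to one bucket ARN (placeholder name),
// plus a Deny guardrail that the linter correctly leaves alone.
const BOUNDED_POLICY: IamPolicyDocument = {
  Version: '2012-10-17',
  Statement: [
    { Sid: 'NotificationHandler', Effect: 'Allow', Action: 's3:PutBucketNotification', Resource: 'arn:aws:s3:::example-bucket' },
    { Sid: 'NoBucketDeletion', Effect: 'Deny', Action: 's3:DeleteBucket', Resource: '*' },
  ],
};

function formatFindings(findings: Finding[]): string {
  return findings.map(f => `${f.sid}: ${f.reasons.join('; ')}`).join('\n');
}

console.log(formatFindings(findUnboundedStatements(UNBOUNDED_POLICY)) || 'no findings');
console.log(formatFindings(findUnboundedStatements(BOUNDED_POLICY)) || 'no findings');
```

In a CDK project this function is the kind of check one would wire into an Aspect or a post-synthesis test over the template's policy documents, failing the build on any finding rather than discovering the wildcard in production.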
Top GitHub Comments
@binhrobles
That's pretty much the way as of now. You could simplify a little by using the well known notification handler id:

But that's not a WHOLE lot better… actually for your use-cases, I would recommend having a look at Aspects - which give you a way of visiting every construct just before synthesis happens, and modify it to fit your needs. Escape hatches are mainly for pin point mutations to the underlying CloudFormation resource properties.
This issue has not received any attention in 1 year. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.