Comments (9)
I do have a use case for it right now, which is secrets--definitely only want those to be readable by designated users.
from aws-cdk.
I wonder if it's better to strip resource policies out right now, release without them, and tighten up later as people ask for it?
from aws-cdk.
This also ties into meeting compliance requirements for service teams/enterprises: customer data should never be accessible by humans, and it's very likely that humans have role access to the account, potentially with ":" policies attached to the role.
Maybe the solution is that we have a boolean to mark certain resources `sensitive: true`, and that controls whether permissions are role-only or bidi.
from aws-cdk.
To make matters worse, IAM policies don't even work how I thought they worked :(
from aws-cdk.
I think the logic will have to be:
- Attach to identity policy; UNLESS
- that's not possible because of principal type (because the principal is not an IAM Identity. Examples of non-identity principals are Account Root or Service Principal) => attach to resource instead
- the grant is cross-account => attach to both
from aws-cdk.
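The placement rule sketched in the comment above, written out as an added example (not aws-cdk's own grant implementation; the principal string formats it recognises are assumptions for the sake of the example):

```typescript
// Added example, not aws-cdk code: the grant-placement rule from the thread,
// applied to principals given as IAM ARNs or service-principal names.
type PrincipalKind = 'identity' | 'account-root' | 'service';
type GrantTarget = 'identity-policy' | 'resource-policy';

interface ParsedPrincipal {
  kind: PrincipalKind;
  account?: string; // undefined for service principals
}

// Classify a principal string. Assumed input formats:
//   arn:aws:iam::<account>:user/... | role/... | group/...  -> IAM identity
//   arn:aws:iam::<account>:root                              -> account root
//   <service>.amazonaws.com                                  -> service principal
function parsePrincipal(p: string): ParsedPrincipal {
  const arn = /^arn:aws:iam::(\d{12}):(.+)$/.exec(p);
  if (arn) {
    const account = arn[1];
    const resource = arn[2];
    if (resource === 'root') return { kind: 'account-root', account };
    if (/^(user|role|group)\//.test(resource)) return { kind: 'identity', account };
    throw new Error(`unsupported IAM principal: ${p}`);
  }
  if (/^[a-z0-9.-]+\.amazonaws\.com$/.test(p)) return { kind: 'service' };
  throw new Error(`unrecognised principal: ${p}`);
}

// Decide where a grant has to be attached for a resource owned by resourceAccount:
// identity policy by default; resource policy when the principal has no identity
// policy to attach to; both when the grant crosses an account boundary.
function grantTargets(principal: string, resourceAccount: string): GrantTarget[] {
  const parsed = parsePrincipal(principal);
  if (parsed.kind !== 'identity') return ['resource-policy'];
  if (parsed.account !== resourceAccount) return ['identity-policy', 'resource-policy'];
  return ['identity-policy'];
}
```

As the later comments on KMS note, this only decides where a statement is written; whether the principal can actually act still depends on the service's own evaluation rules, so a KMS key policy that does not delegate to IAM will leave an identity-policy-only grant ineffective.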
Soo... S3 policies are definitely additive (as in, you can do the action as long as either the resource policy or IAM policy gives you the permission), but KMS policies seem not to be?
I have an identity that has `"*:*"`, yet I still cannot use the key to decrypt as long as I don't have an explicit resource grant.
from aws-cdk.
I guess this makes sense for KMS and it appears to be documented (https://docs.aws.amazon.com/kms/latest/developerguide/determining-access.html), but we now have to contend with the fact that IAM evaluation rules might be different for different resources.
from aws-cdk.
@rix0rrr This is from 2018. Is it still relevant or can we close it?
from aws-cdk.
Mmyeah, let's close it.
from aws-cdk.