Remove `*` resource configuration for role policy
sbstjn opened this issue
Sebastian Müller commented
The permissions for the created role must have a restricted access policy. The current implementation should not be used in production environments.
```javascript
// Current role policy: every listed action is granted on every resource ('*').
const policy = {
  'Statement': [
    {
      'Effect': 'Allow',
      'Action': [
        'dynamodb:DescribeTable',
        'dynamodb:UpdateTable',
        'cloudwatch:PutMetricAlarm',
        'cloudwatch:DescribeAlarms',
        'cloudwatch:DeleteAlarms',
        'cloudwatch:GetMetricStatistics',
        'cloudwatch:SetAlarmState'
      ],
      'Resource': '*'
    }
  ]
};
```
Sebastian Müller commented
A first step to a more secure solution would be at least a policy bound to the account and table name:
```json
{
  "Action": [
    "dynamodb:DescribeTable",
    "dynamodb:UpdateTable"
  ],
  "Resource": "arn:aws:dynamodb:*:AccountID:table/TableName",
  "Effect": "Allow"
}
```
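An added example, not code from the project or from the issue author: it builds the table-scoped DynamoDB statement from the ARN pattern in the comment above and flags any `Allow` statement that still grants on the bare `*` resource. The account id and table name are constructed placeholders.

```javascript
// Build the table ARN in the shape used in the issue. Region stays "*" as in the
// comment; accountId and tableName are supplied by the caller.
function dynamoDbTableArn(accountId, tableName, region = '*') {
  return `arn:aws:dynamodb:${region}:${accountId}:table/${tableName}`;
}

// The tightened statement: same two DynamoDB actions, bound to one table.
function scopedDynamoDbStatement(accountId, tableName) {
  return {
    Effect: 'Allow',
    Action: ['dynamodb:DescribeTable', 'dynamodb:UpdateTable'],
    Resource: dynamoDbTableArn(accountId, tableName),
  };
}

// Return the indexes of Allow statements whose Resource is (or contains) "*".
// Statement and Resource may each be a single value or an array in IAM JSON.
function findWildcardStatements(policy) {
  const statements = [].concat(policy.Statement);
  return statements
    .map((statement, index) => ({ statement, index }))
    .filter(({ statement }) => statement.Effect === 'Allow')
    .filter(({ statement }) => [].concat(statement.Resource).includes('*'))
    .map(({ index }) => index);
}

// Constructed sample: the role policy quoted in the first comment.
const currentPolicy = {
  Statement: [
    {
      Effect: 'Allow',
      Action: [
        'dynamodb:DescribeTable',
        'dynamodb:UpdateTable',
        'cloudwatch:PutMetricAlarm',
        'cloudwatch:DescribeAlarms',
        'cloudwatch:DeleteAlarms',
        'cloudwatch:GetMetricStatistics',
        'cloudwatch:SetAlarmState',
      ],
      Resource: '*',
    },
  ],
};

// Constructed sample: the same policy with the DynamoDB part scoped to one table.
const scopedPolicy = {
  Statement: [scopedDynamoDbStatement('123456789012', 'example-table')],
};
```

Running `findWildcardStatements` over both samples reports statement 0 of `currentPolicy` and nothing for `scopedPolicy`.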
Sebastian Müller commented
Included in the 0.1.1 release.