Remove `*` resource configuration for role policy

Question

Remove `*` resource configuration for role policy

sbstjn opened this issue 7 years ago · comments

The permissions for the created role must have a restricted access policy. The current implementation should not be used in production environments.

  'Statement': [
    {
      'Effect': 'Allow',
      'Action': [
        'dynamodb:DescribeTable',
        'dynamodb:UpdateTable',
        'cloudwatch:PutMetricAlarm',
        'cloudwatch:DescribeAlarms',
        'cloudwatch:DeleteAlarms',
        'cloudwatch:GetMetricStatistics',
        'cloudwatch:SetAlarmState'
      ],
      'Resource': '*'
    }
  ]

Sebastian Müller · Answer 1 · Wed Jul 19 2017 16:22:43 GMT+0800 (China Standard Time)

A first step to a more secure solution would be at least a policy bound to the account and table name:

{
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:UpdateTable"
            ],
            "Resource": "arn:aws:dynamodb:*:AccountID:table/TableName",
            "Effect": "Allow"
        }

Sebastian Müller · Answer 2 · Wed Jul 19 2017 16:50:46 GMT+0800 (China Standard Time)

Included in the 0.1.1 release.